Reader Mailbag: Passwords

My previous posts about passwords here and here generated a lot of emails, Facebook messages and even phone calls.  In today's post, I'm going to answer some of those questions. If you have a password question, just leave a comment below or use the contact form on this site and I'll try to answer it as well.  All these questions are being shared with permission from the person who wrote them.


Here's the first question: "After reading your password post I downloaded 1Password.  It was hard to figure out how to make passwords but once I did I noticed my bank won't let me create a good password (1Password colors it yellow).  Is my account safe?"

Great question!  I have noticed a disturbing trend among banks, insurance companies, payroll processors and similar sites toward really poor password policies.  These sites have access to some of our most sensitive data, and you would expect them to have password policies that allow very secure passwords.  Instead, you often find that passwords must be at least 6-8 characters with a maximum of 12-16, and very few special characters are permitted.  Of course, this means such a password has much lower entropy than the passwords a password manager can produce and manage.
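To make the entropy gap concrete, here is an added example (not from the original post or from 1Password) that generates the strongest uniformly random password a given policy allows and compares its entropy with an unrestricted password-manager default. Both policies are constructed assumptions, not any real bank's rules.

```python
import math
import secrets
import string

# Constructed policies (assumptions): a restrictive "bank-style" policy versus
# an unrestricted password-manager default.  Each lists the permitted character
# classes and the maximum length the site accepts.
BANK_POLICY = {
    "max_len": 12,
    "classes": [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#"],
}
MANAGER_DEFAULT = {
    "max_len": 20,
    "classes": [string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation],
}


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password of `length` symbols drawn
    from an alphabet of `alphabet_size` characters."""
    return length * math.log2(alphabet_size)


def strongest_allowed(policy):
    """Generate the best password the policy permits: maximum length, every
    permitted class in the alphabet, and at least one character from each
    class (many sites require that).  Rejection sampling keeps the result
    uniform over the passwords that satisfy the policy."""
    alphabet = "".join(policy["classes"])
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(policy["max_len"]))
        if all(any(c in cls for c in pw) for cls in policy["classes"]):
            return pw


def policy_entropy(policy):
    """Approximate entropy (bits) of strongest_allowed() output; the
    'one of each class' requirement removes only a small fraction."""
    return entropy_bits(policy["max_len"], sum(len(c) for c in policy["classes"]))


def entropy_gap(restricted, unrestricted):
    """How many bits of entropy the restrictive policy costs the user."""
    return policy_entropy(unrestricted) - policy_entropy(restricted)
```

Run `entropy_gap(BANK_POLICY, MANAGER_DEFAULT)` to see the cost of the restriction in bits; every bit halves the work an offline guessing attack needs, which is why the author treats these passwords as weaker.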

Part of this is based on the laws and change management systems that banks and health organizations have to follow.  It takes a long time and a lot of work to certify an authentication system in these industries.  Also, in the case of banks your account is monitored much more closely than a typical web account for abnormal activity.  That said, I believe these industries should modernize their password policies.

Now, how do you protect yourself on sites that won't take good passwords?  I tag all my weaker passwords with the term "quarterly."  If you don't use 1Password, you could do something as simple as making a list of these sites by hand.  Whenever it's the first day of a new season, I change all these passwords, giving bad operators a smaller window to compromise my account.
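Here is an added example (my own, not from the post or from 1Password) of the seasonal rotation check run over a hand-made list of records. The records and the season start dates (March 20, June 21, September 22, December 21, an approximation) are constructed assumptions.

```python
from datetime import date

# Approximate first days of the four seasons (assumption; exact dates vary).
SEASON_STARTS = [(3, 20), (6, 21), (9, 22), (12, 21)]

# Constructed list of vault records: title, tags and the date the password
# was last changed.  Only the shape matters; these are not real accounts.
RECORDS = [
    {"title": "Bank (12-char limit)", "tags": {"quarterly"},
     "last_changed": date(2014, 5, 1)},
    {"title": "Payroll portal", "tags": {"quarterly"},
     "last_changed": date(2014, 6, 25)},
    {"title": "Email", "tags": set(), "last_changed": date(2013, 1, 1)},
]


def last_season_start(today):
    """Most recent season start on or before `today`, rolling back into the
    previous year when `today` is before March 20."""
    candidates = [date(today.year - 1, 12, 21)]
    candidates += [date(today.year, m, d) for m, d in SEASON_STARTS]
    return max(c for c in candidates if c <= today)


def due_for_rotation(records, today, tag="quarterly"):
    """Titles of tagged records whose password predates the current season,
    i.e. the ones the post's rotation routine would change today."""
    cutoff = last_season_start(today)
    return [r["title"] for r in records
            if tag in r["tags"] and r["last_changed"] < cutoff]


if __name__ == "__main__":
    for title in due_for_rotation(RECORDS, date.today()):
        print("rotate:", title)
```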

Several people asked a variant of this question: "I created a good password that I can remember.  Is it safe for me to just add something to the end of this password for each site I use to make it easier to log in?"

In one case, I was actually emailed the password for examination!  This brings me to my first point: don't share your password with anyone, and never email a password.  Email is transmitted in plain text, and it is possible to intercept emails in some cases.  Don't email passwords.

Now, our goal is to have better password practices, not perfection.  By creating a passphrase with high entropy you've already made yourself a less attractive target.  With that said, I think it's a bad idea to reuse any portion of a password.  Remember, you don't know how a given company or website will store your password.  It's possible they are storing it in plain text, or encrypting it in a way where it can be converted back to plain text with a key.  If that site is compromised and the attackers gain access to your passphrase, it can be used as the basis for an attack on your other accounts.  Suddenly your security is reduced to those extra digits, which are probably shorter than a normal password.

I like the thinking, but you are better off using a password manager and completely unique passwords.

Now a question about email & passwords: "You mentioned you have an email and password for every account. My iTunes and Gmail are the same email. One time I logged into my iTunes account and saw all my contact and billing info had been switched to some random other person. No charges ever appeared on my card, and I went ahead and changed my password for both accounts.

But if I were to create a ----itunes@gmail (for example), could I forward those emails (iTunes receipts etc.) to my ----gmail@gmail account? Or is that safe? I'm assuming if a hacker got into the iTunes account they'd see the forwarding/backup email and start hacking it..."

I mentioned that I create unique email addresses for password recovery for critical accounts.  I do this because most sites use email as a mechanism for restoring account access for lost passwords.  If you have one email address and all your accounts use it for recovery, that email account becomes a single point of failure in your security chain.  Even worse, in this age of mobility someone doesn't need your password to get your email.  Your unsecured mobile phone will give them all the access they need.

That's why I create a dedicated email account for each service I use that has the power to charge my credit card.  Each of these email accounts has a unique, strong password.  All of them are stored in my 1Password vault.  If you forward these emails to your main email account, you defeat the security model.  Password resets generally happen via an emailed URL, and you want to keep an attacker from getting access to this URL.

Now if someone gets into an account and learns what email account is used for recovery, they still have to compromise that system to get access to that email.  That's not easy.  They would have to compromise the email system deeply enough to gain access to the actual password hash.  That means a compromised email account makes it easy to gain access to other accounts, but the reverse is not true at all.

Our last question is sharp, and one I've only considered recently.  "I've gone back and changed all my passwords.  It took me three days.  I noticed that all the sites seem to use the same security questions.  What's the point of working so hard on passwords if my mother's maiden name and my childhood pet are all that someone needs to change my password?"

In this age of social media, the answers to most security questions may be just a Google search and a few clicks away.  This is a powerful way to gain access to accounts, and to the reader's point it absolutely undermines our secure passwords.  What to do?

Don't give the actual data.  Instead, use your password manager to generate unique answers to these questions and then store the question and the answer in the notes of the password record.  For example, if the question is "What is your maternal grandmother's maiden name," set the answer to something like "why7vusp5spe5ja6zub" and save both with the password you created for that site.  I'm in the process of doing this for my accounts, starting with email, banking and healthcare and then moving to less vital accounts.

It's a lot of work to secure your digital identity, but it's much less work than recovering from a breach or identity theft.  Kudos to everyone who is doing the work.