Reader Mailbag: Passwords

My previous posts about passwords here and here generated a lot of emails, Facebook messages and even phone calls.  In today's post, I'm going to answer some of those questions. If you have a password question, just leave a comment below or use the contact form on this site and I'll try to answer it as well.  All these questions are being shared with permission from the person who wrote them.


Here's the first question: "After reading your password post I downloaded 1Password.  It was hard to figure out how to make passwords but once I did I noticed my bank won't let me create a good password (1Password colors it yellow).  Is my account safe?"

Great question!  I have noticed a disturbing trend with banks, insurance companies, payroll processors and similar sites to have really poor password policies.  These sites have access to some of our most sensitive data and you would expect them to have password policies that allowed very secure passwords.  Instead, you often find that passwords must be at least 6-8 characters with a maximum of 12-16, and very few special characters are permitted.  Of course, this means such a password is much lower entropy than the passwords a password manager can produce and manage.

Part of this is based on the laws and change management systems that banks and health organizations have to follow.  It takes a long time and a lot of work to certify an authentication system in these industries.  Also, in the case of banks your account is monitored much more closely than a typical web account for abnormal activity.  That said, I believe these industries should modernize their password policies.

Now, how do you protect yourself on sites that won't take good passwords?  I tag all my weaker passwords with the term "quarterly."  If you don't use 1Password, you could do something as simple as making a list of these sites by hand.  Whenever it's the first day of a new season, I change all these passwords, giving bad operators a smaller window to compromise my account.

Several people asked a variant of this question: "I created a good password that I can remember.  Is it safe for me to just add something to the end of this password for each site I use to make it easier to log in?"

In one case, I was actually emailed the password for examination!  This brings me to my first point: don't share your password with anyone, and never email a password.  Email is transmitted in plain text, and it is possible to intercept emails in some cases.  Don't email passwords.

Now, our goal is to have better password practices, not perfection.  By creating a passphrase with high entropy you've already made yourself a less attractive target. With that said, I think it's a bad idea to reuse any portion of a password.  Remember, you don't know how a given company or website will store your password.  It's possible they are storing it in plain text, or encrypting it in a way where it can be converted to plain text with a key.  If that site is compromised and they gain access to your passphrase it can be used as the basis for an attack on your other accounts.  Suddenly your security is reduced to those extra digits–which are probably shorter than a normal password.

I like the thinking, but you are better off using a password manager and completely unique passwords.

Now a question about email & passwords: "You mentioned you have an email and password for every account. My iTunes and gmail are the same email. One time I logged into my iTunes account and saw all my contact and billing info had been switched to some random other person. No charges ever appeared on my card and I went ahead and changed my password for both accounts. 

But if I were to create a ----itunes@gmail (for example) could I forward those emails (iTunes receipts etc) to my ----gmail@gmail account. Or is that safe? I'm assuming if a hacker got into the iTunes account they'd see the forwarding/backup email and start hacking it..."

I mentioned that I create unique email addresses for password recovery for critical accounts.  I do this because most sites use email as a mechanism for restoring account access for lost passwords.  If you have one email address and all your accounts use it for recovery, that email account becomes a single point of failure in your security chain.  Even worse, in this age of mobility someone doesn't need your password to get your email.  Your unsecured mobile phone will give them all the access they need.

That's why I create a dedicated email account for each service I use that has the power to charge my credit card.  Each of these email accounts has a unique, strong password.  All of them are stored in my 1Password vault.  If you forward these emails to your main email account, you defeat the security model.  Password resets generally happen via an emailed URL–you want to keep an attacker from getting access to this URL.

Now, if someone gets into an account and learns what email account is used for recovery, they still have to compromise that system to get access to that email.  That's not easy.  They have to compromise the system enough to gain access to the actual password hash.  That means a compromised email account makes it easy to gain access to other accounts, but the reverse is not true at all.

Our last question is sharp, and one I've only considered recently.  "I've gone back and changed all my passwords.  It took me three days.  I noticed that all the sites seem to use the same security questions.  What's the point of working so hard on passwords if my mother's maiden name and my childhood pet are all that someone needs to change my password?"

In this age of social media, the answers to most security questions may be just a Google search and a few clicks away.  This is a powerful way to gain access to accounts, and to the reader's point it absolutely undermines our secure passwords.  What to do?


Don't give the actual data.  Instead, use your password manager to generate unique answers to these questions and then store the question and the answer in the notes of the password record.  For example, if the question is "What is your maternal grandmother's maiden name," set the answer to something like "why7vusp5spe5ja6zub" and save both with the password you created for that site.  I'm in the process of doing this for my accounts, starting with email, banking and healthcare and then moving to less vital accounts.

It's a lot of work to secure your digital identity, but it's much less work than recovering from a breach or identity theft.  Kudos to everyone who is doing the work.

Your Password Sucks and You Are Going to Get Hacked

Admit it: you basically have one password you use for everything.  Maybe sometimes you get clever and switch a number or two around.  Maybe you are really advanced and have two or even three different passwords you use in different places.  Whatever your password strategy, unless you have a completely unique password for every site and service you use you are a juicy target for fraud.

I know you're thinking, "It could never happen to me."  After all, how common are major site compromises anyway?  Today Sony announced that their entire PlayStation Network has been compromised.  This includes names, addresses, email addresses and passwords for every person with an account.  It may also include credit cards.  Here we see a non-academic danger of shared passwords.  If one of these hackers has your email address and a password, why not try that password to access your email?  Once they have access to your email, why not start using the "Forgot Password" function of different websites to start resetting your passwords to other sites, like Facebook or even your bank?  Of course, resetting those passwords isn't even needed if you use the same password everywhere.

Sony's massive failure of IT security clearly illustrates the need for unique, high-entropy passwords for every account you have.  The problem here is that good passwords are very difficult to remember.  A more secure password will contain more characters, and more types of characters.  For example:


  • "111" is a terrible password.  It's short, and is nothing but repeating characters of a single set.  It's also one of the most used passwords used because people can remember it.  That doesn't make them lazy or stupid.  It just means they think a short password they can remember is a gamble worth taking.
  • "JT3GJEYzLmd4<hq6^K{64F}L=pzRCg" is a terrific password.  It has lots of characters.  Those characters are diverse (lowercase letters, uppercase letters, numbers and symbols).  It's also basically impossible to remember.  Even if you could memorize it, do you think you could memorize a password of that complexity for every account you have?

So what do we do?  None of us wants to be a victim of identity theft or fraud, but we also can't mentally process the best, easiest solution we have to many common security vulnerabilities–unique, high-entropy passwords.

There was a time when I generated unique, high-entropy passwords for every account I used and memorized them.  For frequently accessed accounts, I also changed these passwords often.  As I've gotten a little grayer in the beard, I've lost that ability to commit so many complex passwords to memory.  In the last two years I'd fallen into the habit of reusing passwords.  They were good passwords, but a password isn't good anymore if it is reused.  Remember Sony.

I now use a tool called 1Password.  It's become as near and dear to me as my beloved Dropbox.  1Password is an application that creates a secure, encrypted database to store information in.  The primary purpose is password storage, but financial data, software licenses and even notes can be stored.  When you use 1Password, you create and memorize one lengthy, high-entropy but memorable password.  From then on, you use 1Password to create and store your passwords for every other account you use.

1Password is flexible enough to handle the different requirements regarding password length and character set different organizations will mandate.  It's also easy to search and categorize these passwords.  1Password is available in Mac, Windows, iPhone, iPad and Android versions.  Best of all, you can use Dropbox to sync your password database across all your computers and supported devices.

Stop gambling that companies will protect your privacy and information.  Take matters into your own hands and try 1Password today.  You won't regret it.