Reader Mailbag: Passwords

My previous posts about passwords here and here generated a lot of emails, Facebook messages and even phone calls.  In today's post, I'm going to answer some of those questions. If you have a password question, just leave a comment below or use the contact form on this site and I'll try to answer it as well.  All these questions are being shared with permission from the person who wrote them.


Here's the first question: "After reading your password post I downloaded 1Password.  It was hard to figure out how to make passwords but once I did I noticed my bank won't let me create a good password (1Password colors it yellow).  Is my account safe?"

Great question!  I have noticed a disturbing trend among banks, insurance companies, payroll processors and similar sites: really poor password policies.  These sites hold some of our most sensitive data, and you would expect them to allow very secure passwords.  Instead, you often find that passwords must be at least 6-8 characters with a maximum of 12-16, and very few special characters are permitted.  A password constrained like that has far less entropy than one a password manager can generate and store for you: 12 characters of mixed-case letters and digits is about 71 bits, while a 20-character password drawn from the full printable set is over 130 bits.

Part of this is driven by the regulations and change management processes that banks and health organizations must follow.  Certifying an authentication system in these industries takes a long time and a lot of work.  Also, in the case of banks, your account is monitored much more closely for abnormal activity than a typical web account.  That said, I believe these industries should modernize their password policies.

Now, how do you protect yourself on sites that won't take good passwords?  I tag all my weaker passwords with the term "quarterly."  If you don't use 1Password, you could do something as simple as keeping a list of these sites by hand.  On the first day of each new season I change all of these passwords, giving an attacker a smaller window in which a leaked or cracked password is still useful.

Several people asked a variant of this question: "I created a good password that I can remember.  Is it safe for me to just add something to the end of this password for each site I use to make it easier to log in?"

In one case, I was actually emailed the password for examination!  This brings me to my first point: don't share your password with anyone, and never email a password.  Email is not end-to-end encrypted: the message sits in plain text on every mail server it passes through and in both mailboxes, and on some hops it may travel across the network in the clear.  Don't email passwords.

Now, our goal is better password practice, not perfection.  By creating a passphrase with high entropy you've already made yourself a less attractive target.  With that said, I think it's a bad idea to reuse any portion of a password.  Remember, you don't know how a given company or website stores your password.  It may be stored in plain text, encrypted reversibly so that anyone holding the key can recover it, or hashed without salt or stretching so that it cracks quickly.  If that site is compromised and an attacker recovers your passphrase, it becomes the basis for an attack on your other accounts.  Suddenly your security is reduced to those extra characters, which are far shorter than a normal password and take seconds to enumerate.

I like the thinking, but you are better off using a password manager and completely unique passwords.
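To show how little those extra characters buy, here is an added example (not code from the post) of the attack described above: one site leaks the reader's "base plus tail" password in the clear, the attacker strips the tail, and then enumerates short tails against the hashes held by the other sites.  The base passphrase, site names, tails and the unsalted SHA-256 storage are all constructed for the demonstration.

```python
import hashlib
import itertools
import string

# Constructed example: a memorable base passphrase plus a short site-specific
# tail, the scheme the reader asked about.  Sites and tails are hypothetical.
BASE = "correct-horse-battery-staple"
SITES = {
    "shop": BASE + "shp",
    "bank": BASE + "bnk",
    "mail": BASE + "ml1",
}
TAIL_ALPHABET = string.ascii_lowercase + string.digits


def stored_hash(password: str) -> str:
    """Stand-in for what a careless site stores: unsalted, unstretched SHA-256.
    It is deliberately weak so the point is about the password, not the hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def tail_space(max_len: int, alphabet: str = TAIL_ALPHABET) -> int:
    """How many tails of length 1..max_len the attacker must try at most."""
    return sum(len(alphabet) ** n for n in range(1, max_len + 1))


def crack_tail(known_base: str, target_hash: str, max_len: int = 3,
               alphabet: str = TAIL_ALPHABET):
    """Attacker who learned known_base from one breach tries every short tail
    against another site's stored hash.  Returns (password, guesses) on success
    and (None, guesses) otherwise."""
    guesses = 0
    for n in range(1, max_len + 1):
        for tail in itertools.product(alphabet, repeat=n):
            guesses += 1
            candidate = known_base + "".join(tail)
            if stored_hash(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def attack_from_leak(leaked_site: str, sites: dict = SITES, tail_len: int = 3) -> dict:
    """One site leaks the password in the clear; the attacker strips the last
    tail_len characters to guess the shared base (a real attacker would try
    several split points) and then attacks every other site's hash."""
    base_guess = sites[leaked_site][:-tail_len]
    return {
        site: crack_tail(base_guess, stored_hash(password), max_len=tail_len)
        for site, password in sites.items()
        if site != leaked_site
    }


if __name__ == "__main__":
    print("tails to try at most:", tail_space(3))
    for site, (pw, guesses) in attack_from_leak("shop").items():
        print(f"{site}: recovered {pw!r} after {guesses} guesses")
```

With a three-character tail of letters and digits the whole space is 47,988 guesses, a fraction of a second against a fast hash; a unique 20-character generated password for each site would put the other accounts out of reach no matter what the first site leaked.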

Now a question about email & passwords: "you mentioned you have an email and password for every account. My iTunes and gmail are the same email. One time I logged into my iTunes account and saw all my contact and billing info had been switched to some random other person. No charges ever appeared on my card and I went ahead and changed my password for both accounts. 

But if I were to create a ----itunes@gmail (for example) could I forward those emails (iTunes receipts etc) to my ----gmail@gmail account. Or is that safe? I'm assuming if a hacker got into the iTunes account they'd see the forwarding/backup email and start hacking it..."

I mentioned that I create unique email addresses for password recovery for critical accounts.  I do this because most sites use email as the mechanism for restoring access when a password is lost.  If you have one email address and all your accounts use it for recovery, that email account becomes a single point of failure in your security chain.  Even worse, in this age of mobility someone doesn't need your password to get your email: an unlocked mobile phone with your mail on it gives them all the access they need.

That's why I create a dedicated email account for each service I use that has the power to charge my credit card.  Each of these email accounts has a unique, strong password, and all of them are stored in my 1Password vault.  If you forward these emails to your main email account, you defeat the security model: password resets generally happen via an emailed URL, and anyone who can read the inbox that URL lands in, including a forwarded copy, can complete the reset.

Now, if someone gets into an account and learns which email address is used for recovery, they still have to break into that mailbox to use it.  That's not easy when the mailbox has its own unique, strong password: they would have to guess it, phish it out of you, or compromise the email provider badly enough to obtain the password hashes and crack yours.  So a compromised email account makes it easy to get into the accounts that depend on it, but a compromised account does not hand an attacker the mailbox behind it.
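The asymmetry above is easier to see on a small model.  The following added example (not code from the post) computes which accounts an attacker can reach by password reset from a starting compromise, under three layouts: one shared mailbox, a dedicated recovery mailbox per service, and the dedicated layout with one recovery mailbox forwarding into the main one.  All account and mailbox names are hypothetical.

```python
# Constructed model (not from the post) of which accounts an attacker reaches
# through password-reset e-mail.  Every account and mailbox name is hypothetical.
# Each entry: "recovery" = mailbox that receives its reset links (None if none),
# "forwards_to" = mailbox that a mailbox copies its incoming mail to (optional).

SHARED_MAILBOX = {
    "main-mail": {"recovery": None},
    "itunes":    {"recovery": "main-mail"},
    "bank":      {"recovery": "main-mail"},
    "shop":      {"recovery": "main-mail"},
}

SPLIT_MAILBOXES = {
    "main-mail":   {"recovery": None},
    "itunes-mail": {"recovery": None},
    "bank-mail":   {"recovery": None},
    "itunes":      {"recovery": "itunes-mail"},
    "bank":        {"recovery": "bank-mail"},
}

# Same as SPLIT_MAILBOXES, but the iTunes mailbox forwards into the main one.
FORWARDED = {name: dict(acct) for name, acct in SPLIT_MAILBOXES.items()}
FORWARDED["itunes-mail"]["forwards_to"] = "main-mail"


def readable_mail(accounts, owned):
    """Mailboxes whose incoming mail the attacker can read: the ones they own,
    plus any that forward into one they can already read (to a fixed point)."""
    readable = set(owned)
    while True:
        more = {n for n, a in accounts.items() if a.get("forwards_to") in readable}
        if more <= readable:
            return readable
        readable |= more


def attacker_reach(accounts, compromised):
    """Accounts and mailboxes an attacker controls starting from `compromised`.
    Reading a mailbox lets them reset any account that names it as recovery
    address; owning a non-mailbox account only reveals its recovery address and
    grants nothing more."""
    owned = set(compromised)
    while True:
        readable = readable_mail(accounts, owned)
        via_reset = {n for n, a in accounts.items() if a.get("recovery") in readable}
        if via_reset <= owned:
            return owned | readable
        owned |= via_reset


if __name__ == "__main__":
    layouts = [("shared", SHARED_MAILBOX), ("split", SPLIT_MAILBOXES), ("forwarded", FORWARDED)]
    for label, accounts in layouts:
        for start in ("main-mail", "itunes"):
            print(f"{label:9} start={start:9} -> {sorted(attacker_reach(accounts, {start}))}")
```

Losing the shared mailbox loses everything; losing one dedicated mailbox loses one service; and forwarding a dedicated mailbox into the main one quietly puts that service back behind the single point of failure.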

Our last question is sharp, and one I've only considered recently.  "I've gone back and changed all my passwords.  It took me three days.  I noticed that all the sites seem to use the same security questions.  What's the point of working so hard on passwords if my mother's maiden name and my childhood pet are all that someone needs to change my password?"

In this age of social media, the answers to most security questions are a Google search and a few clicks away.  This is a powerful way to gain access to accounts, and to the reader's point it absolutely undermines our carefully chosen passwords.  What to do?

Don't give the actual data.  Instead, use your password manager to generate a unique answer to each question and store the question and the answer in the notes of the password record.  For example, if the question is "What is your maternal grandmother's maiden name," set the answer to something like "why7vusp5spe5ja6zub" and save it alongside the password you created for that site.  Some sites, and the phone agents who ask these questions, only accept letters or a short maximum length, so a few random words can be easier to type or read aloud than a random string; either way the answer should have nothing to do with you.  I'm in the process of doing this for my accounts, starting with email, banking and healthcare and then moving to less vital accounts.

It's a lot of work to secure your digital identity, but it's much less work than recovering from a breach or identity theft.  Kudos to everyone who is doing the work.

More About Passwords

I bet you hate passwords.  It seems like everything you want to use today has a password.  Passwords are hard to remember.  When you think you have a good one, someone asks you to change it.  Passwords suck, and because they suck people hate to think about them.  In most cases people end up selecting a password or two that they can remember and reusing them as much as possible.

But think about how much of your life is digital today–your memories, your social interactions, your communications, your work and your money.  If someone gets your password, how much of your life can they wreck?  What could you lose?

Try this.  Go to this website and test passwords built the same way as the ones you use (never type a password you actually use into someone else's website; a look-alike tells you just as much).  I bet you'll be shocked how fast your password would fail under modern password cracking attempts on modern computing hardware.  Now think about the companies that have had password database leaks recently: Sony and LinkedIn, to name two.  Think about how many sites you create accounts on that you really don't know anything about.  If they've made security mistakes in their systems, someone can use those systems to get your password.

Once someone has your password they can get into your email.  With access to your email, they can reset your other passwords.  They can log into your online banking and transfer your money.  They can steal your identity and run up credit bills in your name.  Ars Technica has a great article on modern password cracking and how quickly most passwords can be compromised.

Passwords matter.  Even though the username password system is flawed, it's all we have in most cases today.  That means it's up to you to make the best out of a bad system.  How?

  • Pick strong, unique passwords.  Password generators can be helpful here.  It's best to generate passwords by some truly random means (like dice), but a software-generated password is much better than what you are likely using now.  Here's a link to a password generator I like:
  • Don't reuse passwords.  Have a different password for every site or service you use.  I know that sounds hard, and it should: most people can't remember dozens of passwords.
  • Use a password manager.  Let your computer do the hard work for you.  LastPass has a free version, and 1Password is excellent.  Just make sure you secure the manager itself with a strong, unique master password, since it now holds everything.
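Three things in these posts come down to the same tool: a generator fed by a cryptographic random source.  The added example below (not code from the post or from any password manager) produces the strongest password a length-capped bank policy will accept, a dice-style passphrase, and a random security-question answer, and puts entropy and worst-case crack time beside each shape.  The 20-word list is constructed so the code runs offline (a real Diceware list has 7776 words), and the 10^10 guesses-per-second rate is an assumption for a GPU rig against a fast hash.

```python
import math
import secrets
import string

# Constructed mini word list so the example runs offline.  A real Diceware list
# has 7776 words (five dice, 6**5), i.e. log2(7776) = 12.9 bits per word; this
# 20-word list gives only 4.3 bits per word and exists for demonstration.
WORDS = ("acorn badge cabin delta eagle fable gavel hazel igloo jelly "
         "kayak lemon maple noble olive piano quilt raven sugar tulip").split()


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string of `length` symbols chosen uniformly from alphabet_size."""
    return length * math.log2(alphabet_size)


def crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to exhaust the whole space.  1e10 guesses/s is an assumed rate for a
    GPU rig against a fast, unsalted hash; a slow hash lowers it by orders of magnitude."""
    return 2 ** bits / guesses_per_second


def policy_password(max_len: int = 12,
                    allowed: str = string.ascii_letters + string.digits) -> str:
    """The strongest password a restrictive site policy (length cap, limited
    character set) will accept: fill every permitted position from a CSPRNG."""
    return "".join(secrets.choice(allowed) for _ in range(max_len))


def dice_passphrase(words: int = 6, wordlist=WORDS) -> str:
    """Diceware-style passphrase; secrets.randbelow plays the role of the dice."""
    return " ".join(wordlist[secrets.randbelow(len(wordlist))] for _ in range(words))


def security_answer(words: int = 4, wordlist=WORDS) -> str:
    """Random answer for a "security question": letters only so web forms and
    phone agents accept it, and unrelated to anything about you."""
    return "".join(wordlist[secrets.randbelow(len(wordlist))].capitalize()
                   for _ in range(words))


def compare() -> dict:
    """Entropy and worst-case crack time for a few password shapes."""
    shapes = {
        "8 lowercase letters (typical)": entropy_bits(26, 8),
        "12 letters+digits (bank policy cap)": entropy_bits(62, 12),
        "6 real Diceware words": entropy_bits(7776, 6),
        "20 printable ASCII (password manager)": entropy_bits(95, 20),
    }
    return {name: (round(bits, 1), crack_seconds(bits)) for name, bits in shapes.items()}


if __name__ == "__main__":
    print("policy password :", policy_password())
    print("dice passphrase :", dice_passphrase())
    print("security answer :", security_answer())
    for name, (bits, secs) in compare().items():
        print(f"{name:40} {bits:6.1f} bits  {secs / 31_557_600:.3g} years")
```

Note the use of `secrets` rather than `random`: the latter is seeded predictably and is not suitable for passwords.  The 8-lowercase-letter password falls in about twenty seconds at the assumed rate, which is the "shocked how fast" result above; the 12-character bank maximum is the case that earns a "quarterly" tag.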

Using the approaches above you can become a frustrating target for password crackers.  Since so many people select really poor passwords, most crackers aren't going to waste time trying to crack a password that takes months, years or even longer to crack.

The only person that can secure your digital life is you.

Apple/Amazon got you spooked? Here are 6 ways to protect your data.

While much has been written about the recent social engineering attack involving Apple and Amazon, and some potential solutions have been proposed, we remain in a poor information security environment today.  Traditional credentials are still the primary way that people access systems.  People pick a username and password combination and then reuse it as much as possible.


Password security is based on entropy, and passwords with greater entropy are hard for people to remember.  I myself have written about selecting and securely storing unique, high-entropy passwords.  Apple and Amazon's recent incident makes it clear that even people who adopt good password practices are still vulnerable: the attack went through support staff, not through the password.

So, while the nerds work on more secure, more human-friendly forms of authentication, what are we to do?  How can we protect our own information and privacy in an age where so much of our lives is "in the cloud?"  These tips will help you secure your personal computing environment.

  1. Pick a different, strong password for every site or service you use.  Ideally, use a password generator instead of your memory.  1Password and LastPass are both good solutions for automating this and make it easier to do passwords right.
  2. Don't forget your computer.  Make sure a password is required to use it, and consider full disk encryption so a lost or stolen machine doesn't give up its contents.  Your computer is connected to the Internet and is a potential vector for attack.  Give your account a nice, strong password.  Be careful what software you download and which emails you click.  Malware with key loggers and phishing attacks via email are common ways that even good passwords are compromised.
  3. Use a PIN code on mobile devices.  A phone that unlocks without one hands over your email, and with it every password reset link sent to you.
  4. Use two-factor authentication when it's offered.  My Facebook, Steam, PayPal, Blizzard and other accounts can all send me a time-limited code that is required before a new device is added to the account.  This is a second barrier that a stolen password alone does not get past.
  5. Back up your data.  More than once.  I use Apple's Time Machine and CrashPlan, in addition to Dropbox.  Time Machine gives me a local backup that is completely in my control.  CrashPlan keeps my data offsite in the event of fire, theft or other disasters.  Dropbox is not a backup solution, but it means I have multiple copies of my current working data.
  6. Encrypt sensitive information.  I keep financial records in encrypted disk images.  I keep personal information locked in 1Password.  Even if Dropbox, CrashPlan or an email provider I use is compromised, an attacker still won't have access to my most private information.

Doing some of these things will make your computing experience less convenient, but you gain considerable resistance to attack by following these simple measures.  When you have multiple backups, an attack is easier to recover from.

It's a jungle out there.