From the Canyon Edge -- :-Dustin

Tuesday, December 14, 2010

So Many Passwords...

Yesterday, there was an announcement that the hashes of Gawker Media's account passwords had been compromised and published on the internet. I had never heard of Gawker Media.

Whoa, sucks for them!

A few hours later, I received an email from LifeHacker saying that its accounts are actually managed by Gawker and that there's a chance that my account might have been compromised.

Dang, sucks for me :-(

So I spent some time thinking about it, and I've decided I'm going to take a new approach to passwords and my hundreds of disparate accounts on the web...

The Code
  1. I am going to use even stronger passphrases for each of my primary accounts.
  2. I am going to always use different passphrases for each of those primary accounts.
  3. I am going to memorize each of those passphrases from (1) and (2).
  4. For all secondary accounts, I am going to use unique, randomly generated passphrases, perhaps created like this:
    apg -a 1 -m 15 -M SNCL -n 1 -c /dev/urandom
  5. I am not going to memorize any passphrases for secondary accounts. Rather, I will entrust my browser to save those passwords (which are stored in my encrypted home directory). I will use a password reset function any time I lose, forget, or clear that database.
  6. I will maintain ~/.passwords.gpg -- an encrypted text file with all of my accounts and passwords, and use the gnupg.vim plugin to securely edit the file.
(1), (2), and (3) are really no different from what I do now.

(4), (5) and (6) are what's really new to me. As of now, I'm separating primary and secondary accounts. I won't even attempt to remember passwords for the hundreds of secondary accounts out there. I'll randomly generate new passwords for each, cache that in my local application (which I believe is better protected), and just reset those passwords as necessary.

  • Primary accounts - the few things that I need or else I'm unable to get work done, or access other critical data (e.g. Gmail, Launchpad/Ubuntu SSO, ssh, gpg, eCryptfs)
  • Secondary accounts - everything else that has a password reset function and can be securely and locally cached in a browser's (or other application's) saved password database (e.g. Facebook, LinkedIn, Twitter, my banks, et al.)
Using the above, I will:
  1. Minimize the number of passphrases I have to remember.
  2. Strengthen and diversify the passphrases to my few primary accounts.
  3. Eliminate the possibility of any passphrase being cracked by brute force.
  4. Consolidate the risk of any one passphrase being stolen to that account alone.
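To make item (4) and goal (3) concrete, here is an added Python example (not from the original post, and not apg itself) that mimics the apg invocation above: it draws 15 characters from the four classes that -M SNCL requests, requires each class to appear, and estimates how large the resulting keyspace is. The guess rate in years_to_brute_force is a constructed figure, not a measurement.

```python
import math
import secrets
import string

# Character classes mirroring apg's -M flags: S=symbols, N=numerals,
# C=capitals, L=lowercase. Uppercase flag letters in apg mean "must
# include", so every listed class is treated as required here.
CLASSES = {
    "S": string.punctuation,       # 32 symbols
    "N": string.digits,            # 10 numerals
    "C": string.ascii_uppercase,   # 26 capitals
    "L": string.ascii_lowercase,   # 26 lowercase
}


def has_all_classes(password: str, modes: str = "SNCL") -> bool:
    """True if the password contains at least one character from each requested class."""
    return all(any(ch in CLASSES[m] for ch in password) for m in modes)


def generate_passphrase(length: int = 15, modes: str = "SNCL") -> str:
    """Random password over the union of the requested classes, drawn from the
    OS CSPRNG (the same source apg uses with -c /dev/urandom)."""
    if length < len(modes):
        raise ValueError("length must allow one character per required class")
    alphabet = "".join(CLASSES[m] for m in modes)
    # Rejection sampling keeps the result uniform over all strings that
    # satisfy the class requirement, instead of biasing fixed positions.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, modes):
            return candidate


def entropy_bits(length: int = 15, modes: str = "SNCL") -> float:
    """Upper bound on entropy: log2 of the number of strings over the alphabet.
    For 15 characters over all 94 printable ASCII characters this is ~98 bits."""
    alphabet_size = sum(len(CLASSES[m]) for m in modes)
    return length * math.log2(alphabet_size)


def years_to_brute_force(bits: float, guesses_per_second: float = 1e12) -> float:
    """Expected years to search half the keyspace at a constructed guess rate."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_passphrase()
    bits = entropy_bits()
    print(pw, f"{bits:.1f} bits", f"{years_to_brute_force(bits):.2e} years")
```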
Does anyone else have better solutions to these problems?