From the Canyon Edge: December 2010

Tuesday, December 14, 2010

So Many Passwords...

Courtesy: http://xkcd.com/792/

Yesterday, there was an announcement that hashes Gawker Media's account passwords had been compromised and published on the internet. I had never heard of Gawker Media.

Whoa, sucks for them!

A few hours later, I received an email from LifeHacker saying that its accounts are actually managed by Gawker and that there's a chance that my account might have been compromised.

Dang, sucks for me :-(

So I spent some time thinking about it, and I've decided I'm going to take a new approach to passwords and my hundreds of disparate accounts on the web...

The Code

I am going to use even stronger passphrases for each of my primary accounts.
I am going to always use different passphrases for each of those primary accounts.
I am going to memorize each of those passphrases from (1) and (2).
For all secondary accounts, I am going to use unique, randomly generated passphrases, perhaps created like this:
```
apg -a 1 -m 15 -M SNCL -n 1 -c /dev/urandom
```
I am not going to memorize any passphrases for secondary accounts. Rather, I will entrust my browser to save those passwords (which are stored in my encrypted home directory). I will use a password reset function any time I lose or forget or clear that database.
I will maintain ~/.passwords.gpg -- an encrypted text file with all of my accounts and passwords, and use the gnugpg.vim plug to securely edit the file.

(1), (2), and (3) are really no different for what I do now.

(4), (5) and (6) are what's really new to me. As of now, I'm separating primary and secondary accounts. I won't even attempt to remember passwords for the hundreds of secondary accounts out there. I'll randomly generate new passwords for each, cache that in my local application (which I believe is better protected), and just reset those passwords as necessary.

Definitions

Primary accounts - the few things that I need or else I'm unable to get work done, or access other critical data (e.g. Gmail, Launchpad/Ubuntu SSO, ssh, gpg, eCryptfs)
Secondary accounts - everything else that has a password reset function and can be securely and locally cached in a browser's (or other application's) saved password database (e.g. Facebook, LinkedIn, Twitter, my banks, et al.)

Using the above, I will:

Minimize the number of passphrases I have to remember.
Strengthen and diversify the passphrases to my few primary accounts.
Eliminate the possibility of any passphrase being cracked by brute force.
Consolidate the risk of any one passphrase being stolen to that account alone.

Does anyone else have better solutions to these problems?

Cheers,

:-Dustin

About the Author

Dustin Kirkland (Twitter, LinkedIn) is an engineer at heart, with a penchant for reducing complexity and solving problems at the cross-sections of technology, business, and people.

With a degree in computer engineering from Texas A&M University (2001), his full-time career began as a software engineer at IBM in the Linux Technology Center working on the Linux kernel and security certifications, including a one-year stint as an dedicated engineer-in-residence at Red Hat in Boston (2005). Dustin was awarded the title Master Inventor at IBM, in recognition of his prolific patent work as an inventor and reviewer with IBM's intellectual property attorneys.

Dustin then first joined Canonical (2008) as an engineer (eventually, engineering manager), helping create the Ubuntu Server distribution and establishing Ubuntu as the overwhelming favorite Linux distribution in Amazon, Google, and Microsoft's cloud platforms, as well as authoring and maintaining dozens of new open source packages.

Dustin joined Gazzang (2011), a venture-backed start-up built around an open source project that he co-authored (eCryptFS), as Chief Technology Officer, and helped dozens of enterprise customers encrypt their data at rest and securely manage their keys. Gazzang was acquired by Cloudera (2014).

Having effectively monetized eCryptFS as an open source project at Gazzang, Dustin returned to Canonical (2013) as the VP of Product for Ubuntu and spent the next several years launching a portfolio of products and services (Ubuntu Advantage, Extended Security Maintenance, Canonical Livepatch, MAAS, OpenStack, Kubernetes) that continues to deliver considerable annual recurring revenue. With Canonical based in London, an 800+ work-from-home employee roster and customers spread across 40+ countries, Dustin traveled the world over, connecting with clients and colleagues steeped in rich cultural experiences.

Google Cloud (2018) recruited Dustin from Canonical to product manage Google's entrance into on-premises data centers with its GKE On-Prem (now, Anthos) offering, with a specific focus on the underlying operating system, hypervisor, and container security. This work afforded Dustin a view deep into the back end data center of many financial services companies, where he still sees tremendous opportunities for improvements in security, efficiencies, cost-reduction, and disruptive new technology adoption.

Seeking a growth-mode opportunity in the fintech sector, Dustin joined Apex Clearing (now, Apex Fintech Solutions) as the Chief Product Officer (2019), where he led several organizations including product management, field engineering, data science, and business partnerships. He drastically revamped Apex's product portfolio and product management processes, retooling away from a legacy "clearing house and custodian", and into a "software-as-a-service fintech" offering instant brokerage account opening, real-time fractional stock trading, a secure closed-network crypto solution, and led the acquisition and integration of Silver's tax and cost basis solution.

Drawn back into a large cap, Dustin joined Goldman Sachs (2021) as a Managing Director and Head of Platform Product Management, within the Consumer banking division, which included Marcus, and the Apple and GM credit cards. He built a cross-functional product management community and established numerous documented product management best practices, processes, and anti-patterns.

Dustin lives in Austin, Texas, with his wife Kim and their wonderful two daughters.

Tuesday, December 14, 2010

So Many Passwords...

Printfriendly

About the Author

Blog Archive

Github Activity

Google Plus

Twitter

StackExchange

Solar Output

Labels