From the Canyon Edge -- :-Dustin

Tuesday, December 14, 2010

So Many Passwords...



Yesterday, there was an announcement that hashes Gawker Media's account passwords had been compromised and published on the internet. I had never heard of Gawker Media.

Whoa, sucks for them!

A few hours later, I received an email from LifeHacker saying that its accounts are actually managed by Gawker and that there's a chance that my account might have been compromised.

Dang, sucks for me :-(

So I spent some time thinking about it, and I've decided I'm going to take a new approach to passwords and my hundreds of disparate accounts on the web...

The Code
  1. I am going to use even stronger passphrases for each of my primary accounts.
  2. I am going to always use different passphrases for each of those primary accounts.
  3. I am going to memorize each of those passphrases from (1) and (2).

  4. For all secondary accounts, I am going to use unique, randomly generated passphrases, perhaps created like this:
    apg -a 1 -m 15 -M SNCL -n 1 -c /dev/urandom
  5. I am not going to memorize any passphrases for secondary accounts. Rather, I will entrust my browser to save those passwords (which are stored in my encrypted home directory). I will use a password reset function any time I lose or forget or clear that database.
  6. I will maintain ~/.passwords.gpg -- an encrypted text file with all of my accounts and passwords, and use the gnugpg.vim plug to securely edit the file.
(1), (2), and (3) are really no different for what I do now.

(4), (5) and (6) are what's really new to me. As of now, I'm separating primary and secondary accounts. I won't even attempt to remember passwords for the hundreds of secondary accounts out there. I'll randomly generate new passwords for each, cache that in my local application (which I believe is better protected), and just reset those passwords as necessary.

Definitions
  • Primary accounts - the few things that I need or else I'm unable to get work done, or access other critical data (e.g. Gmail, Launchpad/Ubuntu SSO, ssh, gpg, eCryptfs)
  • Secondary accounts - everything else that has a password reset function and can be securely and locally cached in a browser's (or other application's) saved password database (e.g. Facebook, LinkedIn, Twitter, my banks, et al.)
Using the above, I will:
  1. Minimize the number of passphrases I have to remember.
  2. Strengthen and diversify the passphrases to my few primary accounts.
  3. Eliminate the possibility of any passphrase being cracked by brute force.
  4. Consolidate the risk of any one passphrase being stolen to that account alone.
Does anyone else have better solutions to these problems?

Cheers,
:-Dustin

21 comments:

  1. Nice! I hadn't seen apg before. I'd probably bump -m up to 15 for fun, and add -M SNCL for some variety, though some sites really don't like the special characters. :)

    ReplyDelete
  2. Thanks, Kees.

    I have updated the snippet above to reflect those suggestions.

    And you're right about different sites having different requirements. For those, you might have to adjust the apg arguments accordingly.

    Dustin

    ReplyDelete
  3. LastPass for your minor accounts (although I wouldn't categorize a bank account as minor).

    ReplyDelete
  4. Use something like LastPass to generate secure random passwords for everything, then keep those synced across all your computers and browsers. Make sure to use two-factor authentication. I use the Yubikey, but grid-based auth is okay if you don't wanna pay anything.

    ReplyDelete
  5. http://pthree.org/2010/09/21/password-cards/

    ReplyDelete
  6. Use OpenID where possible... Gawker sites like Lifehacker accept OpenID... we need more people using it to make more sites feel comfortable using it and believing people will actually use it to take the time to use it. Your Google and Launchpad accounts are both OpenID Providers already.

    ReplyDelete
  7. Why not use a password manager such as KkeepassX? You can sync your database across multiple computers with dropbox or ubuntu one, and there even is a client for android or iOS.

    ReplyDelete
  8. You really consider your bank accounts "minor"?

    ReplyDelete
  9. Lots of questions about considering my bank accounts minor...

    They're "minor" because I'm not logged into them all day, every day, like Gmail and Launchpad, etc. When I reset my password of some other site, I don't have to log into my bank account site to see what the new password is.

    In any case I'm updating the text above to say "primary/secondary" rather than "major/minor".

    ReplyDelete
  10. I feel your pain when the day comes that you lose your firefox password history.

    Perhaps you should keep them else where as well?

    ReplyDelete
  11. I am similar, but I also have a third section: "sensitive". This is paypal, bank accounts, amazon etc... anything to do with money really.

    They get really long complicated passwords (generally 20 characters), are not saved in browser, and are saved in an encrypted keepassx file.

    ReplyDelete
  12. You might be interested to read a little bit more about how the breach of security happened. It's quite clear that Gawker is employing some seriously incompetent folks, but they're trying to tell us that if we had secure passwords, they'd be harder to crack, as if it's our fault.

    There's a very good article about the whole fiasco on Forbes: http://blogs.forbes.com/firewall/2010/12/13/the-lessons-of-gawkers-security-mess/

    The chat logs are particularly infuriating.

    ReplyDelete
  13. I remember only a few primary passwords (login, GPG key...), then for everything else I generate unique random passwords and store them in a GPG-encrypted file.

    I use a helper to securely query my passwords (that prompts me for my GPG key) and use gnupg.vim to edit the file.

    I only let the browser store passwords to non-sensitive websites that I visit often.

    ReplyDelete
  14. Rather than trusting the browser to remember all of your passwords (what if you are on a different machine etc), or going with one of those solutions which tries to synchronise your passwords everywhere, you can just make your secondary passwords a function of the domain name you use them on, and a secret you remember.

    As an example. If I wanted a password for amazon.com, I could do:

    domain: "amazon"
    secret: "shhh"
    md5(domain, secret) = md5("amazonshhh") = "adf41b7b9819627c9c4d5c49ad4dda4e"

    Then interleave letters and numbers

    "a4b7b9c9c4d..." (for some nice length)

    Finally, because you will get some places that say "your password couldn't possibly be secure if it doesn't have a capital letter in it", alternate case for all the letters:

    "a4B7b9C9c4D..."

    Now you can still trust your browser's password saver, but you can also derive your password without any fancy software (and I'm sure you will be able to find a javascript md5sum somewhere that works purely client side)

    On the topic of bad validation, your blogging software wouldn't let me post as using a name/email, claiming there was an invalid character in the url. It was of the form "[a-z]*-[a-z]*@[a-z]*-[a-z]*\.com", which seems fairly reasonable.

    ReplyDelete
  15. http://www.passwordcard.org/ have already been mentioned, but I'm giving my +1 on that. Coupled with http://www.clipperz.com/ it makes a great combo.

    ReplyDelete
  16. Dustin,
    Please consider changing the status of your bank accounts to 'Critical' for the article so that people don't follow your lead.

    Someone hacking into my Gmail account is going to be a pain: someone stealing my family fortune is life changing!

    ReplyDelete
  17. http://www.yubico.com/yubikey

    ReplyDelete
  18. Thank you for your excellent post. Since I will probably have to make the same a few adjustments. Since the weekend is indeed saved;-)

    ReplyDelete
  19. Two comments and a question…

    - For people who prefer Gedit to vim, the package 'seahorse-plugins' allows encrypting/decrypting text.

    - Chromium (at least 10.0.642.2) seems to put saved passwords in the login keyring, which is stored in ~/.gnome2/keyrings/login.keyring and can be viewed in Seahorse. This would obviate putting your "secondary" passwords in ~/.passwords.gpg …but perhaps you use Firefox.

    - Suppose you want to log in to LinkedIn from someone else's Window's computer—would you temporarily reset your password, then reset again once you got back to your own machine? What would you use instead of apg, which would not be available in this situation? Or is this not a common occurrence for you?

    Also, thanks for pointing out apg before I wasted time duplicating it for myself!

    ReplyDelete
  20. I had not seen KeePassX before, but the program revelation is perhaps similar and is also very useful.

    ReplyDelete
  21. @the-new-andy: That's exactly what Pwdhash does. I'm using Pwdhash for a long time now and all i need to remember is one password.

    ReplyDelete

Please do not use blog comments for support requests! Blog comments do not scale well to this effect.

Instead, please use Launchpad for Bugs and StackExchange for Questions.
* bugs.launchpad.net
* stackexchange.com

Thanks,
:-Dustin

Printfriendly