Monday, September 26, 2016

Make your online passwords stronger and safer.

Data breaches revealing the personal information of millions continue unabated. This trend shows no sign of slowing. But, there are steps you can take right now to reduce your risk.

Before rushing off to change all your passwords, though, make an informed plan of action. Understand the risks you face, how you can reduce that risk, and how you can best prepare for the day when, despite all your best efforts, you still fall victim to the next hacker attack.

Note: This post contains a lot of information and advice. I strongly encourage you to read it. But, if you're in a hurry and would just like to review the recommendations, scroll ahead to Section 4, "TL; DR (Too long; Didn't read)".

1. Know your risk. What makes your password unsafe or vulnerable?

Passwords can be weak, vulnerable or both. A password is weak based on its intrinsic properties - length, characters used, recognizable or personal content. A password is vulnerable based on how it is created, used and stored and how long it remains in use. To make your passwords better, they should be both strong and less vulnerable to attack.

What makes for a strong password changes over time. Nowadays, there are applications to help us create strong passwords. I'll talk about one of those apps, Password Safe, below. Making a password less vulnerable is more complicated, though. In truth, you are probably better off assuming no password is ever totally invulnerable. Any password can be divulged or leaked, and the odds are that sooner or later it will be. No matter how much effort goes into crafting a strong password, it takes but one careless web site admin or poorly written app to store or access that password improperly.

So, as we create our plan to make our passwords better, we need to keep these points in mind. Most of us are probably ...

1. maintaining more passwords than we think,
2. using weak passwords,
3. reusing passwords for multiple sites,
4. using passwords we've used on sites that have been hacked,
5. using passwords we've never changed, even for months or years,
6. associating our passwords with User IDs that identify us, such as email addresses.

The more of these factors that apply to you, the greater risk you face. Although it might not seem that big of a deal to have someone hack your password to an online store, the risk rises dramatically if you've saved online payment credentials, your User ID is your email address or if your password matches the one on your bank's online account.

Now let's look at some practical steps to reduce your password risk.

2. Reducing the risk. Practicing good password hygiene.

First, create a list of online sites where you have active accounts with passwords.

Our passwords protect not just information, but access to valuable assets. So, the first step to reducing risk is to create and maintain an online account inventory, so we know what our exposure is. This is simply a list of all the sites where you've created an online identity with a password. As you set out to do this, you may be surprised how many there are. Don't forget to consider the following:

Banks, credit unions, mortgage or other debt-collection agencies,
Financial advisers, online investment accounts, stock-trading platforms,
Insurance companies, health plans, doctor or dentist offices,
Home security and/or service warranty providers,
Auto dealers and service centers, retail stores,
City government sites, electricity, gas and phone utilities,
State departments of motor vehicles, tax and/or licensing agencies,
Federal agencies (IRS, Social Security), legal service providers,
Mobile and Internet services, subscription-based content providers,
Online news publishers, print and media sites, sports or event ticketing agencies,
Restaurants, hotels, car-rental agencies, travel reservation sites,
Schools, colleges, universities, alumni associations,
Social media sites, email accounts, forums, bulletin boards, chat rooms.

As you make your list, do not include current passwords. Just make a list of sites. You don't even need to note the web addresses, since these may change. Don't worry if you can't think of them all. Keep returning to the list as you remember more.

Many of you may want to keep this list online. That is fine. But, I don't like to keep this list on my computer or phone. I maintain my list in a notebook that I usually keep with me. If you are worried about losing it, make a copy. Include a contact phone number if the site is a business. If you lose your computer or phone and worry about someone gaining access to your accounts, you can quickly retrieve this list to contact your bank and credit card issuers. Whenever I create an account, I make a note of the User ID I used and the name of the company or service. If the web address is not obvious, I may note that too.

Second, maintain a separate list of secure passwords.

In the same notebook, starting from the last page, I maintain a list of secure passwords that I add to over time but never reuse. Start with a list of about 20 of them. To create them, I use Password Safe. This application can also maintain an encrypted database of all your passwords, but I don't use it for that. The reason is that if the master password for my database is ever compromised, I've just revealed all my passwords. Also, I don't want to risk losing access to my passwords if my computer is lost, damaged, or hit by ransomware.

One of the features of Password Safe that I like is that I can specify the parameters of my passwords, such as minimum length, whether to include numbers and special characters, etc. On the same screen that I use to set my password policies, I can also test the algorithm to generate as many passwords as I like.

When you automatically generate passwords, avoid using XKCD-style passwords - passwords that combine several short, well-known words. Hackers have developed tools to rapidly attack this kind of password.

Once you have generated and recorded a list of strong passwords, you can assign them to the sites where you have active accounts.

Third, relate your passwords to your accounts.

For each of the passwords you have generated, select a site that you entered in your notebook. Next to the name of the site, indicate which password is selected, but not by writing the password itself. Use a technique of your own invention that is not obvious. One way to do this is by indicating only the third and fifth character of the chosen password. Another way may be by using a page and line number combination. The point here is that only you should be able to quickly deduce which password you have assigned to each site. 

Fourth, update your online passwords.

Now, with your sites and strong passwords defined, proceed to change the passwords themselves on each site. At first this will take some time, and it isn't necessary to change all of them at once. But make sure that you assign a strong password to each of them as soon as you can.

I suggest that every three to four months or so, you repeat the process described above, creating new passwords and assigning them to your online sites. Remember not to reuse any password used before. And, never use the same password for more than one site.

You may find that some sites have more restrictive rules for passwords, disallowing some characters in your generated passwords. If this happens, you can revise your password generation settings to comply with more restrictive sites, or choose another secure password from your list that is compliant. Avoid manually altering a generated password just to fit a site's rules.
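The policy-driven generation described above (minimum length, whether to include numbers and special characters) and the problem of sites that refuse some of those characters can be illustrated with the following Python script. This is an added example written for this page, not Password Safe's code or its algorithm; the policy field names, the `disallowed` parameter and the sample candidate list are this example's own assumptions. It draws characters with the OS CSPRNG (`secrets`), rejects draws that miss a required character class, picks from a pre-generated list the first password a restrictive site will accept, refuses outright when a site's restrictions wipe out a class the policy requires (the case where the generation settings, not the password, must change), and computes entropy in bits, which, unlike a site's strength meter, is comparable across sites.

```python
import math
import secrets
import string

# Constructed policy for this example; the field names are this example's
# own and are not Password Safe's settings.
POLICY = {"length": 16, "lower": True, "upper": True, "digits": True, "symbols": True}

# Character classes a policy may enable.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}


def allowed_classes(policy, disallowed=""):
    """Return the enabled classes with a site's disallowed characters removed.

    Raises ValueError if a class the policy requires is wiped out entirely:
    no password can then satisfy both the policy and the site, so the
    generation settings have to be revised rather than the password edited.
    """
    result = {}
    for name, chars in CLASSES.items():
        if not policy.get(name):
            continue
        kept = "".join(c for c in chars if c not in disallowed)
        if not kept:
            raise ValueError(f"site disallows every {name} character the policy requires")
        result[name] = kept
    if not result:
        raise ValueError("policy enables no character classes")
    return result


def complies(pw, policy, disallowed=""):
    """True if pw meets the policy length, contains no character the site
    disallows, and has at least one character from every enabled class."""
    classes = allowed_classes(policy, disallowed)
    if len(pw) < policy["length"] or any(c in disallowed for c in pw):
        return False
    return all(any(c in chars for c in pw) for chars in classes.values())


def generate(policy, disallowed=""):
    """Draw characters uniformly with the OS CSPRNG, rejecting draws that
    miss a required class. Rejection keeps the result uniform over the set
    of compliant passwords, unlike forcing one character per class into
    fixed positions, which would make some passwords more likely than others."""
    alphabet = "".join(allowed_classes(policy, disallowed).values())
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(policy["length"]))
        if complies(pw, policy, disallowed):
            return pw


def first_compliant(candidates, policy, disallowed=""):
    """From a pre-generated list (e.g. the notebook's spare passwords), return
    the first one a site with extra restrictions accepts, or None."""
    for pw in candidates:
        if complies(pw, policy, disallowed):
            return pw
    return None


def entropy_bits(policy, disallowed=""):
    """Entropy of a uniformly drawn password under the policy (the small loss
    from rejecting class-missing draws is ignored). Site strength meters use
    differing heuristics; this figure is the one that is comparable between them."""
    alphabet = "".join(allowed_classes(policy, disallowed).values())
    return policy["length"] * math.log2(len(alphabet))


if __name__ == "__main__":
    for _ in range(3):
        print(generate(POLICY))
    # A site that rejects quote and angle-bracket characters (constructed restriction).
    print(generate(POLICY, disallowed="\"'<>&"))
    print(f"{entropy_bits(POLICY):.1f} bits per password")
```

With the full 94-character alphabet a 16-character password carries about 104.9 bits; a site that forbids all punctuation makes `allowed_classes` raise, which is the signal to regenerate under a policy without symbols instead of hand-editing a password to fit.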

You may find that more and more sites grade your passwords as you enter them, indicating how strong they believe your password is. This is fine, but know that not all sites use the same techniques. One site may consider a password strong while another only regards it as moderate.

If the site allows you to enter a password hint to help you remember a forgotten password, my advice is not to use this feature if possible.

Avoid the temptation to replace a strong password with a weak one if you are in a hurry. It will take you more time, in the long run, to have to go back and update the password again later on. Keep your list of strong passwords such that you have some ready to use and assign to sites when you need them.

To summarize, here are some pros and cons of the approach described above:

Pros:

- Uses only strong passwords created by a consistent algorithm.
- Changes passwords on a regular basis in case of breaches that go unreported.
- Limits risk by avoiding the use of any one password on more than one site.
- Keeps passwords and sites away from malware, especially ransomware.
- Decreases the likelihood of your password list being copied many times.
- Gives you ready access to passwords, sites and contact info in case of device loss.

Cons:

- More labor-intensive than less-secure methods.
- Requires maintaining a backup copy in case of loss.

3. Preparing for disaster.

Sooner or later, one or more of the sites you use will likely fall victim to a hacker who gains access to some of your information stored on that site. Remember, this is not your fault. And, it likely has nothing to do with your password. Hackers will usually be able to foil the information security measures of an entire site more easily than they can brute-force a strong password. Even so, there are steps you can and should take to be ready for this when it happens.

First, remember to back up all of your important information on a regular basis.

Second, when setting up an online account, try to use a User ID that is NOT your email address. User IDs are often not stored encrypted. And knowing your email address gives hackers far too much information to use to try to gain access to your accounts on other sites. If the site requires the use of an email address, consider finding an alternate service provider. Or, as a last resort, create a free "burner" email address for use as the User ID for this account only.

Third, when you set up a new account, practice changing your password on that site. If the password-change process itself is insecure, don't use the site! Examples of an insecure password-change process include sites that email your new password to you, sites that let you retrieve a forgotten password without entering any verifying information, and password-change screens that do not use a secure protocol (e.g. https).

Fourth, if you sign on to a site only because you have to make a regular online payment, consider enrolling in an auto-payment mechanism if possible. This will reduce the number of times, overall, that you have to enter authentication information online, reducing the opportunities that your online traffic may be intercepted.

Fifth, keep an eye out for suspicious-looking emails claiming that your account has been compromised and that you need to take immediate action by clicking a link. This is often a phishing attack and will direct you to a forged site collecting login information. Always log on to your sites using their standard web address that you type in to your browser yourself.

4. TL; DR (Too long; didn't read!)

You're in a hurry. I get it. Hopefully you can return later to read my thoughts above. Here is a summary list of tips I've discussed in this article. I hope they are helpful for you!

- Make a list of online sites where you have a password-protected account.
- Use a software tool such as Password Safe to generate strong passwords.
- Associate strong passwords to your list of sites in a way only you understand.
- Consider maintaining your password lists offline, if practical.
- Update your online passwords at least every three to four months.
- Never use a password for more than one site.
- Never share a password with another person.
- Never rush when changing an expired password. Always stick to strong passwords.
- Avoid sites that have insecure password-change procedures.
- Avoid sites that require using an email address as a User ID.
- Use "burner" email addresses if you absolutely must use one as a User ID.
- Avoid using password "hints". Never use a "hint" that is or contains the password itself.
- Use password "managers" with caution - note the risk of a "master" password.

- Set up auto-pay for accounts that you only use to make regular payments.
- Stay alert to "phishing" scams advising you to click a link to change your password.
- Regularly back up your important data.