“Hi, my name is jik, and I’m a password reuser.”
If there isn’t a “Password Reusers Anonymous”, there probably should be.
By “password reuse,” I mean using the same password over and over on multiple Web sites. It’s a really bad idea, and I should know that better than most, since I’ve worked on and off in the field of computer security for over two decades.
- Operators of a bad Web site could use users’ passwords to log on to other sites where the users have accounts. If you think this would never happen, take a look at how many credit-card skimming operations are perpetrated by store owners, waiters, etc. (including this one, which I personally got snared in through the use of my corporate AmEx card).
- An operator of the site could sell its database of email addresses and passwords to hackers, who could then use them to make large-scale attempts to break into accounts on other sites.
- Even without the cooperation of the Web site’s operators, a hacker could break into the site, steal the account database, and use it as described above.
- Many of these Web sites will email your password to your email account if you tell the site that you’ve forgotten it. If someone breaks into your email account, they can look at old messages to see what sites you have accounts at, tell one of those sites to email your password, and then use that password to log into the other sites you’ve used.
- If you are the kind of person who has to worry about keeping things private from family members, the problem above is even worse, since they can look in your browser history, not just old messages in your mailbox, to find out what sites you’ve visited and may have accounts at.
But the biggest problem by far, which dwarfs all the problems listed above, is: If your password is somehow compromised, then you need to change it on every Web site on which you’ve used it.
If using the same password on multiple Web sites is such a bad idea, then why do so many people do it? Simply put, because it’s easier to remember one password than it is to create and remember hundreds of them. And if you can’t remember them, then you need to write them all down on a list somewhere, and find a way to both keep the list secure and make it accessible whenever and wherever you need it. There are some available tools to make this easier, but the best ones cost money, and not many people are savvy enough to go looking for tools to handle this sort of thing.
I fell into the password reuse trap years ago, when data breach incidents were few and far between and tools for managing passwords didn’t exist. Old habits die hard, and I never broke this one. And so, since last week, when the password I’ve been using as my standard third-party Web site password for well over a decade was compromised (I will post later about how it was compromised), I’ve had to spend every available moment changing my password on over 300 Web sites. Believe me, it took a while.
In the process, I learned some very scary things about the state of password security on the Web. Sites that store passwords in plain-text, email them to you upon demand, limit passwords to insecure lengths or severely restrict what characters can appear in them, don’t support changing passwords at all, claim to support it but it doesn’t actually work… I saw it all, and I must say I was surprised. I’ll be shaming the guilty in a separate blog posting, but in the meantime, I want to offer the following advice to others:
- If you’re using the same password on multiple Web sites, then stop it right now. Really.
- One option to consider for limiting the number of passwords you need to remember is OpenID. However, it isn’t supported everywhere, so you’ll probably have to use a different approach in addition to this one. Therefore, it might not be worth bothering with it.
- Another option is to use a tool such as Sxipper or Mitto to manage your passwords. I’m not endorsing those two particular tools; they’re just two that I know about; you can find many more by Googling for “password manager.” I write a bit more about password managers below.
- The solution I ended up settling on was to classify the sites I use into three tiers — trusted, untrusted secure, and untrusted — assign a different type of password to sites in each tier (more on this below), and keep track of all the passwords in a file on my hard disk encrypted with GPG. This turned out to be somewhat easier than expected because the newest version of GNU Emacs (the text editor I use) knows how to handle “.gpg” files automatically, so it automatically prompts me for my GPG passphrase and decrypts the password file each time I load it into Emacs, and encrypts it automatically when I make changes and save it. I also use Sxipper with Firefox at home (but not at work) to reduce the frequency with which I have to consult my encrypted password file.
Password managers come in three varieties:
- Local — stores your data locally on a single computer and makes it accessible there only (sometimes for just one type of browser, sometimes for different types)
- Local with export — stores your data locally but allows it to be exported and copied to other computers and sometimes to other types of devices, e.g., SmartPhones. Might also allow the data to be stored on a thumb drive so that you can take your passwords with you simply by unplugging the thumb drive and plugging it into a different computer.
- Online — stores your data on a central server and makes it available to multiple computers, perhaps multiple types of browser, and perhaps different devices such as SmartPhones as well.
- Algorithmic — generates random passwords on the fly based on a single “master password” and the URL of the Web site. See, for example, http://passwordmaker.org/.
The biggest advantage of a local password manager is that you aren’t trusting your data to someone else. Whether you are willing to trust a third-party on the Internet with all of your account usernames and passwords is something you will need to decide after carefully examining the provider’s security and privacy policies and documentation and then deciding whether you actually believe them. Anybody can claim that their servers are secure and their data is encrypted, but what if they’re lying?
The biggest advantage of an online password manager is that they (supposedly) back up the data for you, you don’t have to worry about losing it if you lose your computer, and it is extremely easy to use it from multiple computers and perhaps even different kinds of devices.
The biggest advantage of an algorithmic password manager is that there’s no list of passwords to store or copy between computers. The biggest disadvantage is that it will have trouble at sites with stupid restrictions on passwords, such as the many Web sites I list in my Password Security Hall of Shame. In my opinion, algorithmic password generators are a clever idea, but one that falls just a little short of good enough in the real world for people who use lots of Web sites. (Thanks to Robert Munro for bringing up this type of password manager.)
If you want to try a password manager, then first decide which type you’re comfortable using, then decide what features you want (Which browsers does it need to work with? Does it need to support your SmartPhone? Do you want thumb drive support? Do you want the data to be encrypted automatically? Do you want it to require you to enter a master password every time it authenticates you anywhere? Do you need it to let you export your data and import it elsewhere? Etc.), then Google for “password managers” and look for one that has the features you want. You may also wish to search for “password manager comparisons” and take a look at some of the results.
If you do use a password manager, then you need to either (a) keep track of your passwords outside of the password manager as well, e.g., in an encrypted file, and just use the password manager as a convenience tool so you don’t have to constantly look up passwords in the file, or (b) make sure that the data in the password manager is backed up regularly, and that the password manager will let you export all of your passwords in plain-text should you need to do so (e.g., when you decide to stop using the password manager), so you won’t get locked out of all of your sites.
As mentioned above, I divide the Web sites I use into three tiers, and I use a different method for choosing the password to assign to sites in each tier.
A trusted site is one which I use very often, which I believe stores passwords correctly (i.e., as cryptographic hashes), and which otherwise seems to have a clue about security. I decided to use the same password for all of these sites, but at the same time, I keep the number of such sites to a minimum to reduce my exposure and the number of passwords I’ll need to change if the password is compromised. Thus far, I’ve put only three sites out of more than 300 in this tier, and I maintain two of them ;-).
An untrusted secure site is one that I believe stores passwords correctly, but I’m not absolutely certain and it isn’t worth the effort of finding out. For these sites, I use an algorithmic password, i.e., I start with the same template password and then modify it based on the domain name of the site. For example, a simple algorithm (no, it’s not the one I use!) might be to take the first and last letters of the domain name and wrap them around the template, such that the template password “fRoOdLe5” and the Web site “www.microsoft.com” would yield the password “mfRoOdLe5t”. Algorithmic passwords make it unnecessary to remember different passwords for every site, and they increase security to some extent, because a hacker using a stolen password list to attempt large-scale break-ins on other sites probably isn’t going to take the time to look at all the passwords and try to figure out people’s algorithms. However, this approach doesn’t protect you very well from targeted attacks, so if you’ve got a roommate you don’t trust, I wouldn’t advise it.
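To make the two flavours of “algorithmic” concrete, here is an added Python example that is not the author’s own scheme (which he deliberately doesn’t disclose) and not code from any tool named here. It implements the toy wrap-around rule from the paragraph above, reproducing its “fRoOdLe5” / “www.microsoft.com” → “mfRoOdLe5t” case, beside the keyed-hash derivation that managers of the passwordmaker kind (the “Algorithmic” variety listed earlier) use: HMAC of the site name under the master password. The `site_name` helper is a simplification assumed by the example; it takes the label before the last one and does not consult a public-suffix list.

```python
import base64
import hashlib
import hmac


def site_name(hostname: str) -> str:
    """Pick the label the scheme keys on: 'www.microsoft.com' -> 'microsoft'.

    Assumption of this example: the label before the last one. A real tool
    would use the public-suffix list so that 'bbc.co.uk' maps to 'bbc'.
    """
    labels = hostname.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def wrap_password(template: str, hostname: str) -> str:
    """The post's toy rule: first and last letter of the domain wrap the template.

    Every derived password contains the template verbatim, so any two of
    them differ in only two characters.
    """
    name = site_name(hostname)
    return name[0] + template + name[-1]


def hmac_password(master: str, hostname: str, length: int = 16) -> str:
    """Derive a per-site password as HMAC-SHA256(master, site name), URL-safe
    base64, truncated to `length` characters.

    Deterministic, so there is no list to store or copy between computers,
    and one leaked output reveals nothing about the master or other sites.
    Sites that reject '-' or '_' (or cap the length lower) still need a
    per-site override, which is the real-world shortcoming noted above.
    """
    mac = hmac.new(master.encode("utf-8"),
                   site_name(hostname).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii")[:length]


if __name__ == "__main__":
    print(wrap_password("fRoOdLe5", "www.microsoft.com"))   # mfRoOdLe5t
    print(wrap_password("fRoOdLe5", "www.google.com"))      # gfRoOdLe5e
    print(hmac_password("fRoOdLe5", "www.microsoft.com"))
    print(hmac_password("fRoOdLe5", "www.google.com"))
```

Run both on a handful of hostnames and the contrast is the whole argument of the paragraph above: the wrap rule yields passwords that are visibly the same string with a different rind, while the HMAC outputs share nothing, which is why the keyed-hash form holds up against a targeted attacker and the toy rule does not.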
An untrusted site is just what it sounds like. In some cases, I know for a fact that the site stores passwords in plain-text, and in others, I suspect as much or haven’t bothered to find out because I use the site so infrequently that it just doesn’t matter. For each of these sites, I use a program to generate a different ten-character random password consisting of eight letters plus two numbers. I had to make the password shorter than that at some sites which stupidly limit passwords to fewer than ten characters (ugh!).
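A generator for the third tier, as an added Python example (not the program the author used, which the post doesn’t name): ten characters made of eight letters and two digits, drawn from the OS CSPRNG via `secrets` rather than the non-cryptographic `random` module, with a helper that shrinks to a site’s length cap while keeping the digits, and an entropy calculation that shows what those caps cost. The default lengths mirror the post; the shrinking policy and the entropy arithmetic are this example’s own.

```python
import math
import secrets
import string

LETTERS = string.ascii_letters   # 52 upper- and lower-case letters
DIGITS = string.digits           # 10 digits


def random_password(num_letters: int = 8, num_digits: int = 2) -> str:
    """Eight letters plus two digits by default, matching the post's recipe.

    Characters come from secrets.choice (OS CSPRNG) and are shuffled with
    SystemRandom so the digits don't always sit at the end.
    """
    chars = [secrets.choice(LETTERS) for _ in range(num_letters)]
    chars += [secrets.choice(DIGITS) for _ in range(num_digits)]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def password_for_site(max_length: int = 10, num_letters: int = 8,
                      num_digits: int = 2) -> str:
    """Honour a site's length cap by dropping letters, not digits, so the
    result still satisfies 'must contain a number' rules at short lengths."""
    if max_length < num_letters + num_digits:
        num_letters = max(1, max_length - num_digits)
    return random_password(num_letters, num_digits)


def entropy_bits(num_letters: int = 8, num_digits: int = 2) -> float:
    """Entropy of the recipe: letter choices, digit choices, and the number
    of ways to place the digits among the positions (C(n, k))."""
    total = num_letters + num_digits
    return (num_letters * math.log2(len(LETTERS))
            + num_digits * math.log2(len(DIGITS))
            + math.log2(math.comb(total, num_digits)))


if __name__ == "__main__":
    print(random_password())                 # e.g. 'k3QzpY8Wmf' (random)
    print(password_for_site(max_length=8))   # 6 letters + 2 digits
    print(f"{entropy_bits(8, 2):.1f} bits at 10 chars")   # 57.7
    print(f"{entropy_bits(6, 2):.1f} bits at 8 chars")    # 45.7
```

Going from ten characters to eight drops the password from about 58 bits to about 46, which is what a site that “stupidly limits passwords to fewer than ten characters” is doing to its users; it is also why such a site belongs in this tier and gets a password shared with nothing else.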