Sunday, June 26, 2011

The New York Times' bad password advice - and what you should do instead

In the context of a site that claims to check passwords against a published hacker repository [1] Scientific American repeats the NYT's conventional wisdom about passwords and security ...

Observations: How to Know If Hackers Have Stolen Your Password:

... Is your email address listed in any of these databases? The New York Times reports on an easy-to-use web tool that a security professional has created that will check your email address against 13 different databases containing 800,000 email address/password combinations. Called, appropriately, "Should I Change My Password?", the site runs a simple search for your email in the known files. I checked my various emails, and fortunately, the tool didn't turn up anything amiss. But the site also gives some very solid advice: Change critical passwords regularly, and don't reuse the same password across multiple sites... [3]

This is bad advice. The fact that it's repeated ad nauseam doesn't make it any better. Schneier, the doyen of net security, debunked the conventional wisdom about 5-7 years ago [3]. Essentially, these six goals are not mutually compatible ...

  1. Use a password that's resistant to password-guessing attacks
  2. Change passwords frequently
  3. Don't reuse passwords
  4. Get stuff done (requires password actually working)
  5. Give your partner access to critical accounts, including those s/he will need when you kick off.
  6. Have a life

Given that most of us want to get stuff done, and even have a life, what should a regular person do? Schneier hasn't summarized this recently, probably because he's become bored and discouraged, but I think he'd go with this list:

  1. Use as few online services and accounts as possible. The more identities you have, the more you need to secure. If you give up on AOL, don't just add Google. Delete the AOL account. If you can't delete an account (all too common a problem) [4] then remove all of your personal information and email credentials, change the password to 128 random characters, and log out. It's as good as dead then.
  2. Don't use important credentials (e.g. banks, Google) on untrusted machines. Keystroke logger malware will defeat the world's greatest password. This includes work machines, anything running XP, and public machines. If you're running XP at home you need to switch to one of these platforms: iOS (most secure - iPad, etc), Win 7 with antiviral, or OS X 10.6+. [5]
  3. On your trusted machine (iOS, Win 7 w/ antiviral, OS X 10.6 plus) do use strong passwords [6] on the accounts you care about. Since you should only have a few accounts you care about, you may reuse your secure passwords. If you reuse, consider adding a prefix or suffix that permutes the password, such as "Google", "Fidelity", etc. Don't store your passwords digitally, write them down on paper in your wallet and in a safe place in your home.
  4. For the zillion accounts you don't care about, such as kid's baseball signup account, heavily reuse a robust password but assume it's public. Every year or two feel free to change it. Assume these accounts will be hacked -- but, really, who the heck would bother? There's no need to lock a shed that holds refuse! The trick here is that if you decide you do care about an account, you will need to give it a reasonably unique password.
  5. Try to avoid the damned "secret questions". They are a huge security risk. I don't have a good answer to these plagues. They are the technological equivalent of Michele Bachmann -- a sign that humanity is a passing fad.
  6. Use Chrome for your web browser. It's by far the most secure browser platform, and it includes its own firewalled PDF reader software.
  7. Don't install Adobe reader or Flash. They're notoriously risky. This is more practical on OS X, and is a big advantage of OS X over Windows 7.
  8. Don't install software that's not from a trusted source. This excludes, incidentally, most of the Android App Store.
  9. On OS X, don't login as an Admin user, login as a regular user. I believe this is also possible on Windows 7.

Phew. That's awful, isn't it? Things are bad. There is hope however ...

  1. Signed code is here with iOS (iPhone, iPod Touch, iPad) and is coming to OS X [7]. This will dramatically decrease malware, including keystroke loggers.
  2. Multi-channel multi-factor authentication is here and will one day be usable by people with a life.
  3. Identity management solutions are oozing out of the mire and will be built into future OS versions (iCloud, Android, ChromeOS).
  4. Biometric authentication will work ... one day ... maybe ...
  5. IPv6, the next generation internet, enables new authentication and security technologies.

The above list of security guidelines is pretty bad, but it is doable by regular humans. Meanwhile, what about geeks who, after all, don't have a life to lose?

Here's what this geek does ...

  1. I do enter my Google credentials on my relatively untrusted work machine -- but I use Google's two-channel two-factor authentication while avoiding their vulnerable SMS channel. Because I do that I assume my Google password has been compromised -- so I don't reuse it. This is pure geek stuff; Google has worked hard on their two factor but it's still a pain in the ass to use. They need to work on their iOS apps in particular.
  2. I use 1Password on my iPhone and desktop. I need it as much to keep track of my usernames and the #$$!%!#$% secret questions as my passwords [8]. I don't love it, but it's the best solution I can find.
  3. I print out my and the family's credentials periodically so Emily has an easily accessible set in case of emergency. The password stores are not user friendly.
  4. I don't trust the Cloud -- I don't store secret information on any Cloud service.
  5. I have settled on using Google for my OpenID/OAuth service provider because of their two factor authentication.
  6. Otherwise I follow most of the advice above. Today, after some equivocation, I removed Flash Player from my primary machine.

- fn -

[1] If it's legitimate, then the site runs a cryptographic hash function locally and compares the output to hashed versions of the password repository. I gave it an old disposable password, and to my surprise it didn't match anything stolen. I am pretty sure this site is legitimate, but it's a terrible practice to encourage civilians to enter their passwords for testing. At the very least, the site should be run by either the US government (think on that!) or by a corporation with a lot to lose.
[2] Before I went to the "two-channel" flavor of two factor. See below.
[3] For a full set of conventional wisdom, see Schneier on Security: Password Advice (2009): Note, if you don't read it carefully you think this is his advice. It's really the conventional wisdom.
[4] These days, before I sign up for anything, I check their account deletion policies. If they don't give me a clear path to account removal they don't get my business. See Gordon's Notes: Gordon's Laws for software and service use.
[5] Sorry, there's no nice way to put this. XP is finished.
[6] Schneier on Security: Choosing Secure Passwords (against an offline password-guessing attack) (2007): ".... a typical password consists of a root plus an appendage. A root isn't necessarily a dictionary word, but it's something pronounceable. An appendage is either a suffix ... or a prefix ... You should mix upper and lowercase in the middle of your root. You should add numbers and symbols in the middle of your root, not as common substitutions. Or drop your appendage in the middle of your root. Or use two roots with an appendage in the middle.... the seven-character phonetic pattern dictionary -- together with an uncommon appendage, is not going to be guessed. Neither is a password made up of the first letters of a sentence, especially if you throw numbers and symbols in the mix...." Personally, I just use Code Poetry's utility to run OS X Password Assistant and have it make me a memorable password.
[7] With robust Digital Rights Management and many other expected and unexpected side-effects. Unmitigated goodness is rare.
[8] I wrote a custom FileMaker credential management database back in the early 90s. I would prefer to use it on my iPhone, but FM is pretty much dead. Bento doesn't offer encrypted iOS databases.
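As an added illustration of the mechanism footnote [1] describes (this is not code from the post or from the "Should I Change My Password?" site): the repository holds only digests of leaked passwords, and the check hashes the candidate locally and compares digests, so the plaintext never leaves the user's machine. The passwords and dump names are constructed sample data.

```python
import hashlib

# Constructed demo leaks (NOT real breach data): (plaintext, name of the dump it came from).
_DEMO_LEAKS = [
    ("password123", "dump-A"),
    ("letmein", "dump-A"),
    ("letmein", "dump-B"),
    ("hunter2", "dump-C"),
]


def sha256_hex(text: str) -> str:
    """Local cryptographic hash; this is the only value that would be sent or compared."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_repository(leaks):
    """Store the repository as digest -> set of dump names, never as plaintext."""
    repo = {}
    for plaintext, dump in leaks:
        repo.setdefault(sha256_hex(plaintext), set()).add(dump)
    return repo


BREACH_REPOSITORY = build_repository(_DEMO_LEAKS)


def dumps_containing(password: str, repository=BREACH_REPOSITORY) -> set:
    """Client-side check: hash the password locally, then look up only the digest."""
    return set(repository.get(sha256_hex(password), ()))


if __name__ == "__main__":
    for pw in ("letmein", "correct horse battery staple"):
        hits = dumps_containing(pw)
        status = "found in " + ", ".join(sorted(hits)) if hits else "not in repository"
        print(f"{pw!r}: {status}")
```

Note that an unsalted digest list like this is still a password-guessing aid for anyone who obtains it, which is part of why footnote [1] is uneasy about such sites in the first place.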
