Tuesday, January 17, 2012

Taking passwords seriously

I used to use the same password everywhere. In 1993, I crashed a Clinton inauguration party at a restaurant in DC, and for years my password was a derivative of that restaurant's name. I'd read somewhere that it was a good idea to include numbers in your passwords, so I picked a number and my "standard" password became "restaurant#name". Sometime a few years later, I read that symbols were good too - so the stand-by became "restaurant[number]name[symbol]". Every time I set that as my password, the password strength meters measured off the charts: it used a number and a symbol, wasn't in the dictionary, and I was probably the only person in the world with that particular password.

But things began to get messy. Some sites didn't allow symbols. Others had a max character limit. As sites got more serious about security, some required mixed cases (some capitals, some lower case). Inevitably, my "standard" password became more like a template, with a half dozen derivatives. And it became increasingly hard to remember which site had which derivative.

Several years ago, I realized that one password to rule them all was probably a bad idea. After all - if someone got ahold of my nytimes.com password, they'd probably be able to log into Amazon, Gmail, PayPal and any number of other sites. I resolved to use a pattern that was site-specific. That was marginally better, but anyone who got ahold of my password at one site could probably figure out my password on other sites.

Then in December of 2010, Gawker was compromised, and the hackers didn't just publicize that they'd breached Gawker's servers, they published a file of all usernames and passwords. I had an account at Gawker, and as a result my password - and the simple pattern used to construct it - was available for the world to see. I'd read about password managers at the time, but thought that since I'd been able to survive for 15 years without one, I'd be OK just hardening my "standard" password. My new pattern incorporated the year, but now I had an even worse mess on my hands: I had dozens of accounts, and depending on when I'd last accessed them, a password that followed one of three possible patterns (with any number of derivatives). My method was falling apart. When 2012 arrived, it was clear I was toast. I couldn't have a year-dependent password pattern - did I open that account in 2011? 2012? Did I update it in 2010?

This weekend, Zappos's 24 million customer accounts were compromised (I was one of them). Though we don't yet know how broad the breach was, or whether the attackers will publish an account list like the Gawker attackers did, I didn't need another reminder. It was time to get serious about my passwords.

I asked people on Google+ and Twitter what they used to manage their passwords, and people overwhelmingly recommended two services - LastPass and 1Password. LastPass had a few more recommendations overall, so I started there.

First off, a quick summary of what LastPass is: you create a username and password with LastPass, and as you log into websites it asks whether you'd like to store those in your LastPass "vault". Once stored, each username and password is available to you wherever you can access LastPass - whether on your computer, on a guest computer, on your mobile device, etc. If you're creating a new account, LastPass can generate a very secure password - it won't be memorable, it isn't guessable, and it'll be unique to that site and your username. (I just asked LastPass to generate a new password, here's what it came up with: "kkVUI8nZ".)
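The generated password above ("kkVUI8nZ") is what makes per-site passwords safe: each one is drawn at random from the OS entropy source rather than derived from a memorable pattern. The added example below (my own code, not LastPass's) generates a password for a hypothetical per-site policy of the kind described earlier (no symbols, length caps, mixed case required) and reports the guessing entropy of that policy; the site names and rules are constructed for illustration.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"

# Constructed per-site policies (hypothetical sites, not any real site's rules).
POLICIES = {
    "sample-8":    {"length": 8,  "symbols": False, "mixed_case": True},   # shape of "kkVUI8nZ"
    "old-utility": {"length": 8,  "symbols": False, "mixed_case": False},  # max 8, letters+digits only
    "news-site":   {"length": 16, "symbols": True,  "mixed_case": True},
}


def alphabet_for(policy):
    """Characters the site's policy permits."""
    chars = string.ascii_lowercase + string.digits
    if policy["mixed_case"]:
        chars += string.ascii_uppercase
    if policy["symbols"]:
        chars += SYMBOLS
    return chars


def generate_password(policy):
    """Draw a password uniformly from the policy alphabet using the CSPRNG in `secrets`.

    Candidates missing a required character class are re-drawn; the rejected
    fraction is tiny, so the result stays effectively uniform over valid strings.
    """
    alphabet = alphabet_for(policy)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(policy["length"]))
        if policy["mixed_case"] and not (
            any(c.islower() for c in pw) and any(c.isupper() for c in pw)
        ):
            continue
        if policy["symbols"] and not any(c in SYMBOLS for c in pw):
            continue
        return pw


def entropy_bits(policy):
    """Upper bound on guessing entropy for a uniform draw: length * log2(|alphabet|)."""
    return policy["length"] * math.log2(len(alphabet_for(policy)))


if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(f"{name:12s} {generate_password(policy)}  ~{entropy_bits(policy):.1f} bits")
```

An 8-character mixed-case alphanumeric password comes out at about 47.6 bits; a site that caps length at 8 and forbids capitals drops that to about 41.4 bits, which is why longer passwords matter more than symbol rules.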

With that in mind, here's what I did to get serious about my passwords. I'll warn you: this took a fair amount of time - easily 6+ hours in total over a couple days, and I'm not actually done (I keep thinking of more accounts to upgrade). That said, I am much happier with my overall security than I was going into the weekend, and as an added benefit I have a master list of every account I use on the Internet.

1. Set up a LastPass account. This username will be your master login for LastPass, and the password should be very secure, but one you can remember - if you lose it, you'll regret it. (It's not necessarily an "abandon all hope" moment, but it's close.)

2. Download LastPass Chrome extension. I use Chrome exclusively as my browser, and often jump from my MacBook Air to my Chromebook. LastPass has a Chrome extension that makes LastPass completely integrated with the browser, which made the next several steps much easier. (LastPass has integrations with IE, Firefox, Safari and Opera, so you should be good to go regardless of which browser you use.)

3. Install the Android app. The core LastPass service is free, but the premium service - for a whopping $1/month - means I can use their Android app to access my password vault directly from the phone. That's handy - especially with a number of mobile apps I use for banking and the like - and well worth the minimal cost.

4. Clear cookies and saved passwords, set Chrome to never remember passwords. This avoids me automatically logging into any site I visit (which is a nice forcing function to upgrade the password as I'm prompted to log in) and avoids Chrome and LastPass fighting over who gets to save the username/password when entered (I want LastPass to do so).

5. Upgrade passwords. I started a Google Spreadsheet to list all the accounts I could think of. I got to 30 pretty quickly, and after a few more minutes added another 15. But I knew there were more. I've used Gmail for all e-mail for the last six years, so I headed over to Gmail to find all the accounts hidden within. Here are some Gmail searches I used to find little-used and long-forgotten accounts, some of which had saved credit cards stored in them and other data that I'd like to protect:
  • to:me "new account"
  • to:me "new login"
  • to:me password reset
  • to:me receipt
  • to:me account confirmation
  • to:me username
There were other searches that were useful; you get the idea (and can probably think of others that'd produce additional logins). As I found a new site that had a login for me, I added it to the Google Spreadsheet. Within an hour, my account list was well over 100 logins.

Once I had the full list, I then opened a new tab and tried to log in to each site, one at a time. (I often couldn't remember which pattern derivative my password was for that particular site; if that was the case, I just clicked 'forgot password' and used that feature to reset my login.) Once in, I then chose the "change password" option, and used LastPass to generate a new, secure password. Upon confirmation of the new password being set, LastPass would ask if I'd like to save the new password in my vault - which of course I did.

6. Rinse, lather, repeat. As diligent as I was, I thought of another dozen accounts (college and law school alumni sites, couple other news sites, etc.) last night that I've added to the Google Spreadsheet and will tackle shortly. Though LastPass is now managing over 100 logins for me, I expect there are another 50-75 I have forgotten about that I will accumulate in the next month or two. (Update: since starting this blog post, I've found another 30. It never ends!)

7. Turn on Google Authenticator support in LastPass. Last year, I wrote about best practices for keeping your Google Account secure, and spent a bit of time talking about 2-step verification. The premise is simple: with 2-step verification enabled, your username and password alone do not grant you access to your account. You need something else - in this case, a code that is visible only on your mobile phone - to get access. The idea behind this is that your phone is likely to be in your possession - and only yours - so that a bad actor who might have found a way to get your username and password would still be unable to get access to your account. LastPass works with Google Authenticator, which means that you'll only be able to unlock your password vault if you physically have possession of your phone - yet another layer of security that all but guarantees that you will keep prying eyes out of your private info.

As I got to accounts that I hadn't used in years, I thought hard about deleting the account - and in several cases did just that. If I kept the account, obviously it's ideal to upgrade the password to something more secure than my previous password. But removing the account altogether was an even more secure alternative - and I'll remember those services that make removing accounts easy for when I need a service like that again. Services that don't make it easy to delete your account shouldn't expect to see me ever again.

One final LastPass feature that I adore: sharing. Not all passwords that are in my name/e-mail address are mine alone. Our utilities, for instance, all have the ability to log in and review past invoices, pay bills, etc. but they require a single username/password to manage. Rather than make my wife remember one of these LastPass-generated passwords or rely on an insecure, memorable password, LastPass allows me to share a password with her through LastPass. This is no less secure, but far more convenient - and if we ever need to update the password, LastPass will manage the updates and ensure that we both have the current version.

Thanks to the many people who responded on Google+ and Twitter - I'm really happy with the outcome and only annoyed that I didn't do this years ago!


  1. While this sounds like a lot of work, it is something that everyone should do... including myself. I am one of those holdout people that just wants to keep on remembering passwords. What makes it work is that working on the IT side of things, my passwords multiply and expire constantly. I have my methods, but if I had only the external ones to remember, I think this service would be one I would use.

  2. If anything could make me feel paranoid enough about my password security to take some intensive steps, it's this article. LastPass seems like a pretty good solution, and the free download is definitely a plus.



  3. @rklau, thanks for a great article. I just spent 60 hours over the last few weeks getting all of my many years of site, contact, and other information into LastPass. It has been arduous to say the least, but well worth it as well. This is just a first pass and I daresay I probably have another 60 hours to get everything organized exactly like I want, but this is a good first start. LastPass really is a lifesaver and the support staff are just awesome with lots of great support on the forums too. Finally, I just took my latest LastPass Security Challenge and have improved my rankings dramatically. I just cannot say enough good things about LastPass which is my go to app for everything. Again, thanks for a great article.

  4. I'm liking LastPass too. It's a great help for me, especially when I have to access both my personal and business accounts.