
A Much Needed Online Security Review

For a long time now I've been planning a review of my online security. The approach I had, which was once an adequate solution to my needs, is now fundamentally flawed and open to abuse.

The Old Approach

The old approach was simple in principle but overly complicated in practice and hard to manage. It involved an assortment of email addresses and a set of three passwords of increasing strength.

Site | Email Address/login | Password
-----|---------------------|---------
Online Banking, PayPal etc | Something @ a domain I own | Strongest
IBM.com, Adobe.com, Twitter etc | jakehowlett@ a free email domain | Medium
Sites I have little interest in but have no choice but to register for | A free email address I have access to but never check | Lowest

Although I rarely remembered exactly which combination worked on which site, it never took much guessing to gain access. As time went on, though, I found myself in situations where the medium-strength password was being used on sites like Amazon.co.uk, which remembers my credit card details for me. So I found myself changing the payment-linked sites to use the strong password, as well as sites like LinkedIn.com and Twitter.com which I considered "important".

Before long my strongest password was being used all over the place. Anybody who could find it out for one site could access them all (as well as my email accounts). This made me uneasy, especially as the password I call my "strong" one would be rated medium by most password generators.

Another downside to this approach is that I've ended up with so many email accounts I now rely on. The idea was that I'd give out addresses like the @Yahoo one so that, should they fall victim to excessive spam, I could move elsewhere. Nice idea, but once you've given out that Yahoo address to dozens of sites, letting it go isn't quite so simple.

The New Approach

Now that email to codestore.net, rockalldesign.com and jakehowlett.com is all sent to Gmail I no longer need to worry about spam, as it does such a good job of handling it. It's time to let go of the free email accounts for everything but testing email during development and for sites I don't trust.

As for passwords, the new approach hinges on the fact that most of my online activity takes place from one PC (my laptop). It's very, very rare that I log in to the likes of Amazon, eBay or whatever from anywhere but my laptop. With this in mind I realised I don't need to use the same password everywhere but can use software like 1Password to generate and store ultra-strong passwords.

So, I've started changing passwords on all sites, starting with those that I consider important and/or those that have my card details stored. These new passwords are generated using 1Password and look like the following:

rv2s7sdlgNorN, 9uJWLg53!/-/J, o53k/=b>w2Maj (these aren't my actual passwords ;-)

Each site I am a member of has a different password. The fact I have no hope of remembering them doesn't matter, as 1Password does that for me. The only passwords I need to remember are the master password to get into 1Password's vault and the passwords for the email accounts registered with each service.

If ever I really, really had to login to one of these sites from outside the house then all I need is access to my email inbox so I can use the "Forgot Password" reminder process to gain access.

It's going to be a long, drawn-out process reviewing every site I've ever registered with. By the end of 2011 I hope to no longer be using my free email accounts day-to-day. If by the end of next year I've not had an email from, or cause to log in to, a website then I'll consider it no longer necessary. By then I will no longer be using the old "strong" password.

I know what you're thinking. What if my laptop gets stolen? Well, the passwords are encrypted and the master password is what I'd consider unguessable by anything but a sustained attack. But what about losing my passwords? Well, 1Password does a daily backup to my NAS server, so that's covered.
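As an added illustration (not code from the post or from 1Password), here is a small Python script that generates per-site passwords in the style shown above from the operating system's random source and puts a number on the strength claims: a 13-character password over letters, digits and punctuation versus the 13-letter phrase-initials scheme discussed in the comments. The alphabet is an assumption chosen to match the sample passwords.

```python
import math
import secrets
import string

# Assumed alphabet, chosen to match the look of the sample passwords
# in the post (letters, digits, a few punctuation characters): 68 symbols.
ALPHABET = string.ascii_letters + string.digits + "!/-=<>"


def generate_password(length: int = 13, alphabet: str = ALPHABET) -> str:
    """Draw each position independently and uniformly from `alphabet`
    using the OS CSPRNG (the secrets module), as a password manager does."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def compare_schemes(length: int = 13) -> dict:
    """Entropy of the two 13-character schemes the page discusses, assuming
    the attacker knows which scheme is used but not the secret itself."""
    return {
        # 1Password-style output: every position uniform over the full alphabet.
        "random_mixed": entropy_bits(length, len(ALPHABET)),
        # Phrase-initials scheme from the comments, best case: each initial
        # treated as uniform over a-z. Initials of English words are far from
        # uniform, so the real figure is lower; this is only an upper bound.
        # Swapping e->3, i->1 etc. adds at most one bit per swappable letter
        # (swapped or not) once the substitution rules are known.
        "phrase_initials_upper_bound": entropy_bits(length, 26),
    }


if __name__ == "__main__":
    # Constructed site names, one fresh password each, as the post describes.
    for site in ("Amazon.co.uk", "PayPal", "LinkedIn.com"):
        print(f"{site:14s} {generate_password()}")
    for scheme, bits in compare_schemes().items():
        print(f"{scheme:28s} {bits:6.1f} bits")
```

The gap of roughly 18 bits between the two schemes means the random password has about 250,000 times as many possibilities, before accounting for the non-uniformity of real phrases.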

I'd be interested to hear what your approach is and whether you think the approach above is in any way flawed.

The quest for a simple life online continues...

Comments

  1. I was thinking about this same issue, after reading about this attack: http://lifehacker.com/5712785/

    My current approach is exactly the same as your now old one and I'm going to start changing my passwords too. As I was starting to search for new (and better) ideas for password management, your post appeared on my google reader with a possible solution. I like when these things happen. :)

    Thanks for sharing.

      Jake Howlett, Mon 13 Dec 2010 09:33 AM

      It's a funny old world.

    Dragon Cotterill, Mon 13 Dec 2010 10:13 AM

    It may be because I work in the security world, but I am pretty anal when it comes to this sort of stuff.

    I have 26 separate passwords. Each one starts with a separate letter of the alphabet. Each is 8 to 10 characters in length and comprises "random" letters.

    I say "random" because they are actually a phrase. For example if I registered on a website that started with the letter 'E' (Expedia? EBookers? EBay?) I could use "egtmcnqgthohn". This phrase could stand for something completely esoteric such as "Egbert Gulliver Throgbottle MacFarquarson could never quite get the hang of his name". (It's not my real 'e' password, but you get the idea).

    Throw in the odd shifted letter and a swap for numbers (e->3,i->1 etc.) and it seems pretty random.

    Unless you happen to be me, and understand what the mnemonics are.

    And these are just my general usage passwords. My VISA and MasterCard ones are even more obscure.

    Told you I was pretty anal about these things.

      Jake Howlett, Mon 13 Dec 2010 10:15 AM

      And you remember all of these in your head?


    1. It is often advised that you should replace certain letters in your passwords with numbers or special characters like 3 for e etc.

      If I would be a cracker I would program my brute force tool to search especially for these combinations, would I not?


  2. I used to work for a now out of business electronics retailer, back when corporate email was on home grown mainframe software. Passwords were randomly generated for us and were "strong". Fortunately, they were only 6 characters but they were usually along the lines of xw62pq. To remember these, I made up short phrases which only were needed for the first dozen logins and then I had it down. Like with above, "x-wing 62 pretty quaint" would do the trick.

    So rv2s7sdlgNorN might go something like "right, very 2 saturday 7 sit down log Nordic North"

    It doesn't make any sense but you can maybe see that repeating it in your mind a few times makes it very memorable.

    I say this because it's the approach I try to use without the aid of something like 1Password (thanks, btw, for informing on its existence) so that I can (because I have to) log in from any one of 5 or 6 machines to various sensitive accounts.

    1. May Alzheimer's disease never hit you...

      Joking aside, I fear the day my memory will let me down as I too rely way too much on it.

    Doug, Mon 13 Dec 2010 05:32 PM

    I have a password structure that allows me to have unique passwords for each site but make them easy to remember. Each pw contains some characters that are the same at all sites and other parts that relate to the site and, thus, easy to remember.

    I prefer this to using a pw manager; if I'm ever someplace and don't have the pw manager, I'm pretty much screwed.

    Thomas, Tue 14 Dec 2010 02:21 AM

    I'm also using 1password. Did you know that you can put the (hopefully securely encrypted) password file on dropbox and sync it between computers, iPhones and iPads? Works like a charm for me.

      Matt, Tue 14 Dec 2010 02:54 AM

      I'm using KeePass (OpenSource) in conjunction with my DropBox.

      And because there's an Android App for both (KeePass and DropBox) I have all my passwords with me all the time.

      And yes, DropBox securely encrypts all files transferred (SSL) and stored (AES-256) in your DropBox.

      Jake Howlett, Tue 14 Dec 2010 07:46 AM

      Hmm. Call me paranoid but I'd be wary of putting it out there in the cloud. I feel much safer knowing it only exists on my hard drive and my NAS server.

      Perhaps if I thought I might need it while out and about I'd think otherwise. The chances of needing it at a time when I don't have my laptop with me is slim-to-none.

      There's also an iPad app for 1Password, so I could always carry that around with me.


        Matt, Tue 14 Dec 2010 09:25 AM

        I know what you mean Jake.

        But as long as the password db file:

        - can be named whatever I want (eg. temp.txt)

        - cannot be identified as a password db file (no header data)

        - is at least 128bit encrypted

        then I can live with that and with the data stored in the cloud. Of course not on every server, but in Amazon (Dropbox) I trust.

        The cloud is fire and water resistant, my external hard drive (or NAS server) is not... I believe.

          Jake Howlett, Tue 14 Dec 2010 09:31 AM

          Which makes me wonder whether the 1Password file (and backup file) formats are encrypted by default? I'd guess/hope so.

          Hang on I'll have a look...

          here's their FAQ on it -

          http://help.agile.ws/1Password3/security.html

          turns out the file uses 128-bit AES encryption.

          So, I guess, as long as they can't crack your master password it's safe to keep the backup anywhere.

          I'll relent and add it to dropbox as a backup. Like you say fire and water won't affect the cloud.

            Jake Howlett, Wed 15 Dec 2010 03:14 AM

            Call me a complete turncoat but my 1Password config now points to a password file *directly* in my Dropbox folder!

    Tim, Tue 14 Dec 2010 06:45 AM

    1Password with a Dropbox sync.... works like a charm.

    Before that, I used to keep them in a list in Google Docs. So I could access them from any computer I wanted.

  3. I use LastPass. They offer extensions for most of the real browsers and if you go premium you can use it on smart phones.

About This Page

Written by Jake Howlett on Mon 13 Dec 2010
