The recent news around the leaking of 6+ million LinkedIn passwords (albeit in an 'encrypted' form) and the follow-on phishing attacks were really just a matter of course. But it was a question posed by my colleague Anthony at work that really got me thinking. The question was: "Of all the people who are changing their LinkedIn passwords, how many use the same password for their email access? And what percentage of them will change their email password as well as their LinkedIn password?"
This question got me thinking: I had been advising people to change their LinkedIn passwords, but I had assumed (I know, don't say it) that they had a (truly) unique password per account, so that the loss of one password would have zero effect on their other accounts.
That got me thinking about good password practice, and I thought I would offer up my own practices as a model for others (yes, apparently I am perfect).
When I was a youth I had three possible passwords I would use on any website that requested a password. They were all fairly good: reasonably long, made up of multiple words and numbers (though no punctuation). At the time I felt pretty good and superior about my advanced use of passwords, but the more time I spent in the security community the less secure I felt about my password practice.
As far as I am concerned there are two options for password security - good enough and paranoid.
First, a definition. A unique password has to be completely different from your other passwords. Using Linkpwd123 for your LinkedIn account and Gmailpwd123 for your Gmail account is not an example of using unique passwords...
Good Enough password management
With good enough password management you need to divide your accounts into two groups: important/sensitive accounts and other accounts. Important/sensitive accounts are those you don't want compromised, like bank accounts and your email account (remember, if I control your email account I can issue a password reset for any of your online accounts and take control of them). These accounts should all have unique (see above) passwords associated with them, and you should change them at least as often as you change your clocks for daylight saving. It goes without saying that this password should be complex; I recommend a passphrase like a line from a book, play, movie or something else that makes it long and relatively complex. Something like "The zipcode of my first house was 05553!"
For the other accounts (like your ESPN account) it is OK if you share a password. Losing control of those might be an annoyance, but if I was an attacker and I got a list of the usernames (which are often email addresses) and passwords for that type of site, I would sell the email addresses to a spammer, but only after I tried to log in to your email account using the password I had recovered for your account.
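The definition of "unique" above and the two-group rule can be turned into a small audit you run over your own inventory of accounts. The following is an added example for this page, not code from the original post. The thresholds are assumptions: a shared run of four or more characters counts as "not unique" (so Linkpwd123 and Gmailpwd123 fail), 183 days approximates "as often as you change your clocks", and 16 characters is a floor for a sensitive-account passphrase. The account list is constructed sample data.

```python
"""Audit a personal password inventory against the 'good enough' policy.

Added example; not part of the original post. Rules (assumptions drawn from the post):
  - a sensitive account's password must not equal, or be a near-copy of, any other
    account's password;
  - a sensitive password must have been changed within MAX_AGE_DAYS (twice a year);
  - a sensitive password should be a long passphrase (MIN_LEN is an assumption).
Non-sensitive accounts are allowed to share a password, so they are not reported.
"""
from datetime import date

MIN_SHARED = 4      # assumption: 4+ shared consecutive characters means "not unique"
MAX_AGE_DAYS = 183  # roughly the gap between daylight-saving clock changes
MIN_LEN = 16        # assumption: minimum length for a sensitive-account passphrase


def longest_common_substring(a, b):
    """Length of the longest run of characters shared by a and b (case-insensitive)."""
    a, b = a.lower(), b.lower()
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def is_unique(password, others):
    """True only if password is neither equal to nor a near-copy of any password in others."""
    return all(password != o and longest_common_substring(password, o) < MIN_SHARED
               for o in others)


def audit(accounts, today):
    """Return (account name, problem) tuples for every policy violation.

    accounts: list of dicts with keys name, password, sensitive (bool), changed (date).
    """
    problems = []
    for acct in accounts:
        if not acct["sensitive"]:
            continue  # shared passwords are tolerated for the 'other' group
        others = [a["password"] for a in accounts if a is not acct]
        if not is_unique(acct["password"], others):
            problems.append((acct["name"], "password shared with or similar to another account"))
        if (today - acct["changed"]).days > MAX_AGE_DAYS:
            problems.append((acct["name"], "password older than %d days" % MAX_AGE_DAYS))
        if len(acct["password"]) < MIN_LEN:
            problems.append((acct["name"], "password shorter than %d characters" % MIN_LEN))
    return problems


# Constructed sample inventory (not real credentials), mirroring the post's examples.
SAMPLE_ACCOUNTS = [
    {"name": "gmail", "password": "Gmailpwd123", "sensitive": True, "changed": date(2012, 1, 10)},
    {"name": "linkedin", "password": "Linkpwd123", "sensitive": False, "changed": date(2012, 6, 7)},
    {"name": "bank", "password": "The zipcode of my first house was 05553!", "sensitive": True,
     "changed": date(2012, 4, 1)},
    {"name": "espn", "password": "Linkpwd123", "sensitive": False, "changed": date(2011, 3, 3)},
]

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_ACCOUNTS, date(2012, 6, 12)):
        print("%-10s %s" % (name, problem))
```

Running it on the sample data reports only the gmail account: its password is a near-copy of the LinkedIn/ESPN one and is too short, while the bank passphrase passes all three checks and the non-sensitive accounts are ignored even though they share a password.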
Paranoid password management
Paranoid is harder. I recommend a unique complex password for everything, which you change at least twice a year. Now we are getting beyond the realm of what is feasible for a human to remember. For example, I have 287 different online accounts for various services, etc., and remembering 287 unique complex passwords is a challenge. I am the first to admit that I don't; I use a password manager to do the job for me.
This password manager is not a file called passwords.txt or .xls but a commercial program that keeps the passwords encrypted until I authenticate to it. Here we have the trade-off I have made: if you can access the encrypted file you are one password away from getting every account. The passphrase to unlock it is long (I'm too paranoid to give away the length of that passphrase, but it takes about 10 seconds to type in), but the result is that I can have very complex, impossible-to-remember passwords for all my accounts and don't have to remember any of them.
Good password management, like good security, is a compromise between a level of security and a level of usability: when you increase the security you typically decrease the usability of the solution. I'm really happy with the ability of my passwords to survive a brute force attempt. And if a password for any given account is compromised, it has zero impact on my other accounts.
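To put a number on "survive a brute force attempt", here is an added example (not from the original post) that estimates the exhaustive search space for a password from the character classes it uses and converts it to a worst-case time at an assumed guess rate. The guess rate is an assumption (offline cracking of a leaked hash list can reach billions per second; an online login form allows far fewer), and the model is a ceiling: a password built from dictionary words falls to a wordlist long before the full space is searched. Only ASCII classes are modelled.

```python
"""Naive brute-force search-space estimate for a password.

Added example, not code from the original post. Models exhaustive search over the
union of character classes the password uses (an upper bound; wordlist and rule-based
attacks are faster against word-based passwords).
"""
import string

# Character classes and their sizes; a password's alphabet is the union of the classes it uses.
CLASSES = [
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation), 32),
    (frozenset(" "), 1),
]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password):
    """Size of the alphabet an exhaustive search would have to cover (ASCII classes only)."""
    chars = set(password)
    return sum(size for members, size in CLASSES if chars & members)


def search_space(password):
    """Number of candidates in an exhaustive search of the password's alphabet and length."""
    return alphabet_size(password) ** len(password)


def years_to_exhaust(password, guesses_per_second):
    """Worst-case time to try every candidate, in years (the average is half of this)."""
    return search_space(password) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    RATE = 1e9  # assumed offline guess rate against a leaked, fast-hashed list
    for pw in ("Linkpwd123", "The zipcode of my first house was 05553!"):
        print("%-42s alphabet=%3d space=%.2e years=%.2e"
              % (repr(pw), alphabet_size(pw), search_space(pw), years_to_exhaust(pw, RATE)))
```

At a billion guesses per second the ten-character mixed-case-plus-digits password is exhausted in decades, while the 40-character passphrase from the "good enough" section is astronomically out of reach under this model; the length term dominates the alphabet term, which is the argument for sentences over short "complex" strings.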
How do you manage your passwords? If you have an interesting technique I would love to hear it...
Alex Horan, Senior Product Manager