The Problem
Remember the days when you had 100 or more phone numbers memorized? All your family, friends, work colleagues, etc.? My brain was able to save and recall this hoard of information due to constant usage and repetition (i.e. effort). When cell phones became our primary phone and we trusted the contact list technology, we no longer had to remember all these numbers. It was so liberating not having to remember all that stuff anymore; technology is awesome!
With the invention of the internet and mobile devices, password memorization and management became a “thing”. Each app/website wants you to have a profile to use their site. As websites and apps exploded, so did our digital life: the number of different user accounts we needed to manage. The number of credentials we had to memorize became too much, and so we all invented schemes to help us mentally manage this information.
Password entropy has always been fascinating to me. Over the years, interesting research and mining has been done against the huge caches of information exposed by large data leaks. What it has shown us is that the more credentials we need to remember, and the more complexity is required of them, the more people reuse passwords and/or password “schemes” built from common words and guessable patterns. I recently read a cool article on the subject. I have talked to many people who feel their scheme is safe; I did too, until I sat down and thought about it more…
Back in my college days I worked with a graduate student teacher on a research project on software plagiarism. I wrote software that analyzed the programs submitted by students which abstracted words, variable assignments, program flows and other things into patterns. We then analyzed the results statistically resulting in the probability that students “collaborated” or “borrowed” other people’s work. The teacher already knew the results, but I was blown away by the amount of EXACTNESS of everyone’s work when abstracted into patterns.
Back to the password entropy topic: all these years later, these pattern recognition techniques have integrated decades of research into their libraries, and these sophisticated tools are routinely used in data mining and password cracking. Fresh personal data and credential caches are routinely delivered to the dark web through hacking campaigns that you hear (and don’t hear) about on the daily news. Given that there is significant money in bringing fresh identities to the black market, and that corporations cannot appropriately manage their technological footprint, these hacks will continue and likely increase.
What this means to you is that if you use the same password across sites, you’re a sitting duck; it’s just a matter of time (likely very shortly, if not already) before your identity is sold and used against your will. If you use different passwords between sites but have a pattern, it’s likely that pattern can be guessed (as people use non-unique patterns), especially if your credentials from many sites are analyzed together with big-data techniques and AI tools. Remember, today’s computers are fast; per the article mentioned above, brute force algorithms can try 300,000 passwords a second on a desktop computer. As all the low-hanging fruit is consumed (passwords that are the same across sites), work will start to focus on mining the not-so-low-hanging identities to continue the delivery of fresh identities to market and meet the increasing demand of criminals. This includes credentials that use patterns.
I think we all understand that using the same credentials between sites is a terrible idea (although 25% of us still do it). Using patterns in credentials is more secure but can be guessed, so it is not much safer. Experts all agree that password length is the single most important safety measure you can take. Not using patterns is also increasingly important.
The Plan
I’ve been on a quest to make managing my digital life easier. To help make hacks less impactful and stressful, I have rethought how I manage my credentials across my digital life and started the implementation, from scratch, of my new plan using the techniques that experts preach. I thought I’d share my plan as it has turned out to be liberating, much like how phone number management evolved at the end of the last century.
To come up with a new plan I had to accept a couple of important facts:
- Sites will continue to be hacked and my personal information will continue to be shared on the dark web. The only control I have to prevent this is to not use apps/websites, which isn’t the digital life I want.
- Hackers are big-data focused and utilize all the research and sophisticated tools at their disposal. They don’t target me personally; I’m just a single data element amongst the millions they are mining. They script everything, and there is likely a delay between discovering my credentials, bringing them to market, selling them and someone eventually using them with bad intent. I need to react faster than this delay.
- There are enough people with worse digital-life management who are easy targets; hackers don’t need to harvest too high in the tree as there is ample low-hanging fruit! My goal is to be a fruit somewhere at the top of the tree.
Here is my new password management scheme.
- Passwords I must remember should be kept to a minimum and need to be as long as possible.
- Every set of credentials must be unique. Given that I use the same set of usernames, that means passwords cannot be the same and should not contain any patterns, i.e. they should be random.
- To prevent brute force compromise of my credentials, I need to use the longest and most complicated password each app allows.
- I use 2-factor authentication (2-factor means #1 I know something–i.e. username/password and #2 I have something–i.e. a cell phone) on all sites that contain sensitive personal information, for example financial or combinations of personal information.
The Implementation
So how did I implement this? The key is a password manager tool that can remember all these complicated passwords for me, much like the cell phone contact list manages all my phone numbers. The change in my routine habits required me to simply use the “bookmarks” in my password manager instead of the browser. The end result is one extra step. I use 2-factor authentication for all sites that contain sensitive personal information, such as combinations of my personal data that can be used to steal my identity (address, name, email, phone, birthday, tax id, etc.). After working with this new workflow for a while, I also added a browser-based password auto-fill feature to remove the extra step for sites that I feel do not pose a large risk to my identity if the data they hold is compromised. I do need to keep both password vaults in sync, but the tools have made that simple.
Getting started was easy. I created a prioritized list of the apps I use whose passwords I needed to update. The highest priority sites were my cell phone (since this is a critical part of the plan for 2-factor authentication, this needed to be VERY secure) and my financial and health providers. Next were social media platforms and shopping sites. I utilized the browser’s password management database since it has been remembering my passwords for sites for years. As part of this process, I deleted (when I could) my accounts with sites that I no longer used, which reduces my exposure.
Given I am relying on a single tool to manage all this critical information, I thought I’d share some important considerations I used and features I needed when choosing a password management tool.
- Secure company. I prefer a heavily funded company that does only password management, that is their single focus and thus all their resources are focused on my security. If they are breached they lose consumer trust and they go out of business–I feel this provides sufficient incentive for that company to ensure my security.
- Long passwords. The tool allows a really long passphrase that I can remember (some apps allow a maximum of 8-12 character passwords, which is not long enough).
- Auto generate password tool. This is helpful when adding or changing a password. I really like the ability to change the length and/or complexity and have it create the password; many sites only allow a few “special characters”, for example. I prefer the “copy to clipboard” feature so that most of the time I don’t have to see or type the complicated password; I just copy from the password vault and then paste into the app.
- Launch website. Allows you to launch the website from their app and pre-populates the credentials, much like what you may already be familiar with in browsers.
- Dark web surveillance. I like this feature because if there is a compromise to a website I use I will be informed…that saves me a bunch of time reading security blogs and trying to figure out when a site I use has been compromised and I need to take action. Remember, since hackers are big-data minded, the chance of my credentials or information being used right away is small so the quicker I can resolve the issue the less risk to my identity.
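An added example (not the author’s tool and not any password manager’s code) that puts the plan’s “longest, most complicated password each app allows” rule and the generator feature above into working code: it draws passwords uniformly from only the characters a site accepts, and estimates the time to exhaust that keyspace at the post’s figure of 300,000 guesses per second. The allowed special characters and the lengths compared are assumed values.

```python
import math
import secrets
import string

# Constructed example: a site-constrained random password generator plus a
# worst-case brute-force estimate at the rate quoted in the post.
GUESSES_PER_SECOND = 300_000  # desktop brute-force rate quoted in the post
SECONDS_PER_YEAR = 365 * 24 * 3600


def build_alphabet(allowed_specials="!@#$%^&*"):
    """Letters and digits plus only the special characters the site accepts (assumed set)."""
    return string.ascii_letters + string.digits + allowed_specials


def generate_password(length=20, allowed_specials="!@#$%^&*"):
    """Draw each position independently with the OS CSPRNG, so there is no pattern to guess."""
    if length < 1:
        raise ValueError("length must be positive")
    alphabet = build_alphabet(allowed_specials)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Time to try every password of this length at the given guess rate."""
    return alphabet_size ** length / rate


def compare_lengths(alphabet_size, lengths=(8, 12, 16, 20)):
    """Rows of (length, entropy bits, years to exhaust) showing why length dominates."""
    return [
        (n, round(entropy_bits(n, alphabet_size), 1),
         seconds_to_exhaust(n, alphabet_size) / SECONDS_PER_YEAR)
        for n in lengths
    ]


if __name__ == "__main__":
    print("generated:", generate_password(20))
    for n, bits, years in compare_lengths(len(build_alphabet())):
        print(f"length {n:>2}: {bits:6.1f} bits, {years:.3g} years at {GUESSES_PER_SECOND:,}/s")
```

Restricting the alphabet to a site’s allowed characters barely changes the estimate; doubling the length changes it by many orders of magnitude, which is the point of the plan.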
The Outcome
What I’ve discovered is the same liberation from credential memorization as I felt with phone numbers. I remember a small handful of passwords and let secured technology manage the rest. When my information gets hacked or compromised (which I argue is guaranteed to happen periodically), I am notified via dark web monitoring and I take care of that one issue as soon as I hear about the breach to minimize the risk of anything bad happening. When I’m compromised I don’t worry about other sites being at risk, because my passwords are random and not reused! I’m now proactively mitigating risk and alerted to issues, so my reaction is easy and effective.
If you would like to see where your identity has been compromised, I recommend using a dark web monitor; a great place to start is this quick and free service: https://haveibeenpwned.com/
I’d be curious to know what you are doing to minimize the impact of compromised websites on your digital life.