The Problem
Remember the days when you had 100 or more phone numbers memorized? All your family, friends, work colleagues, etc.? My brain was able to save and recall this hoard of information through constant usage and repetition (i.e. effort). When cell phones became our primary phone and we came to trust the contact list, we no longer had to remember all those numbers. It was so liberating not having to remember all that stuff anymore; technology is awesome!
With the invention of the internet and mobile devices, password memorization and management became a “thing”. Each app and website wants you to have a profile to use it. As websites and apps exploded, so did our digital life: the number of different user accounts we needed to manage. The number of credentials we had to memorize became too much, and so we all invented schemes to help us mentally manage this information. With modern computing power and AI-based tools at their disposal, hackers are getting innovative at crunching the massive hoards of breached data, discovering your secrets and using them to harm and steal.
I have created a digital-life strategy such that I have to remember only a few passwords, and I have limited the blast radius of any given breach to the breached entity. I understand that data breaches are out of my control and will continue to occur until corporations take responsibility for safeguarding the data we’ve entrusted to them (which will be a while) or I choose not to have a digital life! My strategy requires that I monitor data breaches and that I limit the loss of my secrets to just the compromised company. Some features of the strategy: I have to remember only a few passwords, I know what digital services I am enrolled in, my next of kin will get access to this secrets wallet when that time comes, and in the event of a data breach the remedy is quick and easy.
Why passwords and schemes to remember them are a losing battle
Password entropy has always been fascinating to me. Over the years, interesting research and mining has been done against the huge caches of credentials from large data leaks. What it has shown us is that the more credentials we need to remember, and the more complexity is required of them, the more people reuse passwords and/or password “schemes” built on common words and guessable patterns. I recently read a cool article on the subject. I have talked to many people who feel their scheme is safe; I did too, until I sat down and thought about it more…
Back in my college days I worked with a graduate student teacher on a research project on software plagiarism. I wrote software that analyzed the programs submitted by students and abstracted words, variable assignments, program flows and other things into patterns. We then analyzed the results statistically, arriving at the probability that students had “collaborated” or “borrowed” other people’s work. The teacher already knew the results, but I was blown away by how EXACTLY everyone’s work matched once it was abstracted into patterns.
Back to the password entropy topic: all these years later, these pattern recognition techniques have integrated decades of research into their libraries, and these sophisticated tools are routinely used in data mining and password cracking. Fresh personal data and credential caches are routinely delivered to the dark web through the hacking campaigns that you hear (and don’t hear) about in the daily news. Given that there is significant money in bringing fresh identities to the black market, and that corporations cannot appropriately manage their technological footprint, these hacks will continue and likely increase.
What this means to you is that if you use the same password across sites, you’re a sitting duck; it’s just a matter of time (likely very shortly, if not already) before your identity is sold and used against your will. If you use different passwords between sites but follow a pattern, it’s likely that pattern can be guessed (as people use non-unique patterns), especially if your credentials from many sites are analyzed together with big-data techniques and AI tools. Remember, today’s computers are fast; per the article mentioned above, brute force algorithms can try 300,000 passwords a second on a desktop computer. As all the low-hanging fruit is consumed (passwords that are the same across sites), the work will shift to mining the not-so-low-hanging identities to keep delivering fresh identities to market and meet the increasing demand from criminals. This includes credentials that use patterns.
I think we all understand that using the same credentials between sites is a terrible idea (although 25% of us still do it). Using patterns in credentials is more secure, but patterns can be guessed, so it is not much safer. Experts all agree that password length is the single most important safety measure you can take. Not using patterns is also increasingly important.
My Strategy
I’ve been on a quest to make managing my digital life easier. To make hacks less impactful and stressful, I have rethought how I manage my credentials across my digital life and started implementing my new plan, from scratch, using the techniques that experts preach. I thought I’d share my plan as it has turned out to be liberating, much like not having to remember phone numbers anymore.
To come up with a new plan I had to accept some important facts:
- Sites will continue to be hacked and my personal information will continue to be shared on the dark web. The only control I have to prevent this is to not use apps/websites, which isn’t the digital life I want.
- Hackers are big-data focused and draw on decades of research and sophisticated tools and techniques. They don’t target me personally; I’m just a single data element amongst the millions they are mining.
- There is a delay between my credentials being compromised and harvested, brought to market, sold, and eventually used by someone with bad intent. I need to react faster than this delay.
Here is my new password management strategy.
- Passwords I must remember should be kept to a minimum and need to be as long as possible. Phrases are often easier to remember and provide more length.
- Every set of credentials must be unique. Given that I often use the same usernames, that means passwords cannot be the same and should not contain any patterns, i.e. they must be random.
- Passwords I don’t remember should be long enough to prevent brute force compromise of my credentials and have as much complexity as the account will allow.
- I use 2-factor authentication (2-factor means #1 I know something, i.e. a username/password, and #2 I have something, i.e. a cell phone) on all sites that contain extra-sensitive personal information, for example financial accounts or combinations of personal information.
- I need to monitor data breaches, and when I discover my data has been compromised I need to figure out where and change that password. If I can’t figure out where the breach occurred, that shouldn’t be a big issue, as I do have some faith that most corporations will let me know or will pause my account activity until I change my credentials.
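To put numbers on the “length beats patterns” argument behind these rules, here is an added Python example (not code from the original post) that computes entropy and worst-case crack time at the 300,000 guesses per second cited earlier, contrasts a scheme-based password whose fixed part is already known with a random one, and generates random passwords limited to whatever characters a site allows. The word list and the scheme variant counts are constructed assumptions.

```python
import math
import secrets
import string

# Desktop brute-force rate quoted in the post (guesses per second).
GUESSES_PER_SECOND = 300_000

# Constructed stand-in word list; a real passphrase should draw from a list of
# several thousand words, which gives many more bits per word than this.
WORDS = ["orbit", "cactus", "velvet", "lantern", "puzzle", "harbor", "meadow", "quartz"]

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def scheme_bits(variant_counts) -> float:
    """Effective entropy of a 'scheme' password once its fixed part is known
    from an earlier breach: only the variable parts remain to be guessed."""
    return sum(math.log2(n) for n in variant_counts)

def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2.0 ** bits / rate

def generate_password(length: int, alphabet: str) -> str:
    """Uniformly random password from the characters a site accepts (CSPRNG)."""
    if length < 1 or not alphabet:
        raise ValueError("length and alphabet must be non-empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def generate_passphrase(words, count: int, sep: str = "-") -> str:
    """Random passphrase: count words chosen independently from the list."""
    return sep.join(secrets.choice(words) for _ in range(count))

def compare() -> dict:
    """Bits and worst-case seconds for three cases discussed in the post."""
    site_alphabet = string.ascii_letters + string.digits + "!@#"  # 65 symbols
    cases = {
        "8 chars, full alphabet": entropy_bits(len(site_alphabet), 8),
        "20 chars, full alphabet": entropy_bits(len(site_alphabet), 20),
        # Scheme 'base + 2-digit year + site tag': 100 years x 10 tag styles.
        "known scheme, variable parts only": scheme_bits([100, 10]),
    }
    return {k: (round(b, 1), seconds_to_exhaust(b)) for k, b in cases.items()}

if __name__ == "__main__":
    for name, (bits, secs) in compare().items():
        print(f"{name}: {bits} bits, {secs / 31_557_600:.3g} years worst case")
    print(generate_password(20, string.ascii_letters + string.digits + "!@#"))
    print(generate_passphrase(WORDS, 5))
```

The scheme case is the point: once one breach reveals the fixed part, the remaining variation is exhausted in a fraction of a second, while the random 20-character password stays out of reach at the same guess rate.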
The Implementation
So how did I implement this?
- The foundation is a password manager tool that can create, remember and manage all these complicated passwords for me, much like the cell phone contact list manages all my phone numbers.
- I set up monitoring of the dark web and data breaches.
- Consistency in my routine is critical to make this as mindless as possible.
- I realized that my 2nd factor of authentication is usually a text message to my cell phone. I needed to ensure that account was secured as tightly as possible so someone couldn’t transfer the number to another phone.
- I went through my whole digital life, added each account to the password manager software and changed its password at the same time.
- I put the credentials and recovery information for my password manager in a physically safe place in case that very important secret is forgotten.
Getting started was easy. I created a prioritized list of apps I use whose passwords I needed to update. The highest priority sites were my cell phone account (since this is a critical part of the plan for 2-factor authentication, it needed to be VERY secure) and my financial and health providers. Next were social media platforms and shopping sites. I used the browser’s password management database as my inventory of sites, since it has been remembering my passwords for years. As part of this process, I deleted (when I could) my accounts with sites that I no longer use, which reduces my exposure.
Given I am relying on a single tool to manage all this critical information, I thought I’d share some important considerations I used and features I needed when choosing a password management tool.
- Secure company. I prefer a heavily funded company that does only password management; that is their single focus, and thus all their resources are focused on my security. If they are breached they lose consumer trust and go out of business, so I feel this provides sufficient incentive for that company to ensure my security.
- Long passwords. The tool allows a really long passphrase that I can remember (some apps allow a maximum of 8-12 characters, which is not long enough).
- Auto-generate password tool. This is helpful when adding or changing a password. I really like the ability to set the length and/or complexity and have it create the password; many sites only allow a few “special characters”, for example. I prefer the “copy to clipboard” feature so that most of the time I don’t have to see or type the complicated password; I just copy it from the password vault and paste it into the app.
- Launch website. Allows you to launch the website from their app and pre-populates the credentials, much like what you may already be familiar with in browsers.
- Dark web surveillance. I like this feature because if a website I use is compromised I will be informed. That saves me a bunch of time reading security blogs and trying to figure out when a site I use has been compromised and I need to take action. Remember, since hackers are big-data minded, the chance of my credentials or information being used right away is small, so the quicker I resolve the issue the less risk to my identity.
The Outcome
What I’ve discovered is the same liberation from credential memorization as I had with phone numbers. I remember a small handful of passwords and let secured technology manage the rest. When my information gets hacked or compromised (which I argue is guaranteed to happen periodically), I am notified via dark web monitoring and I take care of that one issue as soon as I hear about the breach to minimize the risk of anything bad happening. When I’m compromised I don’t worry about other sites being at risk because my passwords are unique and random! I’m now proactively mitigating risk and am alerted to issues, so my reaction is easy and effective.
If you would like to see where your identity has been compromised, I recommend using a dark web monitor; a great place to start is this quick and free service: https://haveibeenpwned.com/
I’d be curious to know: what are you doing to minimize the impact of compromised websites on your digital life?