Walking the Security Walk
19 Mar 2014
Almost every day I witness security atrocities: weak passwords, using the same password on every site, unlocked smartphones, unprotected wifi, people walking away from unlocked computers, and one of the worst of all, sharing passwords.
This is what I imagine doing every time someone tells me they gave someone else their password.
Why should you care about having strong and unique passwords? A different big site seems to get hacked just about every week, and if you’re using the same username and password all over then the bad guys can get into all of your other accounts. And if you’re thinking you don’t care about your online accounts, think of these two things:
- the damage someone can do if they can “be” you on social networking and other public forums is very serious
- if bad guys get into your email they basically own you because they can now reset passwords to other things… like your bank
There is no denying it; as security increases, usability decreases. Until we have some sort of un-fakable way of identifying a person we’ll probably keep using the username/password combo, and as long as we have usernames and passwords people will use fido1 and other crappy guessables. (Sorry to all the people whose passwords I just posted.)
Fortunately password managers are a thing, and they’re dirt cheap and pretty simple. I use LastPass myself because it works everywhere. Recently I went through the Security Check they offer and I was repulsed by my results. I had duplicates! And weak passwords! Unacceptable!
It took the better part of a day (no reason it had to be done all at once, but hey), and I brought my security score from 65% to 88%! Why not higher? Sadly some organizations are still stuck in the 90s and have a short maximum length to their passwords, or they don’t allow special characters, or some other ridiculous set of rules that compromises security. Also, a couple of accounts are still being upgraded because they had other issues that had to be resolved first. Finally, I have to maintain a few passwords for other people’s accounts (!!) for work, and their passwords suck, so I get punished for it in the audit.
One of the biggest wins was actually killing off tons of old accounts. That 65% score was for over 220 accounts, and the 88% is only 171. Whenever I came across an account I didn’t want anymore I closed it instead of improving its password. Sorry, some random website I commented on 6 years ago, I don’t need an account anymore. A surprising caveat to this is that most forums apparently do not let you delete your account so they can maintain the integrity of your posts, even if you never posted (remember when you needed an account just to search a forum?). In these cases I just made my password super strong and resigned myself to otherwise forget about it forever. Another surprising thing was how often people on these forums said “Why delete your account? Why don’t you just never come back?” To which I say “How about you just delete my damn account since I’m never coming back?” I did not expect this indifference towards orphaned accounts.
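As an added illustration (not the author's or LastPass's code), here is a small audit in the spirit of that Security Check, run over a constructed sample export: it flags passwords reused across sites, flags weak ones, and scores the share of accounts whose passwords are both strong and unique. The entropy threshold, the 12-character minimum and the tiny common-password list are assumptions for the example.

```python
"""Audit a password-manager export for reuse and weak passwords.

The CSV below is constructed sample data, not a real export; a real audit
would compare against a large breached-password list rather than COMMON.
"""
import csv
import io
import math
from collections import Counter

# Constructed sample export (site,password); not real credentials.
SAMPLE_EXPORT = """site,password
bank.example,Tr0ub4dor&3-correct-horse-battery
mail.example,fido1
forum.example,fido1
shop.example,Summer2014!
news.example,x9#Lq!vR2$mZpW7&eH
"""

# Tiny constructed list of common guessables (assumption for the example).
COMMON = {"password", "123456", "fido1", "letmein", "qwerty"}

def entropy_bits(pw):
    """Rough brute-force entropy: length times log2 of the character pool used."""
    pool = 0
    if any(c.islower() for c in pw): pool += 26
    if any(c.isupper() for c in pw): pool += 26
    if any(c.isdigit() for c in pw): pool += 10
    if any(not c.isalnum() for c in pw): pool += 33  # printable punctuation
    return len(pw) * math.log2(pool) if pool else 0.0

def is_weak(pw, min_bits=60):
    """Weak if it is a known guessable, too short, or below the entropy floor."""
    return pw.lower() in COMMON or len(pw) < 12 or entropy_bits(pw) < min_bits

def audit(export_csv):
    """Return (score, {site: [problems]}); score is % of accounts with no problems."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    uses = Counter(r["password"] for r in rows)  # how many sites share each password
    report = {}
    for r in rows:
        pw, problems = r["password"], []
        if uses[pw] > 1:
            problems.append("reused")
        if is_weak(pw):
            problems.append("weak")
        report[r["site"]] = problems
    ok = sum(1 for p in report.values() if not p)
    return (round(100 * ok / len(rows)) if rows else 0), report
```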
The long and short of it is that using a password manager makes having strong and unique passwords trivial. Two-factor auth and device encryption are also awesome (and I’ll post about them later), but you can vastly improve your situation just by making your passwords not suck. There are no valid excuses. Use LastPass, use 1Password, use RoboForm, but use something.