A few weeks ago I wrote about how I started using a password vault. Some of my keener observers noted that I did not mention which one I chose, and that was not an oversight. I am not an expert in the technology, and unlike many of the products and solutions I have reviewed over the years, usability is not the primary factor in selecting a password vault, and I am not qualified to evaluate how well any of them secure your passwords. However, with regard to usability, I would like to talk about some changes I have made in how I work, and how they have affected me.
1) Completely Randomized Passwords
Over the course of my time in IT I have heard myriad complaints from users who did not like having to remember complex passwords, and liked even less having to change them every so often. I gave them a lot of advice on how to choose, remember and cycle their passwords, but no matter how hard I tried, yellow sticky-notes (yes, they come in other colours too) remain the biggest enemy of IT security.
I have used a lot of different passwords over the past fifteen years, but it is rare that I forget one. Why? Because there are probably a dozen ‘series’ of passwords that I have used at any given point. I won’t give any of them away (there is probably some obscure site that I have not logged into in a decade that still has my account with one of these old passwords, and somebody would figure it out). But let’s make up an obscure and completely fictitious password that I could have used:
Four Score and Seven Years Ago, Our Fathers…
The opening words of the Gettysburg Address. It is easy enough to remember… eight words. If I were to take the first letter of each word, and replace numbers and boolean words (‘and’) with their symbols, we would have 4S&7yaof. Upper case, lower case, numbers, and symbols. Eight characters long. I just created a password that would pass almost every minimum password requirement check. I would then use that as a password for a dozen sites and applications. Of course, some sites insist that a password start with a letter, so Fs&7yaof would be derived the same way but be a completely different string. We’re happy.
As I have mentioned before, I maintain a text file of most of the sites I have credentials for, and every few months I go through them all and change my passwords. It takes time and effort, but I have done it. Fortunately, I have always had pretty simple passwords (for me) to remember… because I knew the context. Password Hint? GETTYSBURG.
Now that I am using the password vault, it has a tool that helps me to create long, complex, random passwords that would be completely impossible for someone like me to memorize. However, I don’t have to memorize them, because the vault app enters them for me when I need them. So:
Hello1 = BAD
Passw0rd = BAD
Fs&7yaof = Good
L9Gya$(aWPl47+~R2t7*^1> = EXCELLENT!
With passwords like these (and a management app that helps me create, remember, and every few months change them), and with every site having a completely different, nearly impossible to remember password, I can sleep better at night knowing that my identity is secure.
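As an added illustration (my own code, not from the original post or from any vault product), the following Python applies the mnemonic rule from the Gettysburg example, runs the four-character-class ‘minimum requirements’ check that the BAD/Good/EXCELLENT list is really about, and generates a vault-style random password with the OS CSPRNG. The substitution word list, the function names and the 94-symbol alphabet are my assumptions. The bit counts it reports are for a blind brute-force attacker who knows only the length and the alphabet; that figure flatters a mnemonic built from a famous quote, because well-known phrases are in attackers’ dictionaries and get tried long before random strings.

```python
import math
import secrets
import string

# Printable ASCII minus space: the alphabet a typical vault generator draws
# from (assumption; the post's example L9Gya$(aWPl47+~R2t7*^1> uses letters,
# digits and symbols). 94 symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# My reading of the post's rule "change numbers and booleans into their
# characters". The exact word list is an assumption, not taken from the post.
WORD_SUBSTITUTIONS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
    "and": "&", "or": "|", "not": "!",
}


def mnemonic_password(phrase: str, must_start_with_letter: bool = False) -> str:
    """Derive a password from a phrase: first letter of each word, with number
    and boolean words replaced by their symbol. Letter case follows the phrase.
    must_start_with_letter handles sites that reject a leading digit or symbol
    by keeping the first word's initial character instead of its symbol."""
    out = []
    for word in phrase.split():
        word = word.strip(string.punctuation)  # drop trailing commas, dots
        if not word:
            continue
        sub = WORD_SUBSTITUTIONS.get(word.lower())
        if sub is None or (must_start_with_letter and not out):
            out.append(word[0])
        else:
            out.append(sub)
    return "".join(out)


def has_all_classes(pw: str) -> bool:
    """True when the password contains lower case, upper case, a digit and a
    symbol: the 'minimum requirements' check most sites apply."""
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def generate_random_password(length: int = 23, alphabet: str = PRINTABLE) -> str:
    """Generate a vault-style password: each position is an independent uniform
    draw from `alphabet` using the OS CSPRNG (secrets), resampled until every
    character class is present so that it also passes has_all_classes()."""
    if length < 4 or not has_all_classes(alphabet):
        raise ValueError("length must be >= 4 and alphabet must cover all four classes")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw):
            return pw


def brute_force_bits(pw: str, alphabet_size: int = len(PRINTABLE)) -> float:
    """Bits of work for an attacker who knows only the length and alphabet.
    For a mnemonic this is only an upper bound: the real search space is the
    set of well-known phrases the attacker tries first, which is far smaller."""
    return len(pw) * math.log2(alphabet_size)


if __name__ == "__main__":
    phrase = "Four score and seven years ago our fathers"  # speech's own casing
    candidates = (
        "Hello1",
        "Passw0rd",
        mnemonic_password(phrase, must_start_with_letter=True),  # Fs&7yaof
        generate_random_password(),
    )
    for pw in candidates:
        print(f"{pw:28} classes={has_all_classes(pw)!s:5} "
              f"blind brute force={brute_force_bits(pw):6.1f} bits")
```

Run it and the three hand-picked strings come out as the post grades them: Hello1 and Passw0rd fail the class check, Fs&7yaof passes at about 52 bits of blind brute force, and the 23-character random string passes at about 151 bits, which is the real reason a vault-generated password earns the EXCELLENT label.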
The problem is: how am I securing the password vault? Well, that has a couple of answers. Two-factor authentication, for sure, but it works differently on my phone and on my computer.
2) Multi-Factor Authentication
When I am accessing the vault on my computer, I have to enter my password and then complete two-factor authentication with my Yubikey. On my iPhone I have to a) unlock the phone using either a passcode or a fingerprint, and b) log in to the application using a different password. It is not ideal, but it is better than nothing… and for my needs, it is just fine.
There are some sites that I use (such as WordPress for my blog) that interact with applications and support Multi-Factor Authentication (MFA). The process for these sites is a bit different:
1) The password vault application (or WordPress) generates a ridiculously long and complex password, and stores it in the vault.
2) The site allows me to create ‘application passwords’ which are for individual applications (and different installations of the same application), which the applications can store.
3) The WordPress app is installed on my phone. When I try to authenticate using either the web or an application, WordPress sends a code to the app on my phone, which asks me if I tried to log on (and from where). I can either Accept, which will allow the logon to proceed, or Reject, which will block the logon.
Other sites, such as Microsoft ID protected sites, allow me either to remember my password, to have my password vault application enter the un-rememberable password for me, or to have the site generate a one-time code, sent to my phone by SMS message, that I can log on with.
A few sites and applications, including my corporate VPN and my health insurance website (not to mention my password vault application), allow me to authenticate using a token: a device that I plug into my computer and then press a button on. The device then sends a code to the computer, which authenticates me. I will not go into the back-end of this, but it is quite secure from what I understand… as long as it doesn’t get stolen. Of course, for most of the sites that I use it with, the Yubikey only works in conjunction with a password.
I hope by now I am beyond the ‘forgetting my cell phone’ syndrome… after all, I have been carrying one for the better part of two decades, and knowing that the replacement value of my phone is nearly $1,000 I do my best to have it on me at all times. But what about the Yubikey? I am relatively new to carrying it around, and it is absolutely tiny… about the size of my thumbnail. I have it attached to a little charm that I was given at a bar in Shinagawa (Tokyo). The two combined might weigh a few grams… and I am extremely hopeful that it is more durable than it looks. However, here’s the thing… I carry a lot of things in my pockets, and because of that I will, on occasion, take out things that do not have to be there… including, on the weekends, my card access key for the office, and yes – my Yubikey. Only, there are days (and not a few of them) when I forget my key card at home… and as such, I will often also forget my Yubikey. Fortunately my company still has a secondary VPN that I can use, and as for other sites that require it… well, let’s just say that most of them are not required for me to perform my job.
Oh wait… my password vault requires it. So I had better hope that during the course of my day without my Yubikey I don’t need to access too many sites, because while I can get the passwords off my phone, typing in passwords that look like this: L9Gya$(aWPl47+~R2t7*^1> can be a pain.
3) When all else fails…
I actually had to do this more often when I was using my old password methodology than my new one. Most sites have those helpful ‘Forgot my password’ buttons that will, after asking you a couple of questions, send you a link to reset your password. I used it a lot before, but admit that the only time I used it recently was with my health insurance company… where the password hint was useless, and the ‘Forgot my password’ button told me to call so that they could delete my account and then I could recreate it. Thanks, I’ll wait until I pick my Yubikey up off the night stand.
I wasn’t entirely sure what to expect, but I was hoping the transition to the password vault (and scores of completely different and un-rememberable passwords) would not be too painful. I was not disappointed. I did have to log on to some sites and manually change the passwords, but for others the vault’s app did it for me. I haven’t been locked out of anywhere (YET), and to the best of my knowledge nobody has logged on anywhere as me because they have compromised my data.
The Multi-Factor Authentication (MFA) is great as long as I have my devices with me… and my phone’s battery isn’t dead. Fortunately some of the sites that use it have alternate methods (e-mail me a code?), and fortunately my phone is usually well charged; otherwise I bring a portable charger with me.
Does this new methodology benefit me? Let’s be honest… the world has changed. Twenty years ago I was afraid someone would steal my house keys and then break into my house and steal my stuff. Today, with alarms and cameras, that threat is nearly obsolete, but the threat of losing our data, banking information and credibility to hackers is very real, and being able to take steps to prevent it… well, it’s a small price to pay.