I'm assuming you already understand something about passwords, like the fact that "12345" and anything in the English dictionary are terrible choices for a password. I don't delve much further into cryptography or security theory, because it would take too long, it would be distracting, and mostly because I'm not an expert in that field (hopefully you will see that as a plus, since otherwise I would spend the whole time scaring you).
The basic problem with passwords is that if you have enough strong passwords to have adequate security for all your different web sites and other situations, then it is difficult to remember them all. Solutions like writing them down or storing them in a spreadsheet solve those problems while introducing a host of other risks. In addition to the obvious security holes, keeping that information up to date can be a bother.
Now that I have a family, I realized there are other needs too. I handle most of the family finances, but if I am hit by a bus, whether I survive or not, how will my wife figure out all the stuff needed to take over? Less important but more common, if my wife gets a new frequent flier number and password, is there a good way to share it so that either of us can access it when needed?
If my laptop is stolen, or my house is burglarized, am I going to have to change all of my passwords? If you are starting to catch my drift, you can see that the first step is to think about your risks. While most people are affected by the same risks: burglary, malware, injury, stupid mistakes, natural disasters, some situations may be more important to you than others, so it's still worthwhile to give some thought to your specific concerns.
Most of this is not terribly new; many people already use a password database stored on the cloud, but I haven't seen much written on how to share it securely. Even if you don't need to share your passwords with a family, you will probably still find some or all of this system to be useful.
Step 1: Assessing Risks and Threats
OK, so you keep a backup. What happens if your house catches fire, and you leave your keys and your backup drive behind? Yes, you should be storing the data in the Cloud too. The point is that you need to consider all of these before you can be satisfied that your system is adequate protection from whatever life throws at you, whether it is malicious or accidental.
Design goals (driven by my assessment of risks and threats)
* Use secure passwords where needed and use separate ones for each financial site
* Don't have so many passwords that I forget some of them
* Share access for convenience
* Share access in case I am incapacitated
* Don't compromise security if my laptop is stolen
* Don't lose access if my laptop is stolen
* Keep it simple enough that my wife will use it too
I can't stress the last one too much. If the system is too frustrating it will be abandoned, and that's another risk.
Threats I gave up on
Security is a hard problem. If someone takes control of your email, they will probably be able to reset many of your passwords and take control. This system can help, but does not do anything extraordinary to protect your email, especially if you cache your email password in your browser.
Many Windows computers have already been compromised and could be logging your keystrokes or intercepting your web data. I think this system is way better than most other forms of protection, but it's impossible to be totally secure unless you throw your computer in a lake and go hide in a cave (and that will bring its own set of problems).
Complexity
In most situations, better security comes at the expense of ease-of-use. One of the nice things about this system is that most of the complexity is in the setup. Once you get through all that, with the help of this Instructable, your system will be both reasonably secure and reasonably easy to use.
You can use a dictionary-based brute forcer and get that within probably the hour. That gibberish thing will take much longer, as long as it's up to 256 AES standards.
Remembering it isn't that hard either; repetition is the key.
As for the comic bit, Randall, the guy that makes that comic, is known for backing up what he says.
And for my passwords, I use a sentence about passwords, followed by gibberish.
My work password is absolute gibberish, but since I type a few times a day, I don't have any problem remembering it. It's the other 147 that became the problem.
There's pills for paranoia you know ... only mostly they will increase your brain's overall susceptibility to it and temporarily cut the symptoms, so if you ever stop buying and taking their drugs, you'll have no options left other than to kill yourself.
We all gots to make a living. Specially those pharmaceutical companies.
You worry too much I think. Do you spend money on the internet with credit-cards?
L
Hmm I suppose so, keep avoiding "they"!
L
In the digital world we live in this is only going to expand in complexity - and I like your take on it.
I've got to delve a bit further into it for my family; it is important if I (or my wife) get 'hit by a bus' - it would be better to have a system like this in place in order to be able to keep paying the bills.
Ok, now make twenty of those pass-phrases, and share them with your wife. Use one every two weeks, two others once a month, and don't use the rest for a year. How many did you remember? How many did she remember?
It's been secure under the same password, written nowhere, filed nowhere, stored nowhere except our heads for over a decade.
My actual banking has always been, will always be, in person, by signature on hardcopy.
That means that, in the event of a disaster, my (currently under-age) children can get at the family finances without being faced with dozens of unguessable passwords.