There is a lot of advice about passwords and security on the web, but no one system is perfect for everyone because everyone has different needs and risk profiles.  This is my system, and it works great for my situation.  Some friends have asked about it, so I'm sharing this Instructable. Even if your goals don't quite match mine, you may find some useful techniques, so read on...

I'm assuming you already understand something about passwords, like the fact that "12345" and anything in the English dictionary are terrible choices for a password. I don't delve much further into cryptography or security theory, because it would take too long, it would be distracting, and mostly because I'm not an expert in that field (hopefully you will see that as a plus, since otherwise I would spend the whole time scaring you).

The basic problem with passwords is that if you have enough strong passwords to have adequate security for all your different web sites and other situations, then it is difficult to remember them all. Solutions like writing them down or storing them in a spreadsheet solve those problems while introducing a host of other risks.  In addition to the obvious security holes, keeping that information up to date can be a bother. 

Now that I have a family, I realized there are other needs too.  I handle most of the family finances, but if I am hit by a bus, whether I survive or not, how will my wife figure out all the stuff needed to take over? Less important but more common, if my wife gets a new frequent flier number and password, is there a good way to share it so that either of us can access it when needed? 

If my laptop is stolen, or my house is burglarized, am I going to have to change all of my passwords?  If you are starting to catch my drift, you can see that the first step is to think about your risks.  While most people are affected by the same risks (burglary, malware, injury, stupid mistakes, natural disasters), some situations may matter more to you than others, so it's still worthwhile to give some thought to your specific concerns.

Most of this is not terribly new; many people already use a password database stored on the cloud, but I haven't seen much written on how to share it securely.  Even if you don't need to share your passwords with a family, you will probably still find some or all of this system to be useful. 

Step 1: Assessing Risks and Threats

I consider "risks" and "threats" to be more or less synonyms in this context, but some people approach this problem from only one side.  For example some people carry all their passwords on an encrypted USB stick on their keychain.  That's great to prevent data theft, but what happens when you accidentally flush your keys down the toilet, like I did a couple years ago?  

OK, so you keep a backup.  What happens if your house catches fire, and you leave your keys and your backup drive behind?  Yes, you should be storing the data in the Cloud too.  The point is that you need to consider all of these before you can be satisfied that your system is adequate protection from whatever life throws at you, whether it is malicious or accidental.

Design goals (driven by my assessment of risks and threats)
* Use secure passwords where needed and use separate ones for each financial site
* Don't have so many passwords that I forget some of them
* Share access for convenience
* Share access in case I am incapacitated
* Don't compromise security if my laptop is stolen
* Don't lose access if my laptop is stolen
* Keep it simple enough that my wife will use it too

I can't stress the last one too much.  If the system is too frustrating it will be abandoned, and that's another risk.  

Threats I gave up on
Security is a hard problem.  If someone takes control of your email, they will probably be able to reset many of your passwords and take control of those accounts too. This system can help, but does not do anything extraordinary to protect your email, especially if you cache your email password in your browser.

Many Windows computers have already been compromised and could be logging your keystrokes or intercepting your web data.  I think this system is way better than most other forms of protection, but it's impossible to be totally secure unless you throw your computer in a lake and go hide in a cave (and that will bring its own set of problems).

In most situations, better security comes at the expense of ease-of-use.  One of the nice things about this system is that most of the complexity is in the setup. Once you get through all that, with the help of this Instructable, your system will be both reasonably secure and reasonably easy to use.
There are many free Password Cracker (http://www.passwordcracker.me/) tools that can help recover a lost password.
The best solution would be encryption. I carry my laptop and USB around for business purposes and I always encrypt my data with Data Protecto. This software has been loyal to me as I have never faced any problem regarding security. Try Data Protecto encryption and folder lock feature.
Contrary to your statement in the first step about real words being poor choices, they provide a much more easy to remember solution that takes more time to brute-force. See xkcd Password Strength (http://xkcd.com/936/).
So you're going to base your argument off of a web comic? Really. "correct horse battery staple" is simple to remember, and easy for a computer to guess. You can use a dictionary-based brute forcer and get that within probably the hour. That gibberish thing will take much longer as long as it's up to 256 AES standards. Remembering it isn't that hard either; repetition is the key.
It's explained IN THE COMIC why it's hard to guess. As for the comic bit, Randall, the guy that makes that comic, is known for backing up what he says. And for my passwords, I use a sentence about passwords, followed by gibberish.
Sure, Kiteman had already mentioned that comic so I had put it into step 5, but that system only works for a couple of passwords. I have 148 passwords in my KeePass database and many of them were chosen by other people. That strong passphrase method alone is just not going to get the job done. My work password is absolute gibberish, but since I type it a few times a day, I don't have any problem remembering it. It's the other 147 that became the problem.
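The strength argument in the comments above, worked through as an added example that is not part of the original Instructable or its comments: it computes the guessing cost of a four-word passphrase drawn at random from a 2048-word list (the figures xkcd 936 uses) against an eight-character random password, at an online rate-limited guess rate and an offline cracking rate, both of which are assumed values chosen here for illustration.

```python
import math

# Added example, not from the Instructable or its comments. The guess rates
# are assumptions; the 2048-word / 4-word figures are the ones xkcd 936 uses.
# The entropy figures hold only when every word or character is chosen at
# random; a phrase or word you picked yourself is weaker than this model.

ONLINE_GUESSES_PER_SEC = 1e3    # assumed: a rate-limited web login form
OFFLINE_GUESSES_PER_SEC = 1e10  # assumed: GPU cracking a leaked fast hash


def passphrase_entropy_bits(dictionary_size: int, word_count: int) -> float:
    """Bits of entropy for word_count words chosen uniformly from the list."""
    return word_count * math.log2(dictionary_size)


def random_password_entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for length characters chosen uniformly from a charset."""
    return length * math.log2(charset_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret: on average half the space is searched."""
    return (2.0 ** entropy_bits / 2.0) / guesses_per_second


def compare_schemes(guesses_per_second: float) -> dict:
    """Entropy and expected crack time (seconds) for the two schemes in the thread."""
    schemes = {
        "four_words_from_2048": passphrase_entropy_bits(2048, 4),       # 44 bits
        "eight_random_printable": random_password_entropy_bits(95, 8),  # ~52.6 bits
    }
    return {
        name: {"bits": bits, "seconds": expected_crack_seconds(bits, guesses_per_second)}
        for name, bits in schemes.items()
    }


def format_duration(seconds: float) -> str:
    """Render seconds as a coarse human-readable unit for the printout."""
    year = 365.25 * 24 * 3600
    if seconds >= year:
        return f"{seconds / year:,.0f} years"
    if seconds >= 3600:
        return f"{seconds / 3600:,.1f} hours"
    return f"{seconds:,.0f} seconds"


if __name__ == "__main__":
    for label, rate in (("online", ONLINE_GUESSES_PER_SEC), ("offline", OFFLINE_GUESSES_PER_SEC)):
        for name, r in compare_schemes(rate).items():
            print(f"{label:8s} {name:24s} {r['bits']:5.1f} bits  ~{format_duration(r['seconds'])}")
```

Against the online rate both schemes take centuries; against the offline rate the four-word phrase falls in minutes while the eight random printable characters still take days, which is the distinction the two commenters are talking past each other about.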
Protecting passwords... just don't piss off /b/ or any other hacking site or people.
Too late. Al Qaeda already hates you. And they could use some extra cash.
Aren't you a bright ray of sunshine? And yeah, it's all those hardworking Arabs that need the money. Not the USA, no sirree, they owe no one nuffink. There's pills for paranoia you know... only mostly they will increase your brain's overall susceptibility to it and temporarily cut the symptoms, so if you ever stop buying and taking their drugs, you'll have no options left other than to kill yourself. We all gots to make a living. Specially those pharmaceutical companies.
Well... your sys is a bit silly but OK.
I think people read this so they could hack passwords, not understand them. Sorry, only read pg 1 (first step), too lazy. Next time get to the point.
You worry too much, I think. Do you spend money on the internet with credit cards? L
It's not paranoia if they really are after you.
Hmm, I suppose so, keep avoiding "they"! L
Some people may not worry enough considering the reality of mass identity theft.
I wish I could &quot;like&quot; that comment.
Great concept and well written / researched. In the digital world we live in this is only going to expand in complexity, and I like your take on it. I've got to delve a bit further into it for my family; it is important if I (or my wife) get "hit by a bus" to have a system like this in place in order to be able to keep paying the bills.
You don't need special hardware or software to manage your passwords if you pay attention to the way you create your passwords in the first place (http://xkcd.com/936/).
Fun comic! I will add that to step 5. OK, now make twenty of those pass-phrases, and share them with your wife. Use one every two weeks, two others once a month, and don't use the rest for a year. How many did you remember? How many did she remember?
I only use one online financial site, and it is not connected directly to my actual bank account. It's been secure under the same password, written nowhere, filed nowhere, stored nowhere except our heads, for over a decade. My actual banking has always been, and will always be, in person, by signature on hardcopy. That means that, in the event of a disaster, my (currently under-age) children can get at the family finances without being faced with dozens of unguessable passwords.
Any credit card that is serviced by CitiBank behind the scenes gives you access to one-time credit card numbers (they call them "Virtual Private Numbers", or something like that). You use your (strong) password to log on to the bank's web site, and ask the bank to generate a number and CV2 code on demand. This number is automatically limited to a single vendor for one month and can optionally be limited by dollar amount or a longer period of time (up to 12 months). I've had good results using this everywhere except Amazon.com, where there are sometimes multiple vendors behind a single transaction. This seems like a reasonable way to mitigate the risk of the vendor's system being compromised. It doesn't help when the bank's system is compromised (which does happen, but if it does the bank will blast the old number and send you a new credit card).

About This Instructable
More by WiringHarness: Family Password Security