Sunday, February 16, 2014

I will use this password only once

Source Flickr: Lou_Lou Chan
Sad to see that people still use a single password for all their online accounts. Every day we read about accounts being compromised, major web sites being hacked and personal details stolen.

There's not a 100% secure way of securing web sites, there will always be flaws in the system that are beyond your control (like the latest Target credit card heist). But as a user, there are a lot of things you can do to ensure that whenever a site gets compromised, you don't have to worry your other accounts are in danger.

Single email address per account

First of all, if you have a Google account there's a nice trick you can do that your have only one email address assigned with an online service. A regular Google mail account looks something like <username>@gmail.com. But when you register with an online service, you can enter <username>+<servicename>@gmail.com. So, whenever this service gets compromised, you can watch suspicious emails entering on <username>+<servicename>@gmail.com and filter them out.

If you use another mail service (or have a mail service of your own) you might want to use a wildcard to accept emails, so whenever you signup for an account you can just use <servicename>@yourmail.tld.

Use one password per account

Secondly, I can only urge you to use a password tool like 1Password, LastPass or KeePass. Because you only need to remember a single password, the password for the tool itself and from that point on, you can have a different password for each account you create.

I use 1Password myself and I'm pretty happy about it. I now have for each account a different password, and I use it even for generating (and remembering) database passwords, keeping track of my loyalty programs and even store hash keys I use to connect to other servers using SSH or SSL.

1Password interface: clean, very convenient and secure
The nice thing of 1Password is it integrates with your OS and directly with your browsers. So whenever you open a website that requires authentication, you just click the plugin in your browser, enter your password and have it fill out the form. Just that easy.

But also using it for your databases, credit cards, loyalty programs and whatever thing you need to remember securely. And you save it securely with your "master" password on your computer. Just make sure this single password is the most difficult one to remember. Using a quote from a book or a movie is always a great way to secure things with a passphrase, especially when you combine 2 quotes in different languages. This ensures no one has direct access to those passwords when your computer gets stolen. I'm saying "direct access" and not "no access" as people can still try to break in once they have direct access to your computer.

Limitations on the web

Even when I'm using a password tool to generate automatic passwords, I sometimes stumble against web sites that have strict regulations on how passwords should be made. You might want to think twice using a service like that because for passwords you should be able to use any character at your disposal and as long as you want it to be.

For instance Microsoft has a limitation of 16 characters for passwords on their services.
16 Character limit on passwords by Microsoft
Other websites have even limitations on what characters you can use, which might indicate they're not even hashing passwords on their services. Another reason you want to have a password stored there that's not used anywhere else.

Your web applications

When you build a web application with authentication, be sure to allow people use whatever password they want, even if they want to paste in the whole Macbeth book.

On the backend you might want to use PHP's password_hash that's now being provided by PHP 5.5. If you haven't upgraded yet to PHP 5.5 yet, check out Anthony Ferrara's talk on password hashing, he even has made a video of it.

Conclusion

Keep your passwords safe, secure and use them only once! On the backend you need to ensure that you keep those passwords secure and difficult to break. And allow all input!
Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.