Jul 24, 2013

A Password Diversification Plan

(TLDR)

You shouldn't be using the same password everywhere You know this. Everytime some popular site gets hacked and millions of passwords are lost there's a flurry of news stories telling you never use the same password twice. There's even a xkcd comic about it.

But let's face it, if you are a reuser, this can be a pretty daunting task. It's like getting in shape or losing some weight: it's not something that's going to change overnight. It's going to take some time to switching all your passwords.

With that in mind, here's a plan you can use to move away from password reuse at yuor own pace. As a side effect, it should also get you in the habit of using stronger passwords and make it easier to remember to occasional change your passwords..

Pick a password manager

Instead of trying to remember multiple passwords, you should use a password manager. I like keepass, but there are others available. Pick one and start using it. If you don't like it switch to another one. Here are the important features:

  • Cross platform - it should work on all your devices which are likely to prompt for passwords
  • cut&pasting passwords - the plan is to eventually start using long passwords you can't possibly remember, so being able to copy the passwords into your clipboard and paste them into the password field is very useful
  • random password generators

Pick a password for the password manager's database. Use a different one from your normal password, since you're getting out of the habit of using the same password everywhere. Try to make it longer than your normal password.

Then enter your current reused password as the first entry. The manager most likely has a 'copy and paste password to the clipboard' feature. For a day or two, get into the habit of copy&pasting your password from the manager instead of typing it manually.

Set up Dropbox account

You can use Dropbox (or an equivilent service) to distribute your password database across multiple machines and devices.

If you're setting up a new account, don't reuse your default password. If you already have a Dropbox account, change your password. Add the new or updated password to the password manager.

Copy your password database into the shared directory. Make sure it's not in a publicly accessible folder. Now you can access your password database from any machine or device you can access with Dropbox

If your password manager supports keys, add key support, but don't store the keys on Dropbox. This way if Dropbox is hacked and your database is compromised, your database is still safe since the meenie weenies will not have your key.

Start Changing your passwords when visiting sites

If you visit a site and can log into a site with your default password, find the place on the site that'll let you change the pasword and then set it to a strong password and it to your password manager.

Try to change one or two accounts a day in the beginning, and then ramp up as you get more comfortable with the process.

When adding the new entries in the pasword manager an expiration date of something like 3 months. This is to also get yourself into the habit of changing your passwords as well.

Learn to love the password recovery pages

The first couple times you add a password into the manager, you may screw it up and need to recover your password for the site. This is a hassle, but for most sites it's not really that big a deal so that let that scare you off from changing your passwords.

Still, until you've changed a couple passwords, it might be good to hold off on switching the passwords for important services like email, which would be more disruptive if you had to have the pasword reset.

Backup your password database

After the first week or so, backup your password database to a USB drive or burn it to the CD or export the database to a CSV file, print that out and store it in the safe deposit box in your fallout shelter with your lifetime supply of canned creamed corn. Whatever your comfortable with. The important thing is you make the backup.

Also set up some sort of weekly reminder to update the backup.

Start using different usernames for new sites

If you're also using the same username for all your accounts, you could also start using differnet usernames as well to make it more difficult for folks to track you between sites. Your password manager should have a place to store your username, so you could cut&paste that field in addition to your password.

Start deactivating unused account

You probably have lots of accounts that you never use. Instead of changing the passwords for these sites, I suggest closing out the account entirely. Pull down whatever data you want to save from the site, then change your password to something random,and don't bother adding it to your password manager. Then deactivate the account.

Bacn is a good source of reminders about accounts you may want to close out.

After a site's been hacked

When an online service you're using is hacked, you should update your password on the site right away, making it more random if you already aren't using totally random passwrds.

You should also use this oppurtunity to look around and see if there's some other more secure site that you could be using instead, or if your technically inclined, if it's now possible for you to run a local version of this service on your own servers.

Change passwords that are expiring

Since you've been adding expiration dates to the password entries, when the manager starts warning you of an impending expiration, go ahead and change the password on the site. By this time you will have been using the manager for a few months, so try making the password longer and more cryptic. The password manager probably has the option of creating random passwords for you, so try that out. You should be very used to cut&pasting your passwords, so it shouldn't matter to you much by now that you can't remember the password.

Summary

  • Don't use the same password everywhere
  • Use a password manager - back it up regularly
  • Move away from using your reused password slowly at your own pace
  • Close out unused sites that are using the reused password
  • Set expirations on the passwords so you'll remember to change them regularly
  • Moving to more secure sites / self-hosting after sites are hacked.