(resume update)
[pwan.org.git] / content / security / data_diversity_plan.rst
1 A Password Diversification Plan
2 ###############################
3
4 :date: 2013-07-24
5 :tags: security
6 :category: security
7 :author: Jude N
8
9 (TLDR_)
10
11 You shouldn't be using the same password everywhere You know this. Everytime `some popular site gets hacked`_ and
12 `millions of passwords are lost`_ there's a flurry of news stories telling you `never use the same password twice`_. There's even a `xkcd comic`_ about it.
13
14 But let's face it, if you are a reuser, this can be a pretty daunting task. It's like getting in shape or losing some weight:
15 it's not something that's going to change overnight. It's going to take some time to switching all your passwords.
16
17 With that in mind, here's a plan you can use to move away from password reuse at yuor own pace. As a side effect, it should also get you in the
18 habit of using stronger passwords and make it easier to remember to occasional change your passwords..
19
20 .. _some popular site gets hacked: https://duckduckgo.com/?q=passwords+stolen&t=canonical
21 .. _millions of passwords are lost: http://www.infosecurity-magazine.com/view/32087/50-million-livingsocial-passwords-stolen/
22 .. _never use the same password twice: https://duckduckgo.com/?q=never+reuse+passwords&t=canonical
23 .. _xkcd comic: https://www.xkcd.com/792
24
25
26 Pick a password manager
27 -----------------------
28 Instead of trying to remember multiple passwords, you should use a password manager. I like keepass_, but `there are others`_ available. Pick one and start using it.
29 If you don't like it switch to another one. Here are the important features:
30
31 - Cross platform - it should work on all your devices which are likely to prompt for passwords
32 - cut&pasting passwords - the plan is to eventually start using long passwords you can't possibly remember, so being able to copy the passwords into your clipboard and paste them into the password field is *very* useful
33 - random password generators
34
35 Pick a password for the password manager's database. Use a different one from your normal password, since you're getting out of the habit of using the same password everywhere. Try to make it longer than your normal password.
36
37 Then enter your current reused password as the first entry. The manager most likely has a 'copy and paste password to the clipboard' feature. For a day or two, get into the habit of copy&pasting your password from the manager instead of typing it manually.
38
39 .. _keepass: http://keepass.info/
40 .. _there are others: http://lifehacker.com/5042616/five-best-password-managers
41
42 Set up Dropbox account
43 ----------------------
44 You can use Dropbox (or an equivilent service) to `distribute your password database`_ across multiple machines and devices.
45
46 If you're setting up a new account, don't reuse your default password. If you already have a Dropbox account, change your password.
47 Add the new or updated password to the password manager.
48
49 Copy your password database into the shared directory. Make sure it's not in a publicly accessible folder.
50 Now you can access your password database from any machine or device you can access with Dropbox
51
52 If your password manager supports keys, add key support, but don't store the keys on Dropbox.
53 This way if Dropbox is hacked and your database is compromised, your database is still safe since the meenie weenies will not have your key.
54
55 .. _distribute your password database: http://lifehacker.com/5063176/how-to-use-dropbox-as-the-ultimate-password-syncer
56
57 Start Changing your passwords when visiting sites
58 -------------------------------------------------
59 If you visit a site and can log into a site with your default password, find the place on the site that'll let you
60 change the pasword and then set it to a strong password and it to your password manager.
61
62 Try to change one or two accounts a day in the beginning, and then ramp up as you get more comfortable with the process.
63
64 When adding the new entries in the pasword manager an expiration date of something like 3 months.
65 This is to also get yourself into the habit of changing your passwords as well.
66
67 Learn to love the password recovery pages
68 -----------------------------------------
69 The first couple times you add a password into the manager, you may screw it up and need to recover your password for the site.
70 This is a hassle, but for most sites it's not really that big a deal so that let that scare you off from changing your passwords.
71
72 Still, until you've changed a couple passwords, it might be good to hold off on switching the passwords for important services
73 like email, which would be more disruptive if you had to have the pasword reset.
74
75 Backup your password database
76 -----------------------------
77 After the first week or so, backup your password database to a USB drive or burn it to the CD or export the database to a CSV file, print that out and store it in the safe deposit box in your fallout shelter with your lifetime supply of canned creamed
78 corn. Whatever your comfortable with. The important thing is you make the backup.
79
80 Also set up some sort of weekly reminder to update the backup.
81
82 Start using different usernames for new sites
83 ---------------------------------------------
84 If you're also using the same username for all your accounts, you could also start using differnet usernames as well to make it
85 more difficult for folks to track you between sites. Your password manager should have a place to store your username, so you could cut&paste that field in addition to your password.
86
87 Start deactivating unused account
88 ---------------------------------
89 You probably have lots of accounts that you never use. Instead of changing the passwords for these sites, I suggest closing out the account entirely. Pull down whatever data you want to save from the site, then change your password to something random,and don't bother adding it to your password manager. Then deactivate the account.
90
91 Bacn_ is a good source of reminders about accounts you may want to close out.
92
93 .. _Bacn: https://en.wikipedia.org/wiki/Bacn_%28electronic%29
94
95
96 After a site's been hacked
97 --------------------------
98 When an online service you're using is hacked, you should update your password on the site right away, making it more random
99 if you already aren't using totally random passwrds.
100
101 You should also use this oppurtunity to look around and see if there's some other more secure site that you could be using instead, or if your technically inclined, if it's now possible for you to run a local version of this service on your own servers.
102
103 Change passwords that are expiring
104 ----------------------------------
105 Since you've been adding expiration dates to the password entries, when the manager starts warning you of an impending expiration, go ahead and
106 change the password on the site. By this time you will have been using the manager for a few months, so try making the password longer and more
107 cryptic. The password manager probably has the option of creating random passwords for you, so try that out. You should be very used to cut&pasting
108 your passwords, so it shouldn't matter to you much by now that you can't remember the password.
109
110 .. _TLDR:
111
112 Summary
113 -------
114
115 - Don't use the same password everywhere
116 - Use a password manager - back it up regularly
117 - Move away from using your reused password slowly at your own pace
118 - Close out unused sites that are using the reused password
119 - Set expirations on the passwords so you'll remember to change them regularly
120 - Moving to more secure sites / self-hosting after sites are hacked.
121
122