Personal Password Audit

In my quest for better online security, I have been working on a personal password audit. I have been going through all of my accounts and changing the passwords. In the process, I am ensuring that each account has a unique password. How will I remember all those passwords? How will I make sure I do not repeat myself? I have used a password manager for years. It makes it a lot simpler to use strong passwords without having to remember them all.

My password manager of choice is LastPass. I chose it initially because of the free version, support for two-factor authentication, and the approach used to secure their customer data. Now that LastPass has actually been hacked and had their customer data stolen, I am even more confident. Even though the encrypted data got into the wild, the good practices LastPass uses to protect customer data have prevented anyone from actually compromising that data.

LastPass lets you access your passwords on virtually any device, as well as store secure notes. The convenience of having my passwords available to me on any computer, phone, or tablet is amazing. I am a huge fan of the sharing ability that is built into LastPass. I can securely share account credentials with my wife without having to worry about letting her know every time I update the password. LastPass syncs the shared account information to her LastPass account whenever I make a change. She cannot actually view the password unless I authorize it when I share the password with her.

Another great feature of LastPass is the ability to evaluate your passwords for security. It will let you know if you are using a duplicate or weak password. It is always good to have something keeping you on your toes when it comes to security.

Although I have a history of using strong passwords, I am starting to use the LastPass password generation feature more frequently. Since I no longer need to remember the password, it makes a lot of sense to use a string of 30 or more randomly generated letters, numbers, and symbols.

Yes, I said 30 or more. Length is the best defense against brute-force password cracking. Every additional character multiplies the number of combinations an attacker has to try, so a long string of random characters stays out of reach no matter how fast the cracking hardware gets. One caveat: plain dictionary words do not add as much strength as their character count suggests, because cracking tools guess whole words and common word combinations rather than individual letters. Count a word-based password by its words, not its characters, when you judge how strong it is. I try to vary the length I use to make it even more challenging for someone to crack my other passwords based on a single compromised password.

If you do not want randomly generated passwords, and really want something that you can remember, you can use a technique called haystacking. Essentially, you pick some words to use for your password and add some padding characters and numbers. Make it a pattern you can remember. This will help you create a long, meaningful password that you can remember, which is important for the master password of a service like LastPass. If you really want to geek out on the math of it all or learn more about haystacking, you can get started with the Gibson Research Corporation article on haystacking and complexity.
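To make the audit and the length discussion concrete, here is a small script I have added to this post (it is not part of the original and is not LastPass code) that runs the checks a password manager's security report does over a vault export: it flags passwords reused across entries, passwords shorter than a minimum length, and passwords whose strength collapses once an attacker guesses whole words instead of single characters. The vault data is constructed and fake, the CSV column names are an assumption you should adjust to your own export, and the word-list size and bit thresholds are illustrative choices, not measured cracking costs.

```python
import csv
import io
import math
import re
from collections import defaultdict

# Constructed sample export with fake credentials (not a real vault). The
# column layout is an assumption; adapt the field names to your manager's export.
SAMPLE_EXPORT = """url,username,password,name
https://bank.example,alice,Tr0ub4dor&3,Bank
https://mail.example,alice@example.com,Tr0ub4dor&3,Mail
https://shop.example,alice,correct.horse.battery.staple,Shop
https://forum.example,alice99,x7Q!mZ2#pL9@vB4$nK8^wR3&tY6*,Forum
https://news.example,alice,password123,News
"""

MIN_LENGTH = 16           # flag anything shorter, whatever it is made of
MIN_BITS = 64             # illustrative floor for the dictionary-aware estimate
DICTIONARY_SIZE = 50_000  # assumed size of an attacker's word list
PUNCT = 33                # printable ASCII punctuation characters
LETTERS = 52
DIGITS_AND_PUNCT = 10 + PUNCT


def charset_size(pw):
    """Smallest standard alphabet (a-z, A-Z, 0-9, punctuation) covering pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += PUNCT
    return size


def brute_force_bits(pw):
    """log2 of the search space when every character is an independent choice.
    This is the figure the 'longer is always stronger' argument relies on."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def dictionary_aware_bits(pw):
    """log2 of the search space for an attacker who guesses whole words.
    Each run of letters costs the cheaper of one dictionary pick or brute-forcing
    that run; every other character costs one digit-or-punctuation symbol.
    The result never exceeds the brute-force figure."""
    if not pw:
        return 0.0
    bits = 0.0
    for run in re.findall(r"[A-Za-z]+|[^A-Za-z]+", pw):
        if run[0].isalpha():
            bits += min(math.log2(DICTIONARY_SIZE), len(run) * math.log2(LETTERS))
        else:
            bits += len(run) * math.log2(DIGITS_AND_PUNCT)
    return min(bits, brute_force_bits(pw))


def audit(export_text, min_length=MIN_LENGTH, min_bits=MIN_BITS):
    """Return {entry name: {"length", "brute_bits", "dict_bits", "issues"}}."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    # Group entries by password so reuse can be reported with the other sites.
    sites_by_password = defaultdict(list)
    for row in rows:
        sites_by_password[row["password"]].append(row["name"])

    report = {}
    for row in rows:
        pw = row["password"]
        brute, dictionary = brute_force_bits(pw), dictionary_aware_bits(pw)
        issues = []
        others = sorted(s for s in sites_by_password[pw] if s != row["name"])
        if others:
            issues.append("reused on " + ", ".join(others))
        if len(pw) < min_length:
            issues.append(f"short: {len(pw)} < {min_length} characters")
        if dictionary < min_bits:
            issues.append(f"guessable: ~{dictionary:.0f} bits against a "
                          f"dictionary attack (~{brute:.0f} brute-force)")
        report[row["name"]] = {"length": len(pw), "brute_bits": brute,
                               "dict_bits": dictionary, "issues": issues}
    return report


if __name__ == "__main__":
    for name, r in audit(SAMPLE_EXPORT).items():
        status = "; ".join(r["issues"]) or "ok"
        print(f"{name:6} len={r['length']:2} brute~{r['brute_bits']:5.0f} "
              f"dict~{r['dict_bits']:5.0f}  {status}")
```

Run it on the sample and the four-word haystack entry keeps a comfortable margin, but its estimate drops from roughly 165 bits by character count to under 80 once the words are guessed as units, while the 28-character random string barely moves. That gap is the reason to judge a word-based master password by how many words it has, and to keep an eye on reuse regardless of length: the two bank and mail entries fail on both counts.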

Do not use information in a password that you share with anyone or is public record. Just like Google can make some good guesses about what you like based on your browsing habits, it is not terribly difficult to scrape together data from your social media and public records to generate a list of probable passwords. If you make up a password that is just a combination of things like your child’s birthdate, favorite sports team, and your favorite color, you have made it fairly easy for a password cracker to narrow the possibilities.

In my opinion, the best thing to do is take some time to install and use a password manager so you have no reason not to use long, complex passwords. For your master password, take a few minutes to learn about haystacking and create something unique to keep all your passwords secure. Please do not use the same password for every site. Take some time to do a personal password audit to make it harder for someone to compromise your online security.

Online Citizen

I have been an online citizen since the days of dial-up bulletin board systems (BBS) circa 1983. I found my way to the internet a few years later. I decided fairly early on that being online was really like being in any other public place, much like going to a park, mall, or theater.

I believe there is a certain amount of privacy surrendered by putting myself in a public place. My appearance and activities in a public place are visible to others that may be present. I do not believe that appearing in a public place grants permission for people to inspect every aspect of my life.

I have become increasingly dismayed about the amount of surveillance that is done on the internet by both private and government organizations. I am quite comfortable with the idea that what I post on my public blog, Facebook, and Twitter are entirely in the public eye. I am not comfortable with my every communication and activity being inspected by organizations or persons that are not directly involved.

Net neutrality is also an issue that has concerned me for quite some time. I believe that the internet should show no preference to traffic. Data packets are data packets. They should not be judged by who sent them or where they are going. The companies that route the traffic through the internet should not be able to give special treatment to certain types of traffic.

Given the current political climate in the United States and the growth of efforts to overturn net neutrality, I decided it is time to start being more cognizant of my online security. Over the last couple of months, I have started to take some steps to better secure my online presence and communications. I am certain that my efforts are not perfect, but I plan to share my experiences so that others may benefit.