Perfect Password Process

The problem I’m trying to solve: using a different, strong password for each online account (or, more precisely, managing those passwords so that it doesn’t all go belly-up when I want to log in to site X, Y or Z).

A quick audit of my (non-work related) online accounts (e.g. banking, DNS, email, FTP, ISP, shopping, social, utilities, web hosting, web services, etc.) reveals that I have 54 accounts. There’ll be plenty that I haven’t counted here; these are the main ones that I use a lot.

Up to now, I used five different passwords across all these accounts. Very bad. If one password got compromised, multiple accounts were at risk. But I can’t possibly remember 54 passwords. And I don’t want to write them down in plain text because that wouldn’t be secure, plus I could lose the document and have log-in hell.

I now use the following components:

Here’s a rundown of how I now have a different, random, ten-character password for each account I use and how I can still conveniently log in to each site just as quickly as before (when I had only five passwords to remember).

  1. First, get to grips with TrueCrypt and how it functions on your OS. Once you’re OK with it, create an encrypted container on your desktop (or anywhere you want).
  2. Next, in a spreadsheet, do an audit of all your accounts. If you’re going to do this over a few days there’s no need to enter the usernames and passwords yet. You just need to have a list (email accounts, eBay, PayPal, Amazon, etc.).
  3. Once you have all accounts listed in the spreadsheet, populate it with your username and password data, then save it to your TrueCrypt container. Once your container is unmounted it is fully encrypted.
  4. Then, when you’re ready, mount your container, re-open your spreadsheet and methodically change each password to something random (I use a ten-character string from GRC’s Password Generator to generate a random password).
  5. Each time you change a site’s password in your spreadsheet, visit the site in question, change the password in your profile to the random one generated by GRC (and saved in your spreadsheet), and save your login info in Firefox’s Password Manager.
  6. Once all passwords have been changed and stored in Firefox, save and close the spreadsheet and unmount the TrueCrypt container.
  7. If you own multiple machines, move the encrypted TrueCrypt container to your USB stick, install TrueCrypt on your second machine and use the spreadsheet to update Firefox’s Password Manager there too.
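Steps 2 and 4 above (audit the accounts, then give each one its own random ten-character password) as an added example that is not part of the original post. It uses Python’s `secrets` module in place of GRC’s Password Generator, and the account list and passwords are constructed placeholders; the `reuse_groups` report shows why the old “five passwords for 54 accounts” setup was a problem: one leaked password exposes every account in its group.

```python
import math
import secrets
import string

# Constructed sample audit (placeholder values): a few accounts sharing
# passwords, as the post describes before the change.
SAMPLE_AUDIT = {
    "bank": "pw-one",
    "email": "pw-one",
    "ebay": "pw-two",
    "paypal": "pw-two",
    "amazon": "pw-three",
}

# 94 printable ASCII characters (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def reuse_groups(audit):
    """Map each reused password to the accounts that share it."""
    groups = {}
    for account, password in audit.items():
        groups.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in groups.items() if len(accts) > 1}


def worst_blast_radius(audit):
    """Accounts that fall if the single most-reused password leaks."""
    groups = reuse_groups(audit)
    return max(len(a) for a in groups.values()) if groups else 1


def random_password(length=10, alphabet=ALPHABET):
    """CSPRNG-backed random password (stand-in for the GRC generator)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length=10, alphabet=ALPHABET):
    """Strength of a uniformly random password over this alphabet."""
    return length * math.log2(len(alphabet))


def rotate_all(audit, length=10):
    """Step 4 of the post: a fresh, unique random password per account."""
    new, seen = {}, set()
    for account in audit:
        pw = random_password(length)
        while pw in seen:  # astronomically unlikely, but keep them unique
            pw = random_password(length)
        seen.add(pw)
        new[account] = pw
    return new
```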

OK, “perfect” is stretching it a bit; however, it’s damn near perfect for my use.

Pros
Different password for every account (nice security policy to have)
Platform independent (use it across your Macs, Linux and Windows boxes)
Encrypted when the container is unmounted (AES-256 Rijndael cipher)
Fully portable (use it at home and at work)
Fully open-source (if you use OpenOffice in place of Excel)

Cons
Don’t forget the password to the TrueCrypt container or you’ll have your very own version of Deliverance (up the creek without a paddle, so to speak)
Unless you run TrueCrypt in ‘traveller mode’ you’ll need to have TrueCrypt installed to access your password spreadsheet. This is not a problem for me, as I won’t access anything online that requires a log-in when I’m on a public or stranger’s machine.
Don’t have multiple versions of the same spreadsheet or you’ll have problems. One spreadsheet only. Move it, don’t copy it. Or, as I do, use a USB stick and don’t keep copies on your local machines. You can keep a backup (or the original if you wish) online, because it’s very strongly encrypted in the event it does fall into the hands of others.

Remember, no system can be 100% secure and devoid of risk. It’s a question of managing risk vs. convenience. My process is secure enough for me whilst remaining convenient. It may not be secure enough for your purposes.

Comments?


Comments

Hi James

Have you tried this instead of the encrypted spreadsheet, a portable password keeper that is encrypted?

http://portableapps.com/apps/utilities/keepass_portable

The other features are interesting and I will be adopting some of them.

Regards
Andrew

Hi Andrew,

Thanks for your suggestion; no, I hadn’t seen it. I’ll check it out.

Actually, I was considering IronKey. It’s recommended by Steve Gibson in episode 135 of SecurityNow. I’m a big fan of Steve Gibson; if he thinks it’s secure then it’s about as secure as anything available.
