Wednesday, December 29, 2010

New Years Resolution #2: Password Policy

They say there's a syndrome in medical school where med students become temporary hypochondriacs and think they have symptoms of every disease that they study.  Graduate school may be having a similar effect on me, but hopefully in a more productive manner.  However, it's been said that "just because you're paranoid it doesn't mean they're not out to get you" so I've decided to greatly improve my password policy in 2011.

In the past I've had 3 or 4 different passwords of varying strength that I've used for pretty much everything.  That's better than most people (most people only have 1 password for everything), but it's still pretty stupid from a security standpoint.  If one or more of those passwords were ever compromised (and trust me, I'm sure they have been at one point or another), then the attacker (or ex-girlfriend) would have access to pretty much everything they'd need to own me.  Think about how much information you have out there.  Between email, IM, facebook, twitter, banking, bills, student loans.. It's pretty scary.

In 2011 I'm adopting a new policy: unique and reasonably-secure passwords for each and every service.  I'm talking about passwords like this:
Don't use that as your password, BTW.  Since it's posted on the internet, it's no longer secure.

Having long, random passwords that are unique for each service is really the best way to protect your data.  Not don't get me wrong,  passwords suck as a form of authentication by themselves, but it's what we're stuck with for the time being, so it's best to make them as strong as possible.  A hash of the password above would not be found in a dictionary attack.  It would take an unreasonable amount of time to crack with a rainbow table or brute force method.  It is, however, very difficult to memorize a password like that for every service used.  That's where the tools come in.

By using a combination of KeePass, KeePassX, and KeePassDroid I am able to access an encrypted database of all my passwords on all of my devices.  I use Dropbox to securely sync my password database among my devices.

KeePass allows me to generate, store, and organize secure passwords for all of my services.  It also allows me to copy my passwords to the clip board, so I can log into services without having to manually type the complected passwords.  I do try to copy something else to the clip board after logging in, however, so that my password isn't lying around in memory.

Hopefully, this new system will help better secure my data in 2011.  Are there any problems with this scheme?  What is your password policy?

No comments:

Post a Comment