After reading this article, I went and changed all of my passwords. I usually read security articles like this and skim over them…feeling a bit bummed that it happened, but not really taking it seriously. This one was bad. Take these few highlighted quotes from the early part of the article:
In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter.
But this is more interesting, as he explains the path that led to the hacking.
But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.
What ends up being revealed from this article is that this was a social engineering attack. It wasn’t really a “technical” vulnerability… it was how the customer support representatives gave up information that allowed others to recover sensitive information on another site. But what struck me the most as the biggest problem (and illuminated in that first quote) was that all of the accounts were tightly coupled.
Before I read this article, I basically had two passwords. I would guess that many of you reading this also have a small number of passwords that you use on every site. I had one “secure” password that I would use on a small number of sites I trusted, and an “insecure” password I would use on sites I was skeptical of. This is not a very good strategy. The problem here is essentially very similar to that in the article–all of my accounts are tied together. If one insecure site was hacked, then my password for most sites on the internet was released. If one of my secure sites was hacked, then my password for all of my important sites was leaked. Either way, not a very good scenario.
Security vs. Convenience
The essential tradeoff at stake here is security versus convenience. On one side of the spectrum is the most convenient option, which is having one simple password that you use for everything, and this is the most insecure. On the other end of the spectrum is using a password manager like 1Password… but then you don’t even know any of your passwords, and you can’t log in on a computer that isn’t your own without a browser extension or a clunky iPhone app.
I tried a password manager for a bit, but it was too inconvenient for me. I am looking for a balance between security and convenience–the convenience I want is to be able to know my own passwords! I remember I had a password manager storing my password for my bank, and I wasn’t able to log in from my phone.
Here is a new way to manage your passwords, and this is what I am doing now. I am using rule-based passwords. Rule-based passwords mean every site has a unique and “strong” password, but it is extremely unlikely for one leaked password to compromise all of your passwords. Yes, a hacker could in theory try to figure out your rule, but this is extremely unlikely considering you can have any rule you want, and that most password leaking would operate on a scale where it is not time-effective for a hacker to look at each password individually.
Essentially, my online presence is orders of magnitude more secure since all of my passwords are different. In my opinion, this is better and effectively as secure as having 30 character passwords I don’t know. (The weak point right now is Gmail, and I am using two-factor authentication for that.)
How to Make a Rule-Based Password
1. Pick some base word. It doesn’t have to be an English word; it could be an acronym.
2. Add several numbers (this helps satisfy password rules).
3. Construct a rule based on the site name. It could be something like the 2nd and 4th letters of the site name, or the last letter and the number of letters… anything as weird as you would like. A more confusing rule is not helping you that much… the biggest gain is having any way to separate your passwords. Use these letters in caps.
For example, let’s say my word was “eraser”, my numbers were “931” and my rule was the 2nd and 4th letters. Then my Facebook password would be:
My Twitter password could be:
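To make the three steps concrete, here is a small Python script that derives a password from a base word, some digits and a site-name rule. It is an added example, not code from the post; the post never states in which order the three parts are joined, so the order base word + digits + rule letters is an assumption, as is lower-casing the site name before the rule reads it. It implements both rules the post suggests (2nd and 4th letters; last letter plus letter count) and adds one check a practitioner wants before adopting a rule: which site names in a list map to the same password, since two sites that agree at the positions the rule reads end up sharing one.

```python
"""Rule-based password derivation, as an illustration of the scheme in the post.
Not the author's code. Assumption: parts are joined as base + digits + rule(site)."""
from collections import defaultdict
from typing import Callable, Dict, List


def second_and_fourth(site: str) -> str:
    """The post's example rule: the 2nd and 4th letters of the site name, in caps."""
    if len(site) < 4:
        raise ValueError(f"site name {site!r} is shorter than four letters")
    return (site[1] + site[3]).upper()


def last_letter_and_length(site: str) -> str:
    """The post's other suggested rule: last letter (caps) plus the number of letters."""
    if not site:
        raise ValueError("empty site name")
    return site[-1].upper() + str(len(site))


def rule_password(base: str, digits: str, site: str,
                  rule: Callable[[str], str] = second_and_fourth) -> str:
    """Derive the per-site password: base word, then digits, then the rule output.

    Assumption (not stated in the post): the site name is lower-cased first and
    the three parts are simply concatenated in this order.
    """
    return base + digits + rule(site.lower())


def find_collisions(base: str, digits: str, sites: List[str],
                    rule: Callable[[str], str] = second_and_fourth) -> Dict[str, List[str]]:
    """Map each derived password shared by more than one site to those sites.

    Sites whose names agree at the positions the rule reads get the same
    password, so a leak at one of them covers the other as well.
    """
    seen: Dict[str, List[str]] = defaultdict(list)
    for site in sites:
        seen[rule_password(base, digits, site, rule)].append(site)
    return {pw: names for pw, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample: the post's base word and digits plus a few site names.
    SITES = ["facebook", "twitter", "amazon", "apple", "gmail", "twitch"]
    for site in SITES:
        print(f"{site:10s} -> {rule_password('eraser', '931', site)}")
    print("collisions (2nd+4th): ", find_collisions("eraser", "931", SITES))
    print("collisions (last+len):",
          find_collisions("eraser", "931", SITES, last_letter_and_length))
```

With the post's own rule, "twitter" and "twitch" both yield the letters WT and so share a password, while the last-letter-plus-length rule keeps all six sample sites distinct; running the collision check over your own list of sites is a quick way to see how much separation a given rule actually buys.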
I’m telling you… this scheme is better than the two passwords you are using on every site. And I’m telling you… it’s way more convenient than a password manager. That paranoia is not helping you very much.
So that is my recommendation on how to improve your passwords. Have other ideas? Let me know in the comments. What other ways can you have strong passwords that you can remember?