Secret Word or String

This morning I find myself determined to write a blog post. I’ve been up since 7, working on ManaNation, and as I finished a small (but important) WordPress tweak I felt compelled to blog.

So after I tried to log into this WordPress site using the standard array of passwords, I went digging through my email. Sure enough, there had been a password reset at some point, for some reason, so I had to use that to get in.

Enough stupid monotony for you?

Well, it is passwords I want to discuss. After the Gawker database was hacked, I went through a fairly sizable security rehash and started using a password storage system. To some it seems paranoid and a waste of time as I fumble for passwords; to others it seems a little over the top (usually when they see my 128-bit password get copied and pasted into the login field).

But I regard it as smart security in the modern age.

No, I’m obviously not a hacker target. I agree with you there. But I’m also not a car-jacking / house-robbing / identity-thieving target either. Being a target is not part of this equation. If I waited until I was a target, it would likely be too late.

So I use the open source KeePass app, storing the encrypted file in my Dropbox so that I am able to access it from my phone. This is a new piece of technology and is still proving troublesome, as I have had a few failed attempts to get the file open.

I think my biggest regret in this process was changing the secure passwords I already knew. I used a password for my online banking which was, for all intents and purposes, secure. It was alpha-numeric, with mixed case, and symbols included. I had it memorized so I was able to use it for logging in via my phone. But when I went through and did a massive rehash of passwords, I felt compelled to change it.

It hadn’t been compromised. It wasn’t a weak password. I had simply been using it and decided it was time to change.

There are cases to be made for rotating passwords, such as in corporate settings. The longer a password stays in effect, the longer a hacker who has obtained it may have access to your systems; once it is changed, the hacker has to get in another way. But when it comes to something like banking, a secure password should be a secure password. Until there is proof of intrusion, you don’t really need to rotate it.

I made a very smart decision a few years ago: I have standard passwords I use on the web, four or five pass-phrases which I try when logging in and can’t remember what the password is. However, I use one password for logging into my email, and only for that. In some ways, your email is more critical to your online security than anything else. It’s the castle: if a hacker gains control of your email, he gains control of your digital life.

So when the Gawker database was hacked, I was only mildly affected. My email was secure; it was all the ancillary logins which mattered, things like online stores, services like Rdio.com, etc.

The password storage system is both useful and annoying. I use absurdly strong encryption and a comedically long password to get to it, all to protect about 20 passwords which are used occasionally. It’s like carrying a comedically large key ring, and keeping an encrypted guide book to help me find the right key.

And there we have it, a meandering, kind-of-on-topic, blog post about passwords. But hey, it’s a blog post!

Comments

  1. Rachel says:

    What iPhone app are you using for KeePass and Dropbox? I’m using MyKeePass but I don’t think it can access a private Dropbox folder.

    I started using two-factor authentication for Gmail. I feel like a secret agent now.

    • Trick says:

      I’m using the Android apps for both. And I have to download the password file to the phone off of my Dropbox, so it is only accessing a local copy of it.