The pain of passwords

This post may get a bit rambly and is kind of self-indulgent, but some might find it an interesting story. There’s a tl;dr at the bottom.

I use a password manager to manage passwords to the majority of services and websites I have accounts with. Most of these sites have unique and complex passwords that I have no hope of remembering. I like it this way.

Password managers can’t help with everything. You still need to remember the password/phrase to unlock the password manager, and the phone and/or computer you access it from. If you host the password manager’s data file on a cloud storage service, like I do, you need to remember your password to log into that too. Further, given that, in my case, my cloud storage service of choice, ownCloud, is self-hosted, I need to remember all the passwords pertaining to the server that runs that service. This includes local Linux passwords and SSH key passphrases.

Now, sure, I have a copy of the passwords on removable storage somewhere safe so I’m not dependent on all this infrastructure. But guess what? That copy is PGP-encrypted. With a passphrase. That I have to remember.

So let’s recap. The passwords I currently have to remember include:

  1. Local workstation computer password
  2. Smartphone PIN/password/pattern
  3. Password manager passphrase
  4. Cloud storage password
  5. GPG key passphrase
  6. SSH key passphrase
  7. Server login password

Now I’m going to put aside the questionable design decisions I’ve made here; I grant that I could just use a single encrypted password file on a USB key (with backups elsewhere), that I can plug into any computer I trust, and access my passwords. And that’s great for a fallback which I could easily implement, but it’s not exactly something I want to do on a day-to-day basis. Let’s say I simplified this system, though, so I wasn’t worrying about the cloud-hosting of the file. I’d still need to remember 2-3 passwords:

  1. Local workstation computer password
  2. Smartphone PIN/password/pattern
  3. Password manager passphrase

Yes, that’s better, and more manageable. Say, though, that I have multiple computers. Do I use the same passwords for all of them, or should I be a good security-conscious person and use different ones everywhere?

I will tell you right now that in the longer list of passwords above, several of those services shared a password. I hate remembering passwords, as everyone else does, so naturally, I try to remember as few as possible and put as many as possible in my password manager. It got to the point that the aforementioned shared password was one that I’ve used for a long time. By long, I mean at least 10 years. Now before you start yelling at me for being careless and insecure, in my opinion, it was a pretty good password. It was reasonably long, contained non-dictionary words and different character classes, and for the most part, the services that used it were not directly exposed to the internet, so you’d likely need possession of one of my devices to try to crack it. I had no reason to expect that it was compromised.

Monday last week, I typed that password into a group chat. You know how it is; it could happen to anybody. You see your computer screen is blank, and, given how unlikely it is that you’re within the 5-second grace period, you assume your computer is locked, so you sit down, and blindly type in your password while your screen wakes up. You hit Enter, switch to the window you want to be in, and get on with your day. Then your colleague leans over quietly and says “perhaps you want to delete that message you just posted,” and, confused, you take a look at the channel, and feel the ground fall out from under your chair.

Not just because you remember that the password you’ve been typing from muscle-memory for a decade without really thinking about can actually be interpreted as a rather juvenile set of words that your present self would never use, but also because now you’ve got a problem: you have to relearn a new password or passwords, for the machine you type the password into about 50 times daily.

Bother.

Because of the nature of passwords, ones like this one have existed since before the jury came back on what a good memorable password looked like. My general passwords that I’d drop into a password manager look something like this:

$pyf|?u?'yB7pCNW~$y:yv;Kc*^<c,%U

The length I use has increased over time, as I’ve found less occasion to have to type these manually. There’s no way I want to remember a password like this, let-alone have to type it, fingers moving all over the keyboard, hitting Shift every second character. I don’t even want to contemplate having to regularly type something like this into my smartphone.

So after some deliberation, I took a leaf out of Randall Munroe’s XKCD comic:

Pictured: A comic contrasting the struggle of memorising low-entropy passwords like “Tr0ub4dor&3” with high-entropy passwords like “correct horse battery staple” (CC BY-NC Randall Munroe, XKCD 936)

This, combined with a handy shell script, written by a past colleague, which assembles a password from several words from Linux’s /usr/share/dict/words file, gave me a password that I just had to start remembering. I quickly set the password on my laptop, while storing it in my password vault accessible from my phone (which I could access with other, different passwords that I already knew and didn’t need to change right now) for the inevitable moments I forgot it.
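The colleague’s script isn’t reproduced in the post, so here is an added example of the same idea (my code, not the author’s or the colleague’s): draw words from /usr/share/dict/words with the OS random source, and report how much entropy the result carries so the comic’s trade-off can be checked rather than assumed. The fallback word list is constructed so the example runs where no dictionary file exists; the filtering thresholds and the 95-character printable charset are my assumptions.

```python
import math
import secrets

# Constructed fallback list (not a real dictionary) so the example also runs
# on systems without /usr/share/dict/words. A list this small is far too weak
# for real use; the entropy figures below make that visible.
FALLBACK_WORDS = [
    "anchor", "basket", "candle", "desert", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "needle",
    "orbit", "pepper", "quartz", "river", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yellow", "zephyr", "bridge", "copper", "dragon",
    "forest", "glacier", "hammer", "ivory",
]


def load_words(path="/usr/share/dict/words", min_len=4, max_len=8):
    """Return a sorted list of candidate words.

    Proper nouns, possessives ("dog's") and very short or very long
    entries are dropped so every word is easy to type and remember.
    Falls back to the constructed list when the dictionary is absent.
    """
    words = set()
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            for line in fh:
                w = line.strip()
                if (w.isascii() and w.isalpha() and w.islower()
                        and min_len <= len(w) <= max_len):
                    words.add(w)
    except OSError:
        pass
    return sorted(words) if words else sorted(FALLBACK_WORDS)


def entropy_bits(list_size, n_words):
    """Entropy of n_words drawn uniformly (with replacement) from list_size words."""
    return n_words * math.log2(list_size)


def charset_entropy_bits(length, charset_size=95):
    """Entropy of a random string over a charset (95 = printable ASCII)."""
    return length * math.log2(charset_size)


def words_needed(list_size, target_bits):
    """Smallest word count that reaches target_bits from a list of list_size."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, n_words=4, sep=" "):
    """Pick n_words with the OS CSPRNG (secrets).

    random.choice is seeded from guessable state and must never be used
    for anything secret.
    """
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    words = load_words()
    print(generate_passphrase(words))
    print(f"{len(words)} candidate words -> "
          f"{entropy_bits(len(words), 4):.1f} bits for 4 words")
    print(f"32 random printable characters -> "
          f"{charset_entropy_bits(32):.1f} bits")
```

Four words from a list of a few thousand lands around 44–50 bits, well below the roughly 210 bits of the 32-character string shown above, which is exactly the trade the post is making: something a brain can hold in exchange for less headroom, so the word list size and word count are worth checking rather than guessing.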

I probably had to look it up about a dozen times, and about two dozen other times I had to sit at my computer for several seconds while I (a) typed my old password before remembering it had changed, and (b) remembered which words comprised the new one, getting it wrong the first couple of times. So all in all, it’s taken almost a week, but I think I’ve got it embedded in my memory now. I still want to have a backup of it somewhere safe in case I have a lapse of memory, but I’m pretty pleased.

There are still a couple of services that shared my old password that I haven’t changed yet (a reason I was reluctant to publish this post yet, but decided wasn’t a big deal), which I’ll do shortly, after I’m a bit more confident in my memory. My main remaining question is whether I get ambitious and try to use different passwords for each of these services. I suspect that if I leave some time between changing each one, I’ll be able to sufficiently remember them all, but it’s a bit scary to think that I could forget one of them and then be completely locked out. I will consider this further.

In summary: Passwords are hard. Brains are fallible. Computers are the worst.

Tl;dr: I typed my very old workstation password into a work chat room and had to go through the pain of choosing a method to generate and remember a new one, then change that password in all the places I used it.


Online privacy: a tale of irony and contradiction

This is the post that prompted me to start this blog a month ago.

I understand online privacy better than most. Unfortunately, privacy (and security; the two often go hand-in-hand) is often at odds with convenience. I have previously sacrificed convenience for privacy and security in many instances, because the latter two are important to me. Fair warning, this post doesn’t answer how to compromise between the above; it merely highlights my frustrations while trying to do so. Here are some of the more significant attempted compromises I’ve made, and the associated struggles:

Running free and open source software on my Android phone

I’ve had Cyanogenmod installed on my phone since shortly after I purchased it. For the past year or two, I’ve had it installed without any of the Google apps, such as the Play store, YouTube, Maps, Hangouts, Google+, and Gmail. Not having the Play store meant not being able to install any of the apps it offered. Instead, I made do with F-Droid, an app catalogue that exclusively contains free and open source apps.

This encumbered my ability to interact with other people, sites, and hardware. I couldn’t use common chat applications, some social media sites were clunky because I was limited to their mobile web page, which is often a second-class citizen to their mobile app, and I couldn’t stream to my Chromecast. Eventually, about a month ago, I caved and installed the Google apps, because the disadvantage of missing out finally outweighed the advantage of knowing with reasonable certainty that my location data, contacts, and other private phone information were safe from third parties.

Facebook

I deleted my Facebook account in 2013 after it insisted on hounding me for personal information regarding my education institutions and place of employment. Initially, it was freeing. I had more time up my sleeve, and knew that even if Facebook didn’t delete the data for my old account, they weren’t getting any new data from me (though possibly from others; see Shadow profiles).

Again, though, a couple of months ago, I’d gotten sick of the disadvantages. I’d occasionally get forgotten by people organizing events, because I wasn’t on Facebook to be invited. Many friends were difficult to get hold of because Facebook was one of their main communication media, and when I met somebody new in person and wanted to keep in touch, the first question I got was “What’s your Facebook?” My social life could be enriched, and so, with significant trepidation, I yet again forfeited my personal information to Facebook and started adding friends.

Gmail plus-addressing

I try to sign up to different sites with different email addresses (using Gmail’s plus addressing). This way, if I receive spam to a plus-address, I know which site disclosed that address (this, I admit, has never actually happened).

On January 21, a colleague and I were discussing various web services, and I mentioned that I used Gravatar, which serves up a picture for use as your avatar based on your email addresses, to any website that supports it. My colleague remarked that they were surprised that I, somebody reasonably privacy-conscious, used Gravatar. I considered this briefly. Gravatar works by asking you to supply all your email addresses, and upload one or more pictures, each of which can be associated with one or more email addresses. Then, when you sign up with one of those email addresses to a site that supports Gravatar, the site can send a request to Gravatar which includes your email address, and retrieve a picture that it can then use as your avatar or profile picture.

Gravatar is a free-as-in-beer service. They don’t charge members any money to use the service. Given this, they obviously need to make their money elsewhere, so it’s reasonable to assume they monetise their members, making members the product. Each request that a Gravatar-supporting site sends to Gravatar likely contains a referrer stating which site made the request. This means that Gravatar could collect a huge database of all the email addresses associated with a member, and all the Gravatar-supporting sites they visit, then sell this information to the highest bidder. Because some of the sites I use plus-addressing on support Gravatar, Gravatar needs to know all these addresses, making using Gravatar reckless, to say the least, because Gravatar can be used to unify my identities across all sites that support it. I signed up for Gravatar years ago, before I was quite so paranoid, so it hadn’t been subject to my now-more-stringent privacy analysis. Ironically, here I am blogging about Gravatar on a blog hosted by WordPress, who own Gravatar.

Solutions?

So how does one integrate with society while remaining reasonably private and secure? I’ve no idea, but I’m still looking, despite feeling a bit resigned to the reality that sometimes it’s all too hard.