The recent launch of two-factor authentication for Google accounts inspired me to re-evaluate and improve the security of the numerous accounts I’ve accumulated in my time on the Internet.
I’ve always been cognizant of good password practices. Even my very first password on AOL in 1994, while it was rooted in a dictionary word, at least had numbers at the end of it. I’ve never been so blithe as to use “password” as a password, or use things like names and dates. All of my passwords today are what most would consider “strong” passwords — composed of letters of varying case, along with numbers, and not incorporating any dictionary words. However, my password practices could still stand to use some improvement.
My biggest fault is re-using passwords. I’m not so careless as to use the same password for everything, but I will admit that, like most people, I can’t come up with a unique password for every single site I need to register with. I use a family of passwords, which amusingly enough, are all ultimately derived from a password issued to me by Geocities in 1996. I’ve added numbers, swapped and inverted letters, changed case, shifted the pattern left and right on my keyboard, etc. But in the end, all of my accounts are secured by only a handful of passwords. And having a strong password doesn’t protect me against one of those sites being compromised and having a password which is also associated with some of my other accounts fall into nefarious hands.
The most ideal solution to all of this, for me, would be if everyone would just use OpenID already. Google is an OpenID provider, and you can use your Google account as an OpenID identity, either by using the universal endpoint:
Or, if you have a Google Profile, you can use the easier to remember URL to your profile, e.g.
Since I have enabled two-factor authentication on my Google account, by using Google as my OpenID provider, I have now gained two-factor authentication on every site which supports OpenID.
I added OpenID support to Nerdland for exactly this purpose. Now, you can just log in using any OpenID if you want to post comments. I even went so far as to track down and fix a bug in the Wordpress OpenID plugin in order to get this to work. I associated my Google OpenID with my administrator account, and then went into the Nerdland database and altered my account so that no password whatsoever would let me in to my account on the website; I will have to use my two-factor OpenID from now on. (Of course, my account on the server that hosts Nerdland is a different story, which I’ll discuss later).
Sadly, not everyone accepts OpenID for login. In fact, only a very few places (so far, mostly places geared towards techies) do. While I use it wherever possible, I still have to deal with the fact that for now, I will have many accounts that will be secured with just a password. So, what I did was sit down and think about what exactly the highest security priorities are for me. The answers were:
- Online banking
Although it may seem counter-intuitive, even sites like Amazon which I allow to store my credit card data aren’t very high on my list of security concerns. The reason is simple: credit cards have strictly limited liability for fraud. If someone gets into my Amazon account and orders hundreds of dollars in merchandise, it doesn’t really matter that much to me, relatively speaking. I call my bank, report the fraud, get a new credit card with a new number, and that’s that. On the other hand, my checking and savings accounts have no similar protection, so it’s vital that my online banking remains highly secured.
E-Mail is another can of worms. As I said, I use a family of passwords, so obtaining my password to one site only grants access to a limited subset of other sites. But if an attacker gained access to my e-mail, he or she could request password resets from every site that I have an account on, and clean house. And that’s not even to mention the potential for impersonation. Finally, Nerdland is, of course, important to me. I don’t want the website defaced, and I don’t want the server compromised and repurposed as part of a botnet. Plus, in conjunction with the last point, I receive most of my e-mail through Nerdland, and keeping e-mail secure is a priority.
So, I made the decision to keep using my family of relatively secure passwords for most low-importance sites, and focus on securing the linchpins of my online identity: banking, e-mail and Nerdland. Before you comment about it, I am aware of things like LastPass, which could help me generate a unique password for every site I visit. I’m still considering that, but the idea of installing a third-party password management add-on in every browser I use is somewhat off-putting to me.
Securing my on-line banking was simple. I was already using a unique password that was not a part of my standard password “family” and not used anywhere else, which I generated using GRC’s Perfect Passwords. I discovered that my bank offers two-factor authentication by sending an SMS to my phone, so I simply enabled that. I wish they allowed the use of an authenticator app instead of an SMS, since it’s sometimes annoying if the SMS takes several seconds to arrive, but SMS is serviceable.
Securing my e-mail took an extra step. For a long time, I had been averse to the idea of webmail. I preferred using desktop e-mail clients and downloading my mail over POP3 so that I would have a local copy of it. If ever I needed to access my mail remotely, I could always ssh back to my desktop computer and read it that way. But last year, I discovered exactly how much money it was costing me in electricity to leave my desktop computer on all day, even when I was sleeping, or at work, or on a trip. So, I began shutting down my computer when I wasn’t at home and awake, which meant that I could no longer read my personal e-mail remotely. This quickly became annoying, so, several months ago, I began importing my Nerdland e-mail into my GMail account, storing my e-mail “in the cloud”, where it is always accessible, and using GMail as my primary e-mail client.
While GMail itself was secured by the two-factor authentication that inspired this analysis, and while I was already importing my e-mail over SSL, my Nerdland e-mail was secured by just a password, and there was really no way to change that. So, in the interest of security, I generated a new, unique, and very long password, and changed the password of my account on Nerdland’s server to use that password instead. It’s not a password I’ll ever remember off the top of my head, but I won’t ever be using it directly either.
In fact, I don’t even use it to log in to Nerdland’s server. For a very long time I’ve used public key authentication for ssh sessions, largely in the interest of convenience. At one point, there were half a dozen machines that I’d ssh into every day, and using ssh-agent with an RSA key was the only thing that kept me sane. A passphrase-protected private key is in itself a form of two-factor authentication: the key is something you have, and the passphrase is something you know. I consider my private key to be the most important security mechanism I have, so my passphrase is very long, very strong, and is used only for the key itself, and as the passphrase for an encfs partition in which I store unique passwords that I can’t remember, such as the one I set on my Nerdland server account.
What I did do to improve the security of the Nerdland server was completely disable root login and password authentication. There is now no way for me to log into the Nerdland server with even that long random password I created; I must use my private key. I carry my private key on a USB drive in my pocket at all times, so this doesn’t prevent me from using a computer other than my normal desktop to access the Nerdland server should I need to. This drive also holds other important things such the access credentials to my Amazon S3 account where I keep my backups, as well as the separate RSA key that they are encypted with; that’s the main reason for carrying it all the time — if my apartment burns down while I’m away, I can at least get my files back.
Finally, since Nerdland is hosted on a VPS in the Rackspace Cloud, I had to consider securing my Rackspace account, too. I did the same thing that I did to secure the server account: generate a random, strong, unique password and store it in my encrypted partition. I don’t frequently log into my Rackspace control panel, so such a setup isn’t inconvenient for me.
But another thing I had to do with my Rackspace account is kill the “security question”. Security questions, as they are normally used, are a complete joke. Some sites, notably financial institutions, use them the right way, as “one and a half-factor” authentication when you visit the site from a computer that you haven’t used before. But many sites use security questions as a password recovery mechanism, which is terrible. If you can reset a strong password by knowing or brute-forcing the answer to a relatively a weak security question, then your account isn’t very secure at all. So I allowed my cat to walk across my keyboard to generate my security question’s answer. If I’m ever in the position where I’d need to recover my password, I’d rather just cancel my account and start a new one than have a back door like that hanging around.
Now, the vital parts of my online identity are protected:
- My banking by a strong password and posession of my cell phone
- My e-mail by a strong password and possession of my cell phone
- Nerdland by posession of my RSA private key and its strong passphrase
And now I can sleep a little better at night knowing that a database compromise at a site like joes-electronics.com that I registered to buy a cable from in 2004 won’t be able to allow someone to indirectly access my e-mail, or my server, or my bank accounts.
All that’s left is to wait for more sites to either accept OpenID or provide their own true two-factor authentication, and hope that adoption happens sooner rather than later.