safely managing passwords

The first in a series of posts to support family in moving to safer information management practices.

Identity theft is hard to recover from. Banks, governments... they really don't care if someone gets hold of enough information about you to create credit cards and bank accounts in your name. If that happens, you are kinda on your own, and (if things went poorly), you're broke.

How risky is this? If you are my parents, you’ve already been caught in (at least) 3 different data breaches. (Six, for my dad.) I discovered this by using the website https://haveibeenpwned.com/. I entered their email addresses, and haveibeenpwned tells me what breaches their email addresses appear in.

Nifty.

Does that mean passwords were lost? No... maybe... well... in some cases, yes. This is only a concern if you reuse passwords, or generally have insecure passwords. How do you know if your password is insecure? One way would be to go to the UIC Password Strength Tester and try out a few of your passwords. (NOTE: NEVER ENTER YOUR PASSWORD INTO A RANDOM SITE. This is one I trust, but still, you have been warned.) If UIC says your password is anything less than very strong, I'd say you have a problem.

Passwords I rely on (and remember) have 30-40 characters because they are a combination of memorable words, phrases, numbers, and symbols, in a mix of lower and uppercase. However, I have given up on remembering most of my passwords, and instead use a password manager. This is a tool that remembers my passwords for me. This way, I remember one really good password, and I let it 1) generate and 2) remember lots of insanely good passwords on my behalf.

using bitwarden

Let’s look at using Bitwarden, an open source password manager.

First, go to bitwarden.com.

Click “Get Started,” and create an account. (Or, you may have been sent an invite via email. If so, use that.)

For the master password, you need to pick something secure. That means:

  1. Never previously used.
  2. Long.
  3. Mix of numbers, letters, and symbols.

To start, you could go to https://diceware.dmuth.org/. This gives you an example of what a passphrase looks like. You might pick five words of your own, or use a couple of runs from this to pick a collection of words.

There you go. You have a difficult-to-hack, nearly impossible to guess, reasonably secure password. Write it down, keep it safe, and use that as your master password for Bitwarden. You will, over time, memorize this password. Why? Because, if you are doing things correctly, this will be the only password that you keep in your head.
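To show why five Diceware words make a strong master password, here is the method worked through in code. This is an added example, not code from the original post or from the diceware.dmuth.org site: the word list below is a constructed stand-in for the real 7776-word Diceware list, and the helper names are my own.

```python
import math
import secrets

# Constructed stand-in for a Diceware word list. The real list has 6**5 = 7776
# words, one for every possible roll of five six-sided dice; this short sample
# only demonstrates the mechanism and must NOT be used for a real passphrase.
SAMPLE_WORDLIST = [
    "apple", "harbor", "velvet", "copper", "meadow", "glacier",
    "ticket", "lantern", "pickle", "orbit", "saddle", "walnut",
]

DICEWARE_LIST_SIZE = 6 ** 5  # size of the real Diceware list (7776)


def roll_diceware_key() -> str:
    """Return a five-digit Diceware key such as '34561'.

    Each digit is one fair d6 roll drawn from the OS CSPRNG (secrets), which is
    what a physical die gives you; the key indexes a word in the full list.
    """
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def generate_passphrase(words: int = 5, wordlist=SAMPLE_WORDLIST) -> str:
    """Pick `words` entries uniformly at random from `wordlist`, separated by spaces.

    secrets.choice is used instead of random.choice because the latter is a
    predictable PRNG and unsuitable for anything password-related.
    """
    if words < 1:
        raise ValueError("a passphrase needs at least one word")
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase with `words` words drawn uniformly from `list_size`.

    Each word contributes log2(list_size) bits, so the total is linear in the
    word count: this is why adding a sixth word helps far more than adding a
    digit or a symbol to one word.
    """
    return words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of words whose combined entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("sample dice key:", roll_diceware_key())
    print("sample passphrase (demo list only):", generate_passphrase(5))
    for n in (4, 5, 6, 7):
        print(f"{n} words from the real list: {passphrase_entropy_bits(n):.1f} bits")
    print("words for 80 bits:", words_needed(80))
```

Five words from the real list give about 64.6 bits of entropy, and seven words pass 90 bits; the number is the same no matter which words came up, so an attacker gains nothing from knowing you used Diceware. What matters is that the words were chosen at random (dice or a CSPRNG), not picked by hand, and that the passphrase is never reused anywhere else.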

just in case…

It may not need to be emphasized, but:

  1. Don’t use this password anywhere else. If you use a password in multiple places, then that means there are multiple places that, when hacked, can lose your password for you.
  2. Write it down, if you have to. However, if you’re going to do that, be consistent about it. What does that mean? Don’t write it on a ducking sticky note and lose it. Pick a small notebook, and treat that notebook like it is the holiest of holies. Never lose the goddamn thing. It’s your backup brain.
  3. Don’t lose this password. Don’t forget this password. Don’t forget what notebook you wrote it in. This is about to become the key to your entire digital life. Your passwords are your only defense against losing your phone, bank accounts, retirement… you name it, you can lose it to a good scammer.

So. ‘Nuff said.

one final note…

You can, if you want, choose not to use a password manager. It is a reasonable choice. But, if you make that choice, you really, really need to develop a good religious practice around maintaining a password notebook or similar. It can’t be half-assed or ducked up in some way.

There are three reasons to use a password manager:

  1. It can log into websites automatically for you.
  2. It can generate really random, secure passwords for you.
  3. Next of kin.

With a password manager, you can designate next of kin. This way, if something happens to you, your spouse/family is not screwed. In my case, there are digital systems all over the place (bank accounts, photo archives, etc.) that only I can access. It is very, very hard to convince these places to update/cancel an account once you are dead. Sometimes, they don’t or won’t. It is a part of our digital society that we have not yet addressed.

I have moved many things into my password manager so that my spouse can, if I get hit by a bus, actually take care of closing out credit cards, managing bank accounts, and so on.

You could just use the diceware password generator, and put all your passwords in a single notebook. This has a few problems:

  1. Fire.
  2. Theft.
  3. Forgetfulness.

If you don’t keep that notebook up to date, then everyone is screwed. If it burns, you’re screwed. If it is stolen, you’re screwed again. So, while you can just use something like diceware to generate passwords for everything, it probably is better to have one password for the password manager, and then we’ll use tools built into it to generate all your other passwords. (Which is the subject of a later post as well…)

for next time

At this point, you have a Bitwarden account, but you’re not sure what to do with it. That will be the topic of the next post.