Personal Password Policies
As you may have already heard, I've recently taken a position at OmniTI. Big changes in my life and career usually cause me to review other parts of the same. Recently, I've been considering my personal password policies, and I thought it might be interesting to both share my conclusions, as well as to hear from my 3 remaining readers (after months of an untouched blog) what you think and if you have any of your own policies that I should adopt.
Here's the short version for the short-attention-spanned among us:
(There's also some (IMO) cool Keychain command line code at the end...)
- unique password or each site/service
- passwords should be changed every 90 days
- My Vidoop for web (exported to keychain daily (once Vidoop allows this))
- delegated OpenID whenever possible
- keychain for non-web (+time machine backups regularly)
- 8+ glyphs whenever possible
- glyph = upper + lower + nums + symbols
- ssh via RSA keypair when possible
- ssh priv escalation via user password (re-auth)
- re-gen RSA keypair annually
- mail: GPG w/1-year key expiry
- publish ssh-RSA and GPG public keys
Up until a few weeks ago, I had what I'd considered a "medium" password footprint. I've done some things right, but a lot of things wrong. I wouldn't consider it a weak footprint because I don't (e.g.) use my birthdate as my PIN, but I also wouldn't consider it a strong footprint because I was prone to using the same password on different (lower security/risk) sites. The repeated password is also composed of lowercase letters only, which means that it's relatively easy to crack, if one of my "low security" password hashes were ever to be compromised.
This realization has lead me to review some of my personal policies, and has helped me identify a few things that I need to stop doing immediately, and other things that I should start doing as soon as possible.
Keychain
Once upon a time, it might have been reasonable to expect users to create and remember passwords for their accounts, but if you ask me, that era has long passed. As technology has thrived, and systems have become more pervasive, users have had to create an impossible number of accounts on dozens or hundreds (or—for power users—maybe even in the thousands) of independent services: on web sites, email accounts, personal computers, in-home routers, printers, bank accounts, phone authentication systems (think cable/phone support) and company networks.
Everyone needs a little help, and thankfully, many of the applications we use in our daily lives will remember our passwords for us. Firefox, Safari and (I believe) IE will all remember usernames and passwords, and will each try to semi-intelligently. Our mail applications (if they're not our browsers) remember our IMAP credentials, and On the Mac, we have Keychain built into the OS as one of its core components.
I intended to write a long piece on this, but I've been intending to do so for weeks to no avail, so simply put, I'd like to know your password policies, and I'll see how I can improve mine. One of the key elements in my new strategy is a script I wrote for mac keychain called "getpw":
#!/bin/bash # no parameters spit out usage, then exit if [ -z $1 ]; then echo "Usage: $0 name [account] (or:" `basename $0` "account@name)" exit 1 fi if [ -z $2 ]; then # account not provided # check for account@name: USER=`echo -n $1 | sed -e 's/@.*//'` if [ $1 != $USER ]; then # found account@name ACCT="-a $USER" NAME=`echo -n $1 | sed -e 's/.*@//'` else # not found; ignore account ACCT='' NAME=$1 fi else ACCT="-a $2" NAME=$1 fi PW=`security -q find-generic-password $ACCT -gs $NAME 2>&1 | egrep '^password: ' | sed -e 's/^password: \"//' -e 's/\"//' | tr -d '\012'` if [ -z $PW ]; then echo password $1 not found else echo -n "$PW" | pbcopy if [ -z $2 ]; then echo password $1 copied to pasteboard else echo password $2@$1 copied to pasteboard fi fi
Basically, I do something like:
sarcasm:~ sean$ getpw sean@iconoclast password sean@iconoclast copied to pasteboard
Keychain politely asks me to unlock the keychain if necessary (via a nice GUI dialog), and voila, I've got my password in my pasteboard, ready for use. No need to remember complex passwords, and no need to ever see them (bypasses keyloggers, too).
Hope that's helpful to someone; I use it dozens of times per day.