anglepoised

Security, passwords and whatnot


I’ve been slightly concerned about my rather lax security habits for a year or so. My state escalated from ‘slightly concerned’ to ‘mildly freaked out’ after reading about the recent LinkedIn and Last.fm breaches. Now feels like a good time to sort this.

My worst security habit is the common one of using the same password for multiple services (and generally pretty simple passwords at that). This is, of course, a terrible idea.

I realised I should make some changes to avoid sleepless nights and am putting my notes here in case they’re of use to anyone else (although please remember that I’m about as far from being a security expert as it’s possible to be).

If you spot any glaring (or, indeed, subtle) holes in anything I’ve written here, please shout.

The tl;dr:

Two-factor authentication

I set up two-factor (sometimes two-step) authentication on my Google Apps account a few months ago. It’s not a universal panacea for your password woes and using it in practice is a mild pain in the arse but it’s worth the hassle.

If you have a Google (either standard or Apps) account, consider enabling it. Here’s an advocacy piece and guide from Jeff Atwood.

The phone and SMS verification methods feel dodgy (borne out somewhat by this sorry tale). I’m using the iOS version of the authenticator app instead and have created some back-up codes for emergencies.

I’ve also configured LastPass to work with Google’s two-step system. This feels a bit like having all my security eggs in one basket (like all sane people I worry about my Google account getting suspended) so at some point I may change to one of the other authentication methods LastPass allows.

I’ll enable two-factor authentication on any other services that start supporting it.

Passwords

There are plenty of options for password management, including 1Password, KeePass and LastPass.

I went with LastPass because it has handy iOS apps, supports two-factor authentication and has a nice in-browser workflow. The Pro version is $12 a year and is required to use the mobile apps.

I’m using a two-pronged strategy for passwords:

I created a free account with LastPass a few months ago, installed the browser extension in Chrome and Firefox and have used it to record passwords I actually own and use and create passwords for any new accounts. I hadn’t bothered changing any old passwords until now.

I then took the following steps:

Local machine security

The main admin user password on my Mac has been changed to a correcthorsebatterystaple style one. This is probably the most irritating thing in the world. The action of logging in is so hardwired that it’ll take weeks to adjust. Has to be done, though.

A few other notes on local security:

Client password security

Clients (in the pay-the-bills sense) can sometimes be a little disorganised and the temptation is to create passwords that are easier for them to remember. However, I’ve decided that overall security is more important than their convenience, so I’m setting up any web-based accounts I create for clients with my standard randomly generated 20-character password and sending it to them via the LastPass sharing system when possible.

Of course, I could just ask them to set up their own accounts. That’d probably be easier.

There are some situations where this doesn’t work or isn’t as clean. If I need a password for a staging server or something similar, I generate it automatically with a script on my local machine using pwgen. There are alternative programs (openssl is a strong one, being available on most systems) but pwgen has some useful flags and is easily installed via Homebrew. Presuming you’re using OS X and have Homebrew installed already, you can get pwgen up and running with:

$ brew install pwgen

A random 20-character password can then be generated with the following (-s makes it fully random rather than pronounceable, -B leaves out easily confused characters such as 0 and O, and the trailing 1 asks for a single password):

$ pwgen -Bs 20 1

SSH

Using usernames and passwords for SSH is another one of my lazy habits. Using SSH keys and passphrases is generally considered a more secure option. Try GitHub’s Working with SSH-Key passphrases.

If you’re a Webfaction customer, try their Using SSH-Keys Guide.

My thanks to James for giving this post a quick once-over. Any remaining errors are of course entirely down to me.