More than just one password: Lessons from an epic hack

Penelope PitstopPenelope Pitstop Junior Member
edited August 2012 in Lounge
Another excellent blog post from Jeffrey.

There was one section of the original Mat Honan article that seems to give two more lessons but I'm not sure I fully understand them:

"I had done some pretty stupid things. Things you shouldn’t do.


I should have been regularly backing up my MacBook. Because I wasn’t doing that, if all the photos from the first year and a half of my daughter’s life are ultimately lost, I will have only myself to blame. I shouldn’t have daisy-chained two such vital accounts — my Google and my iCloud account — together. I shouldn’t have used the same e-mail prefix across multiple accounts — [email protected], [email protected], and [email protected] And I should have had a recovery address that’s only used for recovery without being tied to core services."


How do you create email accounts that aren't daisy chained?

What does he mean by a "recovery address"? Which service provider would you use because normally you must provide another email address to open a new account for validation purposes. So don't they inevitably become linked?

Comments

  • edited August 2012
    I thought the most obvious lesson from this hack was to use lots of different email addresses. If Mat had different email addresses for different accounts the hack would not have been possible. Buy a domain and forward all mail from the domain to a single account. You then use random addresses like [email protected] (best not to use addresses like [email protected]).

    1password helps here too, it will remember the email addresses for you too.
  • MikeMcFarlaneMikeMcFarlane Junior Member
    As I understood Mat's situation he had not only used a few common email addresses, but had also authorised multiple locations to be logged in/accessed with a few IDs. So whilst it might seem convenient to login everywhere with your facebook/twitter/OpenID it is probably a bad idea, better to create a login for each site.

    I use a few email addresses for different things, but in general can't be bothered to setup dedicated email addresses for every site. However having read this article on ArsTechnica http://arstechnica.com/security/2012/08/passwords-under-assault/ it seems like an upcoming task to at least ensure I have separate emails for key accounts, as well as for recovery etc. Tom's idea of buying a domain is a good one.

    But yes, in some ways accounts will always be linked, unless you don't enter a recovery email. I'm still undecided on recovery emails. Why would I forget my login credentials when I have 1password?

    Jeffrey certainly raised some good points in his article. I try to get round the issued raised by:
    1. Offsite back up obviously. I keep a few hard drives at my wifes work that she brings home on a regular basis.
    2. She has a copy of my key passwords in her 1password, and vice versa.
    3. I keep an encrypted dmg file on my server (and hence offsite backups) that contains key data inc copies of key documents. You could use Knox to create encrypted DMGs easily. I'm not very good at remembering the password for the DMG though as I rarely access it!
    4. I turned off FindMyMac on my Mac. I'm less likely to lose it than my mobile devices and at least I would always have one functioning device, that is backed up with both Time Machine and an offsite clone that is regularly updated.

    It is another thought provoking article Jeffrey, many thanks.
  • benfdcbenfdc Perspective Giving Member
    edited August 2012
    Let me join in the chorus thanking Jeff for another fine post. I especially appreciated his discussion of his own password practices. I too have been preaching the diceware gospel for master passwords to others but am only gradually putting that advice to use personally.

    Jeff mentions that he has memorized the passwords for his Dropbox account and his primary email account. I know neither of the two, but I have a LastPass account with those logins as well as a few others that I frequently wish to access when away from home. If I need a login or other info that isn't in my LastPass vault, LastPass will take me to my Dropbox and 1PasswordAnywhere. (I also periodically back up my 1Password keychain to my Palm Trēo phone using an old copy of 1Password 3.5, but that phone will be retired soon.) Also, while my wife and I don't share passwords for our personal accounts, we do keep our 1Password master passwords in sealed envelopes in our joint safe deposit box.
  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member
    Thank you all for your kind words!

    PP,

    When you sign up for a service, say Amazon, you give them an email address. That is the address that a password reset link will be sent to if you go through the password reset mechanism. What Mat is suggesting is that he have a separate email account just for those sorts of things and that nothing else is ever done with that email account. But if you use your @me.com email address for those signups, then it means that someone who gets your Apple ID password can not only do things directly with your Apple ID, but they can go and have other services reset passwords.

    Ben,

    I assume that you use a different master password for your different password managers. So while your scheme is a bit less direct (and quite a bit more complicated) you are remembering more than one password.

    We, too, have our 1Password Master passwords in a safe deposit box. There are too many things that my wife (or executor) would need.

    Cheers,

    -j
  • Penelope PitstopPenelope Pitstop Junior Member
    Thank you all for your helpful replies.

    I think I get it now. What a pain to have to maintain lots of different email addresses!
  • Penelope PitstopPenelope Pitstop Junior Member
    One of my mail service providers offers disposable email addresses. Do you think that is a suitable alternative approach instead of creating your own domain?
  • khadkhad Social Choreographer

    Team Member
    I could not be thinking too clearly about this, but I would presume that it would only be helpful if the addresses were actually separate accounts with separate passwords. If they are just forwarding addresses or aliases to your main account I'm not sure how much benefit it would bring.
  • MikeMcFarlaneMikeMcFarlane Junior Member
    I think they should be totally separate addresses too. It's a bit of a pain to setup the accounts and add in to your mail program (and devices if you want all your mail on them), but hopefully it won't need changing too often. I found this comment useful:

    [font=Verdana, Helvetica, sans-serif]in addition, I am constantly urging my friends and family to have and use at least 3 distinct and dissimilar email accounts:[/font]
    [font=Verdana, Helvetica, sans-serif]tier 1: trusted financial matters,[/font]
    [font=Verdana, Helvetica, sans-serif]tier 2: family, trusted friends, and less trusted financial dealings (most online non-bank merchants), and[/font]
    [font=Verdana, Helvetica, sans-serif]tier 3: social networks, risky online merchants, and new or unknown people.[/font]

    From the comments section at http://www.schneier.com/blog/archives/2010/11/changing_passwo.html Plus the recovery email that PP initially asked about.

    The alternative is to try to use a different logon username for each account rather than your email address as the username. But so many accounts want an email as the username so not that easy. I suppose in a way a disposable email address is similar in that each site you visit then has a unique username and password in the event of your logon details being stolen from elsewhere, but if your email account is compromised it is still game over.

    It's good to see above that a few other people have thought about their partners/spouses needing access to their info in the event of serious injury/death.
  • benfdcbenfdc Perspective Giving Member
    jpgoldberg wrote:

    Ben,

    I assume that you use a different master password for your different password managers.

    -j


    That's actually something I've been thinking about. I'm not sure why using the same master password for all of my password managers would constitute bad practice, any more than using the same user account login password on my desktop and my laptop would constitute bad practice. I don't have a security hierarchy in place, with one password manager protecting the crown jewels and another the contents of my sock drawer. My LastPass vault has a small subset of the contents of my 1Password keychain, but it's a valuable subset, so my goose would be equally well cooked if either of the two were cracked.

    1Password already forces me to reuse my master password—the same password that opens my keychain on my Mac will open 1PasswordAnywhere in my Dropbox, and it will also open the keychain on my Windows machine. If I install the browser extensions, then I'm forced to use the same password there as well. I see no clear harm in using the same master password for other password managers to which I entrust my secrets.

    Looking at this from a different angle, password reuse is bad because it means that a breach in one place makes you vulnerable elsewhere. Well, if you're using a password manager properly, a breach in one place is sandboxed unless that one place is your password manager, in which case it's game over. So that's what you have to protect, so you need the strongest master password that you can remember and use. Keeping different master passwords for different password managers seems to me to be pain without gain.

    —Ben F
  • khadkhad Social Choreographer

    Team Member
    edited August 2012
    I'm not sure why using the same master password for all of my password managers would constitute bad practice, any more than using the same user account login password on my desktop and my laptop would constitute bad practice.

    Your 1Password Master Password grants access to a single data file which is accessible in various ways. It decrypts the same data, so it is not "reuse" in any sense of the word. Accessing a the data from various locations (Dropbox, Mac, Windows) doesn't change the fact that the decryption password is for that specific data no matter where it is made available to you.

    Reusing a password between your desktop and laptop is a bad practice (presuming you are using whole disk encryption so the password isn't just for show). The idea is to not reuse a password that protects different data. I suppose if you were keeping the data on the two machines 100% in sync then using the same password would not decrease the security in any way, but I don't know anyone who does that. It sounds like a pain to me. :)

    …password reuse is bad because it means that a breach in one place makes you vulnerable elsewhere.

    Precisely.

    [font=helvetica, arial, sans-serif]Keeping different master passwords for different password managers seems to me to be pain without gain.[/font]

    Only if the data is identical. The "gain" is protecting whatever you have in one that is not available in the other. If you only store a a small amount of data in one and that's the one that is exploited, then the data in the other is still protected if you use strong, memorable, and unique passwords. If you reused the password, then it is indeed "game over."

    It is no different than reusing password anywhere else.
  • benfdcbenfdc Perspective Giving Member
    Khad—

    You are ignoring the cost of having to maintain, remember, and differentiate among a collection of strong pass phrases. If the data being protected is heavily overlapping and of equivalent importance, I think that the marginal risk of reusing a master "password locker" password among one's personal lockers is outweighed by the benefits of simplification.

    My thinking is partly influenced by the fact that both 1Password and LastPass are engineered to protect my password well (e.g., both make use of PBKDF2).

    I have come to the conclusion, though, that my Mac login password is too weak, partly because it also unlocks my Apple login.keychain and partly because it's the same as one of my Windows login passwords, and Windows is notorious for not protecting those passwords very well. I can and should change my Mac login password, but I'm also considering changing the password to my login.keychain to match my 1Password master password. After all, my email account passwords, which are of critical importance to identity theft, are in both places!

    Even now, though, my passwords are stronger than some!
This discussion has been closed.