2013 - 2016 alt concepts inc.
Read Me First
Welcome to Take Control of Your Passwords, Second Edition, version 2.0, published in March 2016 by TidBITS Publishing Inc. This book was written by Joe Kissell and edited by Kelly Turner.
Passwords are an irritating fact of modern life. It's tricky to create and remember good ones, but dangerous to use simple ones (or reuse a password in multiple places). This book helps you overcome these problems with a sensible, stress-free strategy for password security.
If you want to share this ebook with a friend, we ask that you do so as you would with a physical book: lend it for a quick look, but ask your friend to buy a copy for careful reading or reference. Also, you can .
Copyright 2016, alt concepts inc. All rights reserved.
Updates and More
You can access extras related to this ebook on the Web (use the link in , near the end; it's available only to purchasers). On the ebook's Take Control Extras page, you can:
- Download any available new version of the ebook for free, or buy any subsequent edition at a discount.
- Download various formats, including PDF, EPUB, and Mobipocket. (Learn about reading on mobile devices on our Device Advice page.)
- Read the ebook's blog. You may find new tips or information, as well as a link to an author interview.
If you bought this ebook from the Take Control Web site, it has been added to your account, where you can download it in other formats and access any future updates. However, if you bought this ebook elsewhere, you can add it to your account manually; see .
Basics
Be aware of the following:
- Credentials: I frequently use the term credentials as a compact way of saying the combination of your username and password. In some cases, additional pieces of information, such as your ZIP code or the answers to security questions, may be considered part of your credentials; it's whatever a site or service needs to reliably identify you as the authorized user of a given account.
- Authentication: The act of proving your identity to a computer system, typically by entering your credentials and having them confirmed as matching the previously stored record, is called authentication. I use that term a number of times in this book, so I want to make sure you're familiar with it.
What's New in the Second Edition
Version 2.0 of this book is a major new edition, with updated information and advice that reflects the state of technology in early 2016 and adds extensive details about a variety of increasingly popular products and services. Some of the interesting changes are:
- In that some people hope will eventually supplant today's way of using passwords as a primary means of authentication
- Updated and significantly improved the accuracy of , which explains the factors determining how likely (or unlikely) a password is to be guessed
- Greatly expanded the topic
- Added a sidebar explaining why simple passwords are always a bad idea, even for accounts that don't apparently protect any sensitive data; see
- Significantly expanded the chapter :
- In
- Updated and expanded the discussions of , both of which have changed markedly since the previous edition of this book
- Added descriptions of ) explaining why I don't cover KeePassX or oneSafe
- In , added information about Apple's new two-factor authentication system and using two-step verification with Dropbox, Facebook, Microsoft, and Twitter accounts
- Added to help interested readers determine the entropy of passwords they create and understand why such calculations frequently vary
Introduction
Think of a card, any card. Now, keep that card in mind and think of another. Repeat until you've picked twelve cards, but make sure your selection includes all four suits, at least one ace and one face card, and no two instances of the same card. Remember the whole set, because I'm going to ask you again tomorrow...
I'm joking, of course. But have you ever noticed that when magicians pull someone out of an audience to help with a trick, they never make such complicated requests? It's not reasonable to ask someone to create a meaningless string of numbers and letters, remember it indefinitely, and produce it on demand.
But Web sites, banks, and network administrators make exactly that request of us almost daily. Want to buy something online? Sure, but you need more than a credit card: you usually need a password too. Sync this data with the cloud, sign up for that free service, manage your utilities or PTA schedule online? No problem, but you must have a password for that. Make sure it's between 10 and 14 characters, contains upper- and lowercase letters, at least one digit, at least one punctuation character, and doesn't have any repeated strings. Oh yeah, and don't even think about using a word that might be found in a dictionary or reusing a password you used anywhere else.
Are you kidding me? This is madness. Coming up with unique, random passwords all the time, remembering them, and producing them reliably is not the sort of task the human brain is cut out for.
Faced with this difficult and increasingly absurd task, people naturally tend to look for shortcuts their brains can handle. They pick easy passwords, like their kids' names or patterns of keys on the keyboard. Even if they go to the effort of creating something more complex, they use the same password everywhere, because then they have only one thing to remember instead of hundreds.
Speaking as a fellow human being, I don't blame anyone for taking the easy way out. You might try to come up with clever, random-looking passwords the first few times, but once your list of password-protected accounts grows into the dozens, and then the hundreds, it's not plausible to keep following the rules.
However, speaking as a technologist who has spent lots of time researching and thinking about security, I'm terrified for people who do this. I know how easy it is to guess, crack, or otherwise uncover someone's passwords, because I've done it myself. And people with far greater skills and resources than mine spend all day, every day doing the same thing, not for legitimate security research but to steal money and secrets, to cause mischief, or to show off.
Every couple of months I read about another high-profile case in which millions of passwords are leaked, hacked, or stolen. And then I look at that list of now-public passwords and shake my head when I see that thousands of folks thought "password" was a pretty good password! I understand why they did it; they were only trying to manage an unmanageable problem, but I feel sorry for them, as their problems didn't end with the site that was hacked. Because these people invariably use the same password on lots of sites, many of them had money and identities stolen, private email messages read, or hate mail sent in their name. It's a big, scary deal.
Back in 2006, I wrote Take Control of Passwords in Mac OS X. In that book, I attempted to explain all the ways passwords are used on a Mac and give advice about managing them. I offered the best guidance I could at the time, based on the available facts. But when I look back at that book now, I get an uneasy feeling because anyone who took my advice then might now be living with a false sense of security. The tools for guessing passwords and breaking encryption have taken massive leaps forward in recent years, with no signs of slowing down. What was safe then may be ridiculously insecure today.