Wednesday, June 13, 2012

Password Security - Tying it all together

Previously I listed the different categories of passwords I have.  Prior to that I talked about how programs like KeePass and LastPass are great for storing passwords, and how the password manager built into your web browser is convenient but has flawed security.  Now it's time to tie it all together and talk about the new password scheme I have implemented to protect me and my privacy on the Internet.

First, I decided each and every site will get a unique password - no more shared passwords.  I don't want a compromised password at one site compromising any other sites.  Second, each password (with a few notable exceptions) will be a long, complex password that is difficult to remember.  When I say long, complex passwords, I mean something like "f2FQumZoxwP64qMgy2v1".  All of these long, complex passwords will be stored in KeePass, so I don't have to try to remember them.  And even though the password manager built into the web browser has proven weaknesses, I will still use it for some passwords because of its convenience.  I want to keep as few passwords in the web browser's password manager as possible, so that if it is compromised I have limited exposure.  So I will only put a password into the web browser's password manager if A) I've deemed that site to be a low security risk and B) it's a site I access frequently.  In all other instances I will manually copy the password from KeePass into the browser.

So here's how this scheme affects the categories I previously discussed:

Banking
Banking and financial sites are considered high security.  So they will get the longest, most complex passwords, none of which will ever get stored in the browser's password manager.  When I do need to log in I will copy the password from KeePass.

Online Stores
Just like above, long, complex passwords that I will not store in the web browser.  I will copy them from KeePass any time I want to order something.

Utilities
Utilities will be treated the same: long, complex passwords that I will not store in the web browser.  Since I only log in monthly, I will copy them from KeePass any time I pay a bill.

Email
Email is the fly in the ointment, if you will.  I want a really long, complex password because I consider the info in my email to be sensitive, but I want to be able to check my email from any computer, which means I need to be able to remember my password.  So I've gone with the longest, most complex password that I was able to remember.  Most of the time I check my email using Thunderbird, which handles passwords for me.  So I only need to remember the password for checking email from a strange computer.

Social media
These sites will get medium-length complex passwords.  I don't use social media that often, so when I do I will manually copy my passwords from KeePass.

Work
Work sites I only access from work (surprise surprise).  And the data stored there isn't very sensitive.  I will still use medium-length complex passwords, but I will allow the web browser's password manager to remember them.

Forums and everything else
And finally, the bulk of my accounts.  I will use medium-length complex passwords for all of them.  If I access the site frequently I'll allow the web browser's password manager to remember them; otherwise I'll copy them manually from KeePass.


So that's my new password scheme.  All complex and unique passwords, with the exception of the email password, which I need to be able to remember.  Most of these passwords are stored only in KeePass; the browser is only allowed to remember passwords for low-risk but frequently used sites.  Yes, this new scheme is less convenient.  But it protects me better in the event a password is compromised in the future.
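The scheme above, written out as code (an added example, not from the original post): each category maps to a password tier, the browser is allowed only when a site is low risk AND accessed frequently, and passwords are generated from the OS CSPRNG in the same letters-and-digits alphabet as the post's "f2FQumZoxwP64qMgy2v1". The medium length (12) and the category names are my assumptions; the long length (20) matches the post's example.

```python
import math
import secrets
import string

# Same character class as the post's example password "f2FQumZoxwP64qMgy2v1".
ALPHABET = string.ascii_letters + string.digits

# Tier lengths: 20 is the length of the post's example; 12 for "medium" is an assumption.
TIER_LENGTH = {"high": 20, "medium": 12}

# Category -> tier, following the post's categories (names are assumed).
CATEGORY_TIER = {
    "banking": "high", "store": "high", "utility": "high",
    "social": "medium", "work": "medium", "forum": "medium",
}
# Categories the post treats as low risk, and therefore browser-eligible.
LOW_RISK = {"work", "forum"}


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def generate_password(length: int) -> str:
    """Uniformly random password; retry until it contains a lower, upper and digit."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def plan(category: str, accessed_frequently: bool) -> dict:
    """Apply the post's rules: tier by category; browser only if low risk AND frequent."""
    if category == "email":
        # The post's one exception: chosen by hand so it can be remembered anywhere.
        return {"store": "memorized", "password": None}
    length = TIER_LENGTH[CATEGORY_TIER[category]]
    in_browser = category in LOW_RISK and accessed_frequently
    return {
        "length": length,
        "entropy_bits": round(entropy_bits(length), 1),
        "store": "KeePass + browser" if in_browser else "KeePass only",
        "password": generate_password(length),
    }


if __name__ == "__main__":
    for cat, freq in [("banking", True), ("forum", True), ("forum", False), ("email", True)]:
        print(cat, freq, plan(cat, freq))
```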
