Security against data theft
Well, for this I only have the following ideas (which I use myself):
General rules
- Never use a password in two different places.
- Never use guessable passwords.
- Never use the "remember password" option, unless it is implemented on the provider side only (that way, theft on your side cannot expose all your passwords). Things like "Wand" etc. are inherently insecure.
- Never use poorly designed helpers like Pageant, unless you know what you are doing. (Programs like Pageant do not ask you each time the key they hold is used to authenticate. This is like not locking your door and not caring about others entering your rooms, without you even being able to know they were there.)
Passwords
Passwords which are plain text are guessable, even if they only consist of a bunch of letters unrelated to each other. This is because you do not know all the words which exist out there, so you cannot be sure that your "random letters" are not some known word in another language (there are weird languages out there, really).
A good plan is:
- Take two words.
- Tweak some letters of those words, like reversing one word, replacing one letter with another one, removing some letters.
- Glue these two words together.
- Add some CAPS if the algorithm supports that (some are designed such that lower and upper case are the same).
- Add numbers and other special characters (which are supported) somewhere in this password.
Another plan is:
- Use an "auto generate" feature of your Password Safe.
- Change some characters of this generated password.
Good passwords are 8 to 12 characters long.
I have over 1000 passwords of this type.
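As an added example (not code from the original page), the two plans above in Python: `two_word_password` walks plan one with fixed, deterministic tweaks so each step is visible; `generate_password` and `tweak` implement plan two using the operating system's random source; and `check_password` tests a result against the rules stated here (8 to 12 characters, caps, digits, specials, and no known word embedded in it). The function names and the tiny `KNOWN_WORDS` list are constructed for this illustration.

```python
import secrets
import string

# Constructed stand-in for "the words you do not know" that the page warns about;
# a real checker would use a large, multi-language word list.
KNOWN_WORDS = {"paint", "wall", "green", "open", "dive", "einstein", "password", "secret"}

SPECIALS = "!#$%&*+-=?@_"
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def check_password(password: str) -> dict:
    """Apply the page's rules: 8..12 characters, upper and lower case, a digit,
    a special character, and no known word embedded anywhere in it."""
    lowered = password.lower()
    result = {
        "length": 8 <= len(password) <= 12,
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIALS for c in password),
        "no_known_word": not any(word in lowered for word in KNOWN_WORDS),
    }
    result["ok"] = all(result.values())
    return result


def two_word_password(word1: str, word2: str, digits: str = "42", special: str = "#") -> str:
    """Plan one, made deterministic so the steps are visible:
    tweak (drop every third letter of word1; reverse word2 and swap its first 'e' for 'i'),
    glue the two, add caps, then add digits and a special character."""
    tweaked1 = "".join(c for i, c in enumerate(word1) if i % 3 != 2)
    tweaked2 = word2[::-1].replace("e", "i", 1)
    return tweaked1.capitalize() + special + tweaked2.capitalize() + digits


def generate_password(length: int = 12) -> str:
    """Plan two, step one: the safe's auto-generate feature, done with the OS CSPRNG.
    Candidates are redrawn until every rule holds (a handful of tries at most)."""
    if not 8 <= length <= 12:
        raise ValueError("the page's guidance is 8 to 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if check_password(candidate)["ok"]:
            return candidate


def tweak(password: str, n_changes: int = 2) -> str:
    """Plan two, step two: change a few characters of the generated password,
    redrawing until the result differs and still passes every rule."""
    while True:
        chars = list(password)
        for pos in secrets.SystemRandom().sample(range(len(chars)), n_changes):
            chars[pos] = secrets.choice(ALPHABET)
        candidate = "".join(chars)
        if candidate != password and check_password(candidate)["ok"]:
            return candidate


if __name__ == "__main__":
    print(two_word_password("paint", "green"), check_password(two_word_password("paint", "green")))
    generated = generate_password()
    print(generated, "->", tweak(generated))
```

The deterministic transformation in `two_word_password` exists only to make the steps visible: tweaks that never vary are a fixed function of two dictionary words, which is why the second plan draws every character from the OS random source and then alters a few of them.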
PassPhrases
PassPhrases are "long super-passwords" used to protect several accesses at once. PassPhrases are tedious, because they must be very long, so they should only be entered rarely. Most of the time they are used to initialize something once.
A PassPhrase can be created like an ultra-long password, but it must be protected better, so you never write it down. Hopefully you only need 3 to 5 of them in your life.
Here are two variants:
- Passphrases made up of words. A non-sense sentence like: "paint wall green open dive to einstein"
- Create some helper to remember this passphrase. For the above example:
Green is the color you dislike most and Perl is the programming language you hate, so you note: "make-up larry odd color, home drive emc".
Any geek will think you noted something weird about what you want to store on your EMC SAN. However, this helps you remember the PassPhrase:
This is "larry wall" from Perl, make-up is painting, and the odd color is green. So "paint wall green". Your "home" is open, "drive" is near "dive", and emc stands for Einstein's formula.
So if somebody pressures you to reveal the PassPhrase, you can insist that you have forgotten it (I always forget my PassPhrases and can only reveal them with the helper text!). But even with the helper text you can say that you are unable to recover it, as it is too difficult to remember under stress. And for my part, it often takes me 30 minutes to 2 hours(!) of absolute silence, a lot of trying and sheer will to succeed in remembering what I wanted to express with the helpers.
This is the best thing: you cannot remember it unless you try hard. If you are pressured against your will, you cannot do this. This is purely psychological.
The second variant:
You do not need to use "the second" character. You can vary the method: second for the first, first for the second, third for the third, last for the fourth, and then restart this hopping. It is only important that it is obvious to you when you look at it 10 years from now. It is not important that you can explain your method to others (not being able to explain it is probably even better).
Use a Password Safe
Never record your passwords literally. Use a password safe with a good PassPhrase. Keep this password safe on a memory card or USB stick. Only put this card into devices which are never connected anywhere (like a PDA but not a smartphone; like a laptop but not a laptop with WiFi installed).
It is crucial that you separate the device and the memory card, so that even in bad situations the PassPhrase will not be stored on the same device as the secure password file. If you store the file in the internal memory of your PDA, you cannot be sure that the PassPhrase is not stored in some memory image recorded by some broken process (one that saves an uninitialized piece of memory which happens to contain traces of your unerased PassPhrase).
Never sell things which were used for security, ever. Shred them and burn them afterwards at a very high temperature (even cheap gas burners reach 1200 degrees Celsius).
Use encrypted partitions
- Use TrueCrypt or any other encrypted filesystem.
- Use it together with a good PassPhrase.
- Never record this PassPhrase anywhere literally, not even in a password safe. Do it through a helper as noted above.
Links
- www.pwdhash.com/ is a method to hide your password from the site you use. Have you noticed the bug in the page? The answer is hidden as a comment in this page (view the source).
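An added example of the idea behind a site-specific password hash like PwdHash (this is not PwdHash's own code, which uses a different hash and encoding): the per-site password is an HMAC of the master password over the site's registrable host, so the site only ever sees the derived value, the master never leaves your machine, and a look-alike host on another domain gets a different value. `site_key`, `derive_site_password` and the two-label host heuristic are assumptions of this illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the host label the derivation is keyed on.
    Constructed heuristic: the last two labels of the host (no public-suffix list),
    so www.example.com and login.example.com share one derived password."""
    if "://" not in url:
        url = "https://" + url  # accept bare host names, as in the page's link
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def derive_site_password(master: str, url: str, length: int = 12) -> str:
    """HMAC-SHA256(master password, site key), encoded to printable characters.
    The site receives only this value. HMAC is one-way, so a site password leaked
    from one provider does not expose the master, and a phishing page on another
    domain receives a value that is useless on the real site."""
    mac = hmac.new(master.encode("utf-8"), site_key(url).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")[:length]


if __name__ == "__main__":
    master = "correct horse"  # constructed sample master password
    for url in ("https://www.example.com/login", "http://example.com", "https://example.org"):
        print(url, "->", derive_site_password(master, url))
```

The check a practitioner wants is the pair of properties the `__main__` block shows: two URLs on the same registrable host derive the same password, while any other host derives a different one. The weak spot of such schemes is the host heuristic itself, which is why the real tool's behaviour on unusual domains is worth verifying before relying on it.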
Famous last words
When it comes to security, always remember the following advice:
The only question is: are we paranoid enough?
-Tino, 2008-05-08, Update 2009-05-14 link to pwdhash.com (as somebody noted it to me)