Friends! Welcome back. I hope you didn’t miss us too much as we took our extra-long three week hiatus. So much has happened in those three weeks. We celebrated Canada day, WatSFiC’s incredibly fun and popular Humans vs Zombies week-long campus-wide ultra-fun event happened, and the EngSoc Joint Annual General Meeting took place. So much has been going on, and we have so much to catch up on.
For instance, Alex has written a piece on the ongoing important ramifications of the horrific Charleston Shooting (page 4) and Sam has an article on the ever-evolving situation in Calais (page 6). Also look out for Michal and Sherwin’s PCP, where they discuss different economic incentives that could reduce carbon emissions (page 13). As always, a massive hand to all the journalists, copy editors, and layout editors who made this issue possible. A special thanks to Ethan for braving the heat to get us our beautiful front-page photo, and to Sherwin and Nachi for their extensive help with layout this weekend.
Well this is a mercy. After fretting for two weeks on what to write my editorial about, something dropped right into my lap–late one night last week, I got an innocent looking email: “Action Required: Check your Mailbox”. It was a message for the National Student Loan Services Center (NSLSC), asking me to create an account on their system where they could send me information about loan repayments and things. No problem, right? Name, SIN card, Student Loan Number, email address, communist-party association status (not really on that last one). Then I got to the “password” section of the account creation page.
I’ll talk about my experience with the NSLSC first, but then I have some comments about password security in general. I think that knowing how to create good passwords is an important skill, and one that can save you from tonnes of headaches. More importantly, there are ways for websites and internet companies to encourage good password etiquette, and many of them are doing exactly the opposite.
So the NSLSC. A government service that looks after all kinds of sensitive financial and personal information. A service that provides for frequently tech-savvy young adults all over the country. How bad could their password system be? Very.
I won’t bore you with the details. They had the standard questionably-useful rules that all passwords have: 8-16 characters, must contain at least one upper case letter, one lower case letter and one number, and no repeated letters. But it also cannot contain any special characters. I couldn’t believe it. It meant that my method of creating passwords—an algorithm by which I derive a unique password based on the name of the service—was invalid. On the one hand, I wonder if they put in this in there to make everyone make up a new password, instead of re-using a canned one. On the other hand, I’d say it is an ineffective strategy, since it made me perform the time-honoured tradition that we do when we have passwords we will never remember–I put it on a Post-It Note on my wall.
Anyway, now that I’ve explained the inspiration of this editorial, it’s time to move on to the real body of the matter: why are some passwords better than others, and how can I make the best ones.
What is a Password?
It seems like a really simple place to start, but if we want to know how to make a good password, we have to start with what we want to use it for. A password is a secret key we can use to verify our identities. It’s something that only you and the person you are dealing with know. Perhaps most importantly, a password is only a metaphorical key, a piece of information; it can be stolen without giving you any ability to know this has happened.
How do Passwords Get Stolen?
The answer is that there are a lot of ways, and a good password can substantially reduce the effectiveness of many of these methods. Let’s start with the one that we absolutely can’t prevent with any password: data breaches involving password lists. This happens when somebody infiltrates a company’s servers and gains access to the list of login credentials, potentially stored as plain-text or encrypted plain-text. There is nothing that you can do to stop this from happening, unfortunately. Without going into too much depth, the company could have done some clever math to make it so that they could verify that you input the correct password without being able to easily figure out your password at all. But they didn’t, and now the hacker knows what password you used on this site.
So the hacker knows the password and email you used for that one site? No big deal right, the company just tells everyone to change their passwords. Wrong, because the next way your password gets stolen is through password reuse. Now that the hacker has the emails and passwords of thousands of people, he can try to put each set of credentials into hundreds of sites, and some of them are sure to work because people reused their passwords. In other words, especially if it’s for an important service, never reuse your password. And god help you if they gain access to your email, because then they can reset all of your other accounts.
Well if I want to use a different password for every single service I use, I pretty much have to write them all down. This is not a good idea. Why? Because I would argue that the biggest threat anyone faces is from people in the real world who are close to you. If someone hacks your Facebook account, what can they do? Put up homophobic propaganda and unfriend all of your friends. It sucks, but once you realize what happened you’ll be able to change your password and try to fix it. People will understand. Worst case scenario, you nuke the account and start anew. Financial transactions and identity threats are more annoying and costly to fix, but still very fixable. But when you write down your passwords on a piece of paper, you are making them vulnerable to the people in close geographic proximity to you. Hopefully all those people mean you well, but if one doesn’t how will you explain the horrible and highly-specific things you emailed your crush last night, or why you approved those CAD drawings for the now-collapsed roof? I’ll take my chances with the anonymous hacker, thank you very much.
How Can You Make a Good Password
So I hope that I have managed to instil in you the keys to a good password: memorable so you don’t need to write it down, and unique. Although I didn’t mention it, long is also useful, just in case you are on a service that doesn’t detect and prevent a brute force attack that simply iterates through different passwords on a specific account. But how can we actually make a good password? I have two solutions: a password manager, and a password algorithm. A password manager is a piece of software that stores all of your passwords securely behind one very strong master password which you are obviously encouraged to never write down or tell anyone else. You can even get online passwords wallets, so that your password manager is with you wherever you are. They’re probably effective, and probably secure; you really don’t have a way to verify either of those things. The other way is a password algorithm. I start with some unique identifying thing about the site. For instance, Facebook’s colour scheme is pretty consistent and I don’t foresee them changing it, so I start with the phrase “blueandwhite”. I use the same colour-based seed for every site. Then I come up with an algorithm to turn that phrase into a unique password containing lower-case and capitals, numbers, and alt-characters (just to ensure that it will be accepted by most sites as a valid password). If I really need to, I can write down the seed and its corresponding site name while still keep my algorithm, and thus my password, perfectly safe.
How Can Companies Make a Better Password
Certainly, they have been trying. Most websites, as I have already discussed in depth, have certain rules and conditions on your password. I would argue that they don’t work very well though, since they strongly incentivise either password reuse or writing down the password, especially if they have original rules no-one else uses. I like Google’s approach, which is to only put a lower character-limit on passwords, and then simply tell you how secure they think it is. This gives you the freedom to use the type of password solution you want, and encourages people to adopt better password practices.
But by far the best thing a company can do to keep your account secure is offer two-step verification. The way this works is that whenever a login request is received from a new location or a new device, the website sends a text to your phone with a code, and you have to enter the code into the website. The brilliance of this is that it removes one of the assumptions we made up at the top: your password is no longer simply a piece of copy-able information, but is now a piece of secret information plus a physical object in the form of your phone. Someone with just your phone can’t gain access to your account, because they still need the secret half of the key. And someone with the secret half of the key can’t get access because they need to steal a piece of physical property.
I’m sure that before long someone will find a way around two-step verification. Maybe they’ll intercept the text, or the code that the website sent you was pseudo-random and predictable. But I will say that it’s much better than what it replaces – security questions. As many will remember from the 2014 iCloud Celebrity Photo Leaks (or, more idiotically, the fappening), many of the accounts were breached by determining the email address associated with the iCloud account, and then getting a password reset using publicly-available information (like the contents of a Wikipedia page) to answer the security questions. And since many people are freely distributing all of that information on Facebook and Instagram or whatever else the kids are using these days, security questions have become, in some cases, a serious liability.
Anyway, hopefully this at least makes you think a bit about your passwords a little bit more. The internet can be both a dangerous and wonderful place, and I want to make sure you stay safe as you cruise along the information superhighway.
Leave a Reply