All content on this site (including text, photographs, artwork, and any other original works), unless otherwise noted, is licensed under a Creative Commons License.
Creating A Personal Password Policy (P3)

Passwords are a big deal to me. The right break-in to the right account and a person could hijack my e-mail, order things from my Amazon account, take control of my domain names, and who knows what other unthinkable acts.
I used to think that a good password was a single alpha-numeric password that I could use everywhere. And that's what I did.
Later I wised up to the fact that all it would take is one leak, and every account I have would be compromised.
So I devised my first "Personal Password Policy" (I didn't even know the term yet). What is a PPP? Simply put, it means putting thought into the passwords you create and use: not picking passwords at random, but laying out a plan that will keep your data secure.
My original PPP was three passwords, divided into tiers by how secure I wanted each account to be. The good part of this idea was that my really important accounts were separated from the run-of-the-mill accounts I was creating almost weekly for on-line orders, forums, and so on. The bad part was that all of my highly important accounts still shared one password, so a single leak could expose every one of my most valuable accounts.
I worked at a company where a guy stole customer data. It happens. He was stupid and stole credit card information (he also got jail time). He could just as easily have stolen e-mail addresses and passwords, and would almost certainly have gained access to at least 80% of those accounts, giving himself access to much more than a single credit card number.
So I changed my PPP to an unrestricted number of mostly unique passwords, meaning I had about 15-20 of them. Each highly secure account got its own password, while run-of-the-mill accounts still shared a generic password (semi-funny note: this weak shared password used to be my highly secure single password).
Of course this list of passwords grew to be totally unmanageable by memory, so I created an Excel spreadsheet to manage my passwords, the matching usernames, and some other info. I gave it a totally inconspicuous name, then used Windows XP's built-in encryption feature (EFS) to encrypt the file to my user account.
I kept this PPP in effect for several years, and it worked for me, for the most part. Occasionally there were times when I found myself away from home, unable to recall my password for an account, unable to access my Excel file, and very much out of luck. That's how I discovered that a PPP was not enough; I needed a PPPP (Portable Personal Password Policy).
But at the time I had no idea how to make a PPP portable. I didn't want to just keep a print-out of my Excel sheet in my wallet.
It wasn't until this year, when I was researching an Internet Safety presentation I was giving and searching for ideas on what makes a good password, that I found some great items such as:
This bookmarklet idea was (and still is) awesome. To use it, all you need is a single "master password" that you have to remember. This password is never shared with anyone and never transmitted over the internet; it is as secure as you make it. The bookmarklet sits in your browser, and when you click it, it asks for your master password, takes the domain name of the web page you are on, and creates a unique hash of the domain name using your master password as the key. That hash is your password for that site. I keep it in my Mozilla Firefox Bookmark Toolbar (it also works in Internet Explorer and Opera).
This is a great tool and, in my mind, a perfect PPP. But what about portability? You can't always have your bookmarklet handy, because you aren't always at home on your own machine or notebook; you could be at a friend's house. In those cases you can use the web page version, which uses the exact same formula. I have an easy way to locate the generator from any internet-enabled location I find myself in.
The web page version also lets you enter non-domain-name values to hash. So if you wanted a unique password for your locked Microsoft Money file, you could hash the string "MS Money" with your master password.
To make this even more portable, you can put the HTML for the web page version on a USB thumb drive and take it anywhere; you no longer need internet access. I made my own backup of both the web page and bookmarklet versions of this method, just in case the web site goes off-line.
There is, however, one fatal flaw in this person's code: it uses the entire host name, not just the domain name. For example, www.digg.com is treated differently from digg.com, and login.paypal.com differently from www.paypal.com. This causes trouble on a handful of sites that pass you around between sub-domains and don't always put the login form on the same sub-domain.
Chris Zarate ran into this same problem, so he created a new bookmarklet that uses only the domain name. I plan on switching my passwords over to this new formula as time permits.
In August, Leo Laporte and Steve Gibson launched a podcast called Security Now!, an excellent podcast devoted entirely to security. I was very pleased when they did a two-part special entirely on passwords, encouraging people to actually think about their passwords, to each create their own Personal Password Policy, and to think about portability. I highly recommend that everyone listen to these two episodes and hear everything they have to say about passwords. They cover basically everything (useful) I have learned about passwords in my whole life in less than 45 minutes.
Here are links to get the goods:

Episode #4 (Part 1 of Passwords)
MP3 Audio PDF Transcript
Note: They don't dive into passwords until 8:35 in the audio or the bottom of page 3 in the transcript.

Episode #5 (Part 2 of Passwords)
MP3 Audio PDF Transcript

I hope you have found this entry useful, and if you don't already take your passwords seriously, that you will start soon. If I have left anything unclear, please send me an e-mail or post a comment and I will follow up.
