Personal Password Management

Question: If someone were to obtain your credentials for a “non-critical” web site, could they be used to gain access to accounts on critical sites such as email, online banking, etc? Many people would likely have to answer yes to that question, even security minded IT professionals.

Identity management can easily be a complicated subject. The average Internet user maintains dozens of accounts across an array of sites with varying levels of importance and security. Credentials for those accounts can be obtained in a number of ways. Many sites still don’t use SSL login encryption, leaving passwords vulnerable to sniffing. Others store passwords in the clear, leaving them vulnerable to breach (like the recent one). The most secure solution might be to maintain a separate password for every site, but that isn’t very user friendly. Security has always been a trade-off against usability. Greater minds than mine are working on this problem, trying to come up with solutions like the OpenID initiative. Until a better solution is universally adopted, here I’m presenting the technique I use for personal password management.

This password management strategy attempts to meet three goals: 1) find a decent compromise between usability and security; 2) categorize sites into three tiers, grouping services by security and importance, and assign a unique password to each tier; 3) ensure that discovering the credentials for one tier does not lead to discovering those for another.

Tier 1 sites are the most critical: email and online banking. Besides containing personal information, email is considered critical because it is usually tied to accounts on other sites. Based on that fact, I recommend making the online banking password slightly different from the email password. This is something of a one-off, and maybe should be considered a 4th tier. SSL is required for Tier 1 sites. Tier 2 sites are those of medium importance: other financial sites (credit accounts, Amazon, etc.) and personal identity sites (social networking, etc.). SSL is still a requirement for Tier 2. Tier 3 is for all other trivial accounts like forums, newsletters, or any site that doesn’t implement SSL login encryption. Each tier gets assigned a unique password that meets best practices. This requires remembering three (or four) different passwords, but they can be variations on the same base to make this easier.

Other factors need to be taken into account for a total password management solution. Attention needs to be given to each site’s SSL status. Passwords should be complex, not contain dictionary words, and ideally be changed on an annual basis. Password reset procedures for accounts should also be evaluated to prevent unauthorized access like the kind Sarah Palin fell victim to last year. Passwords typically shouldn’t be written down, but as a memory aid, a site-to-tier mapping could be saved in an encrypted spreadsheet, using something such as TrueCrypt.
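As an added example (not code from the original post), the tiering rules above and the best-practice checks from this paragraph, encoded in Python: `assign_tier` applies the SSL and category rules, and `tier_report` flags weak or stale tier passwords plus any two tier passwords close enough that learning one gives away the other. The sample passwords, dates and the tiny word list are constructed stand-ins, not real credentials or a real dictionary.

```python
import re
from datetime import date

def assign_tier(category, ssl_login):
    """Tier per the post: email/banking -> 1, other financial/identity -> 2, else 3."""
    if not ssl_login:            # SSL login is required for Tiers 1 and 2
        return 3
    if category in ("email", "banking"):
        return 1
    return 2 if category in ("financial", "identity") else 3

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def password_issues(pw, changed, today, wordlist):
    """Check one tier password against the post's best practices."""
    issues = []
    if len(pw) < 12:
        issues.append("shorter than 12 characters")
    if not all(re.search(c, pw) for c in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")):
        issues.append("missing a character class")
    if any(w in wordlist for w in re.findall(r"[a-z]{4,}", pw.lower())):
        issues.append("contains a dictionary word")
    if (today - changed).days > 365:
        issues.append("not changed in over a year")
    return issues

def tier_report(tier_passwords, today, wordlist, min_distance=4):
    """Issues per tier, plus tier pairs so similar that leaking one reveals the other."""
    report = {n: password_issues(pw, chg, today, wordlist) for n, (pw, chg) in tier_passwords.items()}
    names = list(tier_passwords)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            d = edit_distance(tier_passwords[a][0], tier_passwords[b][0])
            if d < min_distance:  # a "variation on the same base" that is too close
                report[a].append(f"within {d} edit(s) of {b}")
    return report

# Constructed sample: one password per tier with its last-change date, and a fixed "today".
SAMPLE = {"tier1": ("Kx7!ravine-Moth#92", date(2009, 1, 15)),
          "tier2": ("Kx7!ravine-Moth#93", date(2009, 1, 15)),
          "tier3": ("password1", date(2007, 6, 1))}
WORDLIST = {"password", "letmein"}  # stand-in for a real dictionary file
TODAY = date(2009, 3, 1)
```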

Ultimately there is no such thing as 100% secure identity management and access control. Even with (theoretical) rock-solid security in Layers 1 through 7, Layer 8 weaknesses will always be exploitable. In my view this solution strikes a reasonable balance between security and remaining manageable. It does have weaknesses: for example, a breach similar to the one, which would have been a Tier 2 site, would require resetting passwords for all other Tier 2 sites. However, email would have remained secure, so ultimate control over Tier 2 password resets should have remained intact. There are numerous other variations on the personal password management theme. Let me know in the comments section what methods you suggest or what weaknesses you see with this solution.


3 Responses

  1. It’s still a challenge to accurately assign the tiers. I’m thinking of sites such as:
    web-mail – probably little of consequence, but can be used by others in password reset notification;
    travel sites – nothing confidential when searching for holidays, but if you start booking you might supply a credit card – or perhaps that was supplied to a third party site;
    subscription verification sites – often ask for information such as birthplace, first school, all of which might be used for password reset.
    Guess we need Personal-DLP systems to see what has been supplied.

  2. […] wrote an interesting post today on Personal Password Management. Here’s a quick excerpt: Also password reset procedures for accounts should be evaluated to prevent unauthorized access like the kind Sarah Palin fell victim to last year…. […]

  3. I am planning to speak about this topic to teachers and students at my school. I had bookmarked this post for future reference when I first saw it. I have included much of what you say in my presentation, plus a couple other suggestions.

    1. have an email address used for creating accounts in places you are not sure you will continue to visit. If you decide the service is a keeper, update your account settings and change the email to your usual one. This has helped me reduce spam.

    2. When you change your passwords, yearly as you suggest, pick a theme. Over the past couple of years I have used Harry Potter character names, Beatles song title acronyms, and names of Beethoven piano sonatas.

