nowucca.com - personal software technology blog

From time to time, your email account might get hacked.  Friends start reporting strange Viagra emails coming from you.  Why is this happening to you?  Well, unless the site itself was hacked (as happened to Sony or Spotify), you were hacked because you chose a bad password.  It's your own fault.

Big deal - if you are lucky you can change the password and everything is fine?  Wrong.

The Problems When Your Email Account Is Hacked

We are now much more knowledgeable and informed about some of the scenarios that can occur and about what your account information is worth online.  The walls could certainly be closing in on your identity and digital well-being.


"I'm hacked and I can't get out."

When your account gets hacked, be aware of 2 things:

The essence of this password problem is an old one: we have made it too easy for humans to forget their passwords, and too easy for attackers to discover them.  So we pick simple mnemonics or phrases that can be guessed very easily.  The consequences of having your emails revealed are higher than ever.

The Working Solution for Me Now

Password-Safe Files

A "safe file" contains encrypted passwords

I'm using the Password Safe concept of "safe" files containing Blowfish (now Twofish) encrypted passwords, developed by Bruce Schneier.

Each "safe" is a file that holds a collection of login entries, each containing at minimum a name, URL, and password.  The program can generate new passwords that are hard to remember and very hard to crack.

Let's say we create a new login entry for linkedin.com.  We generate a new password, and then change our password at linkedin.com to the generated password.  Now you have the protection of a great password, and all you have to do is copy the generated password from the "safe"'s linkedin.com login entry every time you log in to the website.

The "safe" file holds all the important entries, so it needs to be encrypted itself.  So each "safe" needs a master password to decrypt it - that is the only password you will need to remember.
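To make the two ideas above concrete (a generator that produces long random passwords, and a safe file that is itself encrypted under one master password), here is an added example written for this post.  It is not Password Safe's own code and does not produce its file format: it uses only the Python standard library, so PBKDF2-HMAC-SHA256 stretches the master password, an HMAC-SHA256 counter-mode keystream stands in for the Twofish cipher the real format uses, and an HMAC tag (encrypt-then-MAC) makes a wrong master password or an edited file fail cleanly instead of decrypting to garbage.  The entry for linkedin.com and the master password are constructed sample values.

```python
import hashlib
import hmac
import json
import math
import os
import secrets
import string

# Character set the generator draws from: 52 letters + 10 digits + 32 punctuation = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Return a random password drawn with the OS CSPRNG behind the `secrets` module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Bits of entropy for a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def _derive_keys(master, salt, iterations=100_000):
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=64)
    return material[:32], material[32:]


def _keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in for Twofish; assumption)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal_safe(entries, master):
    """Encrypt the entry list under the master password. Layout: salt | nonce | ciphertext | tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master, salt)
    ciphertext = _keystream_xor(enc_key, nonce, json.dumps(entries).encode("utf-8"))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_safe(blob, master):
    """Check the tag first, then decrypt. A wrong master password or a modified file fails here."""
    if len(blob) < 64:
        raise ValueError("safe file too short")
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or safe file has been tampered with")
    return json.loads(_keystream_xor(enc_key, nonce, ciphertext).decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: one login entry for linkedin.com with a freshly generated password.
    entries = [{"name": "linkedin.com", "url": "https://www.linkedin.com",
                "password": generate_password()}]
    master = "example master password only"  # constructed; the one secret you would memorise
    blob = seal_safe(entries, master)
    print("safe file is %d bytes, password has %.1f bits" % (len(blob), entropy_bits(20)))
    print(open_safe(blob, master)[0]["name"])
```

The round trip only decrypts after the tag check passes, which is the property you want from a safe file: every other password in your life depends on the master password, so the file must refuse to open (rather than leak or silently corrupt) when that password is wrong or the file has been altered.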

How I Use "Safe" Files

I need a central place to store a "safe" file in the Password Safe file format.  I chose Dropbox because I can easily share the one "safe" file across multiple devices.

For my Mac Desktop:  Use Password Gorilla as the interface to the "safe" file on Dropbox.

For my iPad and iPhone: Use pwSafe (port of Password Safe) and their Dropbox Sync feature to access the same "safe" file.  A four-finger swipe left and right achieves nice copy/paste from the "pwSafe" app to websites/other apps that need passwords entered.

There is a good resource for information about other clients that can see safes.

Astute Readers Will See A Problem

It might be a bad idea to store my Dropbox account password in the "safe" file that is on Dropbox.  I could easily run into a situation where I lose access to Dropbox and hence all my passwords.  I've decided to make a separate "safe" file on a USB key (or three) that I stash and/or carry around with me, containing the Dropbox details.  If I need to remember the Dropbox account password, I can also write it down on a piece of paper.

In this way, you can safely have ALL your passwords be nice, random long generated ones.