Passwords are so over
I'm having a ton of fun at my new job as CTO at PDA (a small behavioral healthcare software startup). Part of my responsibilities are to think deeply about security and privacy both for my personal credentials and at a broad institutional level. Governance, process, the way that people and processes will react in the presence of various failure scenarios. This was a big part of my work at Canonical as well, and the stakes are high whether you are talking about managing security and integrity for an operating system or for people's medical records.
When working on security, it's useful to start at the end, thinking about what you will say when you have to show up in court to testify about a break-in or breach, or what you will write in the announcement to your friends and customers explaining what safeguards you had in place and why they failed. This means working backwards from the assumption that a break-in or breach will happen, that someone with credentials will misuse them, and that failure modes are unpredictable. This mindset should help you design systems that leave you with a clean conscience when the worst happens.
The sophistication of attackers far outstrips the situational awareness of most professionals who have credentials for secure resources. This interview with an FBI security expert says that often companies and people don't know they have been hacked until long after the fact, and that assertion is consistent with my own real life experiences. This presentation from the Google anti-abuse team outlining the scale and sophistication of attacks on individual user accounts is sobering, and explains why passwords alone are not enough to secure any account.
I've been incredibly impressed with the way security has been handled at PDA, and I'd like to outline how my personal credentials are now being managed. There are other facets to security as well, but the thing that most professionals can take personal responsibility for and make immediate improvements to is the way they manage their own credentials. The hardest thing is figuring out a set of simple rules that aren't so inconvenient they prevent you from doing your job, and I think thats the part where most people give up. I hope that by sharing the rules I'm using, it gives you some practical ideas for how to better secure your credentials that you can put into practice right away.
- Mobile phone - I use an iPhone, with a screen unlock code and both Prey and Apple's remote wipe technology installed to be able to track my phone when lost and if necessary, erase it completely.
- Laptop - I use full disk encryption with a strong password and a screen that immediately locks, and Prey installed to be able to track my laptop and if necessary, remove credentials and disable the computer.
- Passwords - this part is the most interesting. I am using the LastPass password manager with a strong password and 2-factor authentication. 2-factor authentication means that in addition to my strong password I need to enter a code from the Google Authenticator app installed on my phone. LastPass then generates and manages my passwords for every single account I have anywhere. This includes passwords on servers, passwords on websites, passwords to unlock encrypted drives, everything. While it felt tedious to set this up at first, it quickly reduced the stress I felt around passwords - I no longer am tempted to reuse passwords between sites, no have headaches from trying to remember multiple passwords, and I know that the passwords I'm using now are much stronger than anything I would have come up with on my own.
- SSH keys - many folks don't use SSH keys, but if you do: use a separate strong key for every computer you use, make sure you are using full drive encryption, and use a strong passphrase on each key along with ssh-agent so that you can still get work done without entering the passphrase hundreds of times a day.
In summary: use a password manager such as LastPass, use 2-factor authentication, encrypt your hard drive, and use anti-theft software such as Prey. An alternative to LastPass is KeePass, and an alternative to the Google Authenticator app is a YubiKey. This way of working has tremendously reduced the amount of mental energy required to login to the various systems that I use every day in the course of my work and personal life, and makes me feel more confident that I'm making a reasonable good faith effort to protect the accounts I have access to. All of these things work on both Android and iPhones, on Windows/OS X/Ubuntu laptops, and are available for free.