Business Developer

A Lesson on Passwords

Republished - original from 2015

Last week several of the players in our game (QONQR) had their accounts compromised because they shared their username and password with another site, which was hacked using a common security flaw. Although the breach was not our fault, we didn’t know it at the time and it cost us days of effort to clean up the mess.

I wrote a security refresher for everyone in QONQR, and thought I should also share it here. It is important that we all learn from issues like this, and in today’s world it is good to be security minded. It is your responsibility to protect your account as much as it is our job to do our best to protect your information. Most people think that hackers steal people’s identities by hacking into big corporate databases. Those are the news stories we all hear. But security breaches are most commonly performed through something called "social engineering", which generally involves human mistakes: someone convinces you they are someone they are not, so that you will give them information they can use to get into your (or someone else’s) systems. Most security breaches are NOT caused by bugs in code, but rather by people not doing the right thing to protect themselves. Don’t be tricked into giving your password or other secure information to strange websites or in response to emails or phone calls. These are referred to as "phishing" scams. If QONQR needs to log into your account to try to reproduce a problem, we will reset your password so we can log in, then send you the new password so you can change your password back. Never give your password to anyone, not even to us. We don’t need it. No company should need your password to their own systems.

Here are some security tips. They are by no means comprehensive, nor should they be considered the "best" security tips, but they might be better than what you are currently doing. As with all advice, use your judgement to determine whether it is the best advice for you, or whether there is an even better way for you to protect yourself.

Use a Secondary Email Address

Many people set up a Gmail, Hotmail or Yahoo account for "junk mail". These are the accounts we use when we sign up for something but really don’t want all the spam that we expect will come from the registration. This is very smart. Having a secondary email account to use for all those non-critical websites can help you keep someone from getting into your main email account and all your private communications, should your password (which you probably use over and over) be discovered. However, did you know there are many ways you can have a unique email address for every single thing you register for? There are many services that you can use, but one of the most popular ways is to add a "+" to your Gmail address. Let’s say that your email address is SuperAwesomeDeveloperNinja007@gmail.com. You can use SuperAwesomeDeveloperNinja007+QONQR@gmail.com as your email address. All the email will still come to your email account, but now you have a unique email address that you only used for QONQR. This can help you identify who may have leaked your account if you start getting strange email or password reset notices. It also means that if someone is robo-hacking a site, they are much less likely to get into any other site even if you use the same password. For example, SuperAwesomeDeveloperNinja007+QONQR@gmail.com isn’t going to work as a login at Amazon.com if you registered there with SuperAwesomeDeveloperNinja007+Amazon@gmail.com, even if you used the same password. A hacker using a program to automatically test millions of stolen email and password combinations against various other sites isn’t going to get anywhere with you.
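As an added example (not part of the original post), here is a small Python script that does the two things the paragraph describes: it builds the per-site "+tag" variant of a base address, and, when an unexpected password-reset notice arrives, it reads the tag off the recipient address to tell you which registration it came from. The base address is the one from the post; the list of registrations and the three suspicious recipient addresses are constructed sample data.

```python
import re

# Constructed example: the mailbox from the post, used as the "base" address.
BASE_ADDRESS = "SuperAwesomeDeveloperNinja007@gmail.com"

# local part, optional "+tag", domain
_ADDRESS_RE = re.compile(r"^(?P<local>[^@+]+)(?:\+(?P<tag>[^@]+))?@(?P<domain>[^@]+)$")


def tagged_address(base, site):
    """Return the per-site variant of `base`, e.g. user+QONQR@gmail.com."""
    m = _ADDRESS_RE.match(base)
    if m is None or m.group("tag"):
        raise ValueError("base address must be a plain local@domain address")
    # Keep the tag to characters that are safe in the local part of an address.
    tag = re.sub(r"[^A-Za-z0-9._-]", "", site)
    if not tag:
        raise ValueError("site name yields an empty tag")
    return f"{m.group('local')}+{tag}@{m.group('domain')}"


def split_tag(address):
    """Return (mailbox, tag) for an address; tag is None when there is none.

    The mailbox is what the provider actually delivers to, with the domain
    lowercased, since domains are case-insensitive.
    """
    m = _ADDRESS_RE.match(address.strip())
    if m is None:
        raise ValueError(f"not an email address: {address!r}")
    mailbox = f"{m.group('local')}@{m.group('domain').lower()}"
    return mailbox, m.group("tag")


def likely_leak_source(base, recipient, registrations):
    """Given the address a suspicious mail was sent to, name the site it was
    registered with, or None if the tag matches no known registration."""
    mailbox, tag = split_tag(recipient)
    if mailbox != split_tag(base)[0]:
        return None  # not our mailbox at all
    for site in registrations:
        if split_tag(tagged_address(base, site))[1] == tag:
            return site
    return None


# Constructed sample: the sites we registered with, and the recipient
# addresses lifted from three unexpected "password reset" notices.
REGISTRATIONS = ["QONQR", "Amazon", "Some Forum"]
SUSPICIOUS_RECIPIENTS = [
    "SuperAwesomeDeveloperNinja007+QONQR@gmail.com",
    "SuperAwesomeDeveloperNinja007+SomeForum@gmail.com",
    "SuperAwesomeDeveloperNinja007@gmail.com",
]


def triage(base=BASE_ADDRESS, recipients=SUSPICIOUS_RECIPIENTS, registrations=REGISTRATIONS):
    """Map each suspicious recipient address to the registration it points at."""
    return {r: likely_leak_source(base, r, registrations) for r in recipients}


if __name__ == "__main__":
    for recipient, site in triage().items():
        print(f"{recipient:55} -> {site}")
```

The tag is visible in the address, so treat it as a label that tells you where an address was used rather than as a secret; the real protection still comes from not reusing the password.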

Use a Different Password on Every Site

This is a hard one. It usually means that you write down the password somewhere, and that is even worse. Never write down your passwords or store them in a file on your computer that isn’t encrypted and password protected. But there are a growing number of "password manager" sites and apps that can help you have a unique password for every site. These apps include features like generating random strong passwords, automatically logging you into sites so you don’t have to type the hard passwords, and even giving you the ability to share a login to a site (the family password for Netflix) without needing to give anyone your password. These tools can be a great way to improve your security, but make sure you have a crazy hard password you can remember, which protects your entire list of passwords, and never choose an app unless you must enter that password to see the list of other passwords. Never let an app "auto login" to your master list of passwords. That would defeat the whole purpose. Don’t trust an app? Simply can’t deal with a different password for every site? I agree, that can be a bit hard to deal with. In this case, have several different strong passwords, and protect the most critical sites (bank, PayPal, credit card) with unique ones.

How to Make a Good Strong Password

There are many ways to make a good password. Here is my favorite. Did you take a foreign language in high school? Did your teacher force you to memorize a phrase or conversation over and over? I did. Here is an example from my middle school German class.

"Haben Sie Geld? Nein, Ich bin auf dem Hund."

If you are like me, you will probably never forget the phrases you learned in your youth while learning a foreign language. You can use that obscure bit of your personal history to make a very strong password. Taking the first letter of each word, substituting the number one for the capital "I" in "Ich", and substituting "@" for the letter "a", you can make this password.

HSG?N,1b@dH.

BAM! That is a 12-character password with upper and lower case letters, a number and several punctuation marks. AND, if you are my age, you have managed to remember the phrase this comes from for over 25 years and are very likely to be able to remember the derived password. That is awesome! Now never tell this password to anyone. By the way, this isn’t a phrase I learned in German class, nor is it a password I use.

"HSG?N,1b@dH." would make an awesome master password. Something longer would be even better. But how do you do this for multiple sites? What if you memorized a quote about books and used that password for Amazon?

"Books are like mirrors: if a fool looks in, you cannot expect a genius to look out."
–J.K. Rowling

Making a very strong password from this could be "B@lm:iafli,yceag2lo.-jkr"
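The derivation above can be written down as a procedure, and a password manager’s "generate a random strong password" feature (mentioned earlier) is the alternative to it. The following Python script is an added example, not from the original post: `derive_password` applies the first phrase’s rules exactly (first letter of each word, punctuation attached to a word kept, capital "I" to "1", "a" to "@"), `character_classes` checks the length and character-class mix the post points out for "HSG?N,1b@dH.", and `random_password` shows the manager-style alternative using the operating system’s CSPRNG. The second derivation on the page (`"B@lm:iafli,yceag2lo.-jkr"`) adds personal choices the function does not try to reproduce (only the first "a" replaced, "to" as "2", initials appended), so applying the same rules to the Rowling quote gives a different, equally valid result.

```python
import secrets
import string

# Substitution rules the post applies when compressing a phrase: the capital
# "I" becomes the digit 1 and a lowercase "a" becomes "@".
DEFAULT_SUBSTITUTIONS = {"I": "1", "a": "@"}

# Alphabet for manager-style random passwords: letters, digits, punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def derive_password(phrase, substitutions=DEFAULT_SUBSTITUTIONS):
    """Build a password from a memorised phrase: the first letter of every
    word (leading quote marks ignored), keeping any punctuation attached to
    the word, then apply the character substitutions. "" for an empty phrase."""
    out = []
    for word in phrase.split():
        core = word.lstrip(string.punctuation)
        if not core:
            continue  # a token that was only punctuation, e.g. a dash
        initial = core[0]
        # punctuation glued to the end of a word ("Geld?", "Nein,") survives
        trailing = "".join(ch for ch in core[1:] if ch in string.punctuation)
        out.append(substitutions.get(initial, initial) + trailing)
    return "".join(out)


def character_classes(password):
    """Length and per-class counts, the properties the post calls out."""
    return {
        "length": len(password),
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "digits": sum(c.isdigit() for c in password),
        "punctuation": sum(c in string.punctuation for c in password),
    }


def random_password(length=20):
    """A manager-style random password drawn with `secrets` (the OS CSPRNG),
    retried until every character class is present."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover all classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        classes = character_classes(pw)
        if all(classes[k] for k in ("upper", "lower", "digits", "punctuation")):
            return pw


if __name__ == "__main__":
    # The phrase from the post (constructed by its author, not a real password).
    phrase = "Haben Sie Geld? Nein, Ich bin auf dem Hund."
    pw = derive_password(phrase)
    print(pw, character_classes(pw))
    print(random_password(20))
```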

Find a favorite quote about money for your bank. Find a shopping song lyric for your credit card. If you are a person who likes to memorize quotes, bible verses, poems or song lyrics, you can make a strong password that is easy to remember. If you can find a phrase that relates to the site you are using, that is even better. Pull out your favorite Pink Floyd lyric from their song "Money" to protect your bank account. Now instead of writing down your password for your bank, you can make a note that says "Bank – Pink Floyd". That should help you remember which password is for your bank account, without letting anyone else know what it is.

There are many other things you can do to protect yourself and your identity online. For the purposes of last week’s events in QONQR, I ask you to think about how you use your email and your passwords. We work very hard to protect your information, but we cannot guarantee that we won’t make a mistake someday or that the services we rely on don’t have a security flaw in their systems. It is even possible the providers we work with have unscrupulous employees who might have access to our data. If this event has taught you anything, I hope it is that you should never rely on someone else to protect your information. Limit the impact of a bad breach by isolating your logins and emails to a single site, as much as possible.

As a final note for developers who may be building sites:

  • Never store passwords in plaintext, ever!
  • Store a one-way hash with a unique salt per user instead of the credential itself
  • Consider enforcing a minimum password length and complexity
  • Test your site against common security exploits, such as SQL injection
  • Don’t use a 3rd-party security plug-in unless you know exactly how it works.
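The first four points above fit in one small Python example. This is added here and is not QONQR’s code: it stores a per-user random salt and a PBKDF2-HMAC-SHA256 digest (both from the standard library) rather than the password, applies a length-and-complexity policy at registration, looks users up with a parameterised query so a crafted username cannot change the SQL, and compares digests in constant time. The iteration count, the in-memory SQLite table and the usernames are constructed choices for the example.

```python
import hashlib
import hmac
import os
import sqlite3
import string

# Constructed choices for this example; tune the iteration count to your hardware.
ITERATIONS = 200_000
MIN_LENGTH = 12


def check_policy(password, min_length=MIN_LENGTH):
    """Return a list of policy problems; empty means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {
        "an upper-case letter": any(c.isupper() for c in password),
        "a lower-case letter": any(c.islower() for c in password),
        "a digit": any(c.isdigit() for c in password),
        "a punctuation mark": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if len(missing) > 1:  # require at least three of the four classes
        problems.append("needs " + " or ".join(missing))
    return problems


def hash_password(password):
    """Salted one-way hash: a fresh random salt per user, so two users with the
    same password get different records and precomputed tables don't apply."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# A throwaway record so a login for an unknown user costs the same work as a real check.
_DUMMY = hash_password("not-a-real-password-just-for-timing")


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    return conn


def register(conn, username, password):
    problems = check_policy(password)
    if problems:
        raise ValueError("; ".join(problems))
    # Parameterised statement: the values are bound, never spliced into the SQL text.
    conn.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                 (username, hash_password(password)))
    conn.commit()


def login(conn, username, password):
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        verify_password(_DUMMY, password)  # burn equal time; don't reveal which usernames exist
        return False
    return verify_password(row[0], password)


if __name__ == "__main__":
    conn = open_store()
    register(conn, "ninja007", "HSG?N,1b@dH.")      # the post's example password
    print(login(conn, "ninja007", "HSG?N,1b@dH."))   # True
    print(login(conn, "ninja007", "wrong password"))  # False
    print(login(conn, "ninja007' OR 1=1 --", "x"))    # False: bound as a literal username
```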

Unfortunately there is no such thing as "absolutely secure", mostly because there is always another human involved somewhere. Be aware of decent security practices, use good judgement, and protect your passwords. Be safe out there.