K12 classrooms – and most families – have bad password practices. Passwords for Google Classroom accounts are often derived from usernames. That password is then reused when signing up for other online accounts. This violates three of the most important rules of protecting online privacy and identity. From Krebs on Security:
- Do not use your network username as your password.
- Avoid using the same password at multiple Web sites.
- Never use the password you’ve picked for your email account at any online site: If you do, and an e-commerce site you are registered at gets hacked, there’s a good chance someone will be reading your e-mail soon.
xkcd explains the dangers of password reuse.
“Password reuse is what really kills you,” says Diana Smetters, a software engineer at Google who works on authentication systems. “There is a very efficient economy for exchanging that information.”
Source: Kill the Password: A String of Characters Won’t Protect You | WIRED
According to security experts, today the industry is dealing with a password reuse crisis. In the past few weeks, account breaches have been reported by LinkedIn, Tumblr, VK.com, Fling and MySpace – bringing the total number of compromised accounts to more than 642 million.
“We know that attackers will go for the weakest link and that is any user who reuses their passwords. It’s a major problem,”
Source: No Simple Fix for Password Reuse
At most schools, student identities are protected by weak passwords trivially derived from usernames and reused everywhere. Once someone gets ahold of your email password, they can reset your passwords elsewhere and pwn your life. When you reuse passwords, a data leak on a forgotten site can be escalated into takeover of your email and your identity.
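Before fixing passwords it helps to see how many of them are the problem. The following is an added audit script, not code from the original post, that runs over an exported list of accounts and flags the three failures described above: a password trivially derived from the username, a password reused across sites, and the email password reused elsewhere. The sample export, the `EMAIL_SITES` set and the record layout `(site, username, password)` are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample export: (site, username, password). These are not real accounts.
SAMPLE_ACCOUNTS = [
    ("classroom.google.com", "jsmith2024", "jsmith2024"),                    # password is the username
    ("mail.google.com", "jsmith2024@example.org", "Jsmith2024!"),            # username plus a symbol
    ("shop.example.com", "jsmith2024", "Jsmith2024!"),                       # reuses the email password
    ("forum.example.net", "jsmith", "4202htimsj"),                           # username spelled backwards
    ("bank.example.com", "jsmith2024", "correct horse battery staple"),      # unrelated to the username
]

# Assumption: which sites in the export are email providers (Krebs' third rule).
EMAIL_SITES = {"mail.google.com"}


def _local_part(username):
    """Compare 'jsmith@example.org' as 'jsmith' so the email domain does not hide a match."""
    return username.split("@", 1)[0].lower()


def derived_from_username(username, password, min_len=4):
    """Return a reason if the password is trivially derived from the username, else None.

    min_len avoids false positives on very short usernames (assumption: 4 characters).
    """
    u = _local_part(username)
    p = password.lower()
    if len(u) < min_len:
        return None
    if p == u:
        return "password is the username"
    if u in p:
        return "password contains the username"
    if u[::-1] in p:
        return "password contains the reversed username"
    return None


def audit(accounts, email_sites=EMAIL_SITES):
    """Return a list of (where, reason) findings for the whole export."""
    findings = []
    sites_by_password = defaultdict(list)
    for site, username, password in accounts:
        reason = derived_from_username(username, password)
        if reason:
            findings.append((site, reason))
        sites_by_password[password].append(site)

    # Reuse is detected by grouping sites under the identical password string.
    for password, sites in sites_by_password.items():
        if len(sites) < 2:
            continue
        findings.append((", ".join(sites), "password reused across %d sites" % len(sites)))
        if any(s in email_sites for s in sites):
            # A breach of any of these sites hands the attacker the mailbox, and with it every reset link.
            for other in (s for s in sites if s not in email_sites):
                findings.append((other, "email password reused here"))
    return findings


if __name__ == "__main__":
    for where, reason in audit(SAMPLE_ACCOUNTS):
        print("%-45s %s" % (where, reason))
```

The username check is deliberately crude: it catches the cases the post describes (username as password, username plus a symbol, username reversed) and nothing subtler. A real audit would also run each password against a breach corpus, which this example does not do.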
What to do? The Smart Girl’s Guide to Online Privacy by @violetblue is a great primer on privacy and passwords. Chapter 10, “I Hate Passwords”, is eleven pages of good advice on creating and managing passwords, from which I crib below.
TLDR: Use a password manager and never reuse passwords.
If you decide to use a password manager, these great little apps can generate really strong passwords for you whenever you need one. You can also use password generators on trusted websites, such as LastPass or Norton.
Follow these rules and you’ll get better passwords:
- Make strong passwords that are at least 12 to 16 characters long.
- Don’t use pet or family names.
- Don’t use your address, Social Security number, birth date, or other personal information.
- Never recycle or reuse a password— not even once.
- Don’t let Chrome, Firefox, Safari, or any other browser save passwords for you.
- Use password phrases (usually six or more words long) for the best security.
- Include capital letters, numbers, and symbols if the app or site allows it.
Source: Smart Girl’s Guide to Online Privacy
But the best passwords are those generated by password managers.
Even better is to use random unmemorable alphanumeric passwords (with symbols, if the site will allow them), and a password manager like Password Safe to create and store them.
Source: Choosing Secure Passwords – Schneier on Security
Password managers like LastPass and 1Password save all of your passwords safely in a vault and encrypt everything. That way, you have them all in one place, no one can accidentally discover them, and you can make really complicated passwords, because the manager will keep track of them (and remember them) for you. You use one master password to unlock the password manager, and it saves and encrypts your passwords either locally or on its site. Most of these applications also have crazy-awesome password creators that you can and should use to generate super-strong new passwords with one click— and the password app automatically saves them for you.
Source: Smart Girl’s Guide to Online Privacy
I use 1Password to generate passwords. You can adjust the password recipe to accommodate any site’s password rules. Here’s the recipe I usually use.
That’s 50 random characters, which makes for a good password. Most sites will accept 50 characters, but there are still plenty out there that balk at passwords over 8, 10, 15, or 20 characters in length. Banks, unfortunately, are known for their short password limits (and crufty password advice). I start at 50 and work my way down until the site accepts the password. “Complexity is nice, but length is key.” Go for long passwords.
Update: NIST’s new password guidelines (SP 800-63B) recommend that sites allow passwords of at least 64 characters. 1Password updated its password generator to support a 64 character maximum.
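The recipe idea above, as an added example that is not 1Password’s code: a generator built on Python’s `secrets` module that takes a character-class recipe and a length, starts at 50 and works down to whatever a site allows, and reports the entropy of the result so you can see why length matters more than complexity. The class names, the symbol set, the 50-character starting point and the 12-character floor are assumptions chosen for illustration. It also computes the entropy of a six-word passphrase drawn from a 7776-word diceware list for comparison with the book’s advice on password phrases.

```python
import math
import secrets
import string

# Assumption: a "recipe" is a set of character classes plus a length, roughly the
# knobs a password manager's generator exposes. This is illustrative, not 1Password's code.
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?",  # 23 symbols; trim this for sites that reject some
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def generate(length, classes=ALL_CLASSES):
    """Return a password of `length` characters drawn uniformly from the chosen classes.

    Resamples until every requested class appears at least once, so site rules of the
    form "must contain a digit and a symbol" are satisfied without biasing positions.
    """
    if length < len(classes):
        raise ValueError("length %d cannot contain all %d classes" % (length, len(classes)))
    alphabet = "".join(CHARSETS[c] for c in classes)
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CHARSETS[c] for ch in password) for c in classes):
            return password


def entropy_bits(length, classes=ALL_CLASSES):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    alphabet_size = sum(len(CHARSETS[c]) for c in classes)
    return length * math.log2(alphabet_size)


def passphrase_bits(words, list_size=7776):
    """Entropy of a passphrase of `words` words drawn uniformly from a word list.

    7776 is the size of a standard diceware list (six dice, 6**5 words).
    """
    return words * math.log2(list_size)


def fit_to_site(max_length, classes=ALL_CLASSES, start=50, floor=12):
    """Start at `start` characters and shrink to the site's limit, as the post describes.

    Refuses to go below `floor` (assumption: 12) rather than silently produce a weak password.
    """
    length = min(start, max_length)
    if length < floor:
        raise ValueError("site limit %d is below the %d-character floor" % (max_length, floor))
    return generate(length, classes)


if __name__ == "__main__":
    for n in (8, 12, 20, 50, 64):
        print("%2d random chars: %5.1f bits" % (n, entropy_bits(n)))
    print("6-word diceware passphrase: %5.1f bits" % passphrase_bits(6))
    print("example for a 20-char site:", fit_to_site(20))
```

Running it shows the point of the post in numbers: 12 random characters from all four classes give about 77 bits, roughly the same as a six-word diceware passphrase, while 50 characters give over 320 bits. A site that caps passwords at 8 characters leaves you with about 51 bits no matter how many symbols you use.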
When choosing a password manager, get one that runs on all of the devices you use. I’ve used 1Password for years. It offers iOS, Android, Windows, and Mac clients. It can sync your passwords between devices via iCloud or Dropbox. If you need to share passwords among family or team members, check out 1Password for Families or 1Password for Teams. My family uses 1Password for Families. In addition to personal vaults for everyone, we have a vault shared amongst the whole family for streaming video and audio accounts. My wife and I have a shared vault for bank, medical, insurance, and other household accounts. Having login information for all joint accounts in a shared vault improves our family’s bus factor.
How passwords are stolen
Massive data breaches are not the only threat. Be wary of shoulder surfing and social engineering.
There are simpler ways to get your password though. One is shoulder surfing, where someone watches over your shoulder as you enter your password on your computer or phone while you’re logging in on the bus or plane or at a café. Social engineering is another way that you can have your passwords stolen. Basically, social engineering involves attempts to con you into telling someone your passwords. The person conning you might call you and pretend that they’re tech support for Gmail, telling you that you have email stuck somewhere and they need your password to log in and free it up. They might know the names of your friends or colleagues, as well as their phone numbers and email addresses— all of which they can find online via social media sites like LinkedIn, Facebook, Twitter, and people-search sites. Malicious people can also use information they find about you on Facebook and other sites to correctly guess the answers to password-reset questions.
Here’s one thing to know: if a teacher, boss, TSA agent, police officer, or anyone else tells you that you have to give them your password, you shouldn’t do it unless you know it’s against the law not to.
If you share an account with friends or family, do it the smart way. Don’t use a password that you use anywhere else. Treat the shared account like any account that can get attacked, but know that its security is weaker than that of an account that you have total control over because it has a shared password. Don’t connect that shared account to any other accounts; otherwise an attacker could use that connection to get into those accounts.
When sharing passwords with family, consider using a password manager that accommodates shared vaults.