Lodur over at Matticus’s post about password safety got me thinking. Parts of my day job involve computer security, so I’m going to go over some of the basics and tell you all what I do.
First off, as Lodur said, using a word for your password is bad mojo. Account crackers have virtually unlimited means to guess different words or combinations, and if you use a word in the dictionary, chances are they will eventually guess it, log in, shard all your gear, sell the shards, and move your cash to one of those gold spamming characters.
Next issue is how often you use your password. If your comment login for wowinsider is the same as your WOW login, all it takes is for a blogger to make a mistake and your password becomes essentially public. Bloggers make mistakes- we started blogs, didn’t we? More to the point, every site you re-use a password on is another vector for someone to get the keys to your whole online life.
After password re-use and password guessability, your largest risk is only a risk if you take it: sharing your account. I don’t care how cool your brother is. If you give him your password, he’s statistically most likely to burn you. Maybe not deliberately, but statistically. I’m going to be called a jerk for this one, but nobody, not even my beloved wife, knows my password. I would take my trust in her intentions to the grave, but if a mistake is made and my account gets ruined, I want it to be MY mistake. Never share a password.
Another issue is stagnancy. If you have a completely private, hard to guess password that you only use for WOW, but you haven’t changed it since 2004, you’re risking your account. The chances of some long shot hack in any given month are rare, but the longer it’s been since a password change, the more likely you are to be on some hacker’s list of accounts with known passwords.
That’s the theory, onto the practical stuff. What can you do to alleviate some of these issues? First off, memorizing multiple hard passwords is something only autistic savants can do. Create a weak stupid password you don’t care about, and use that to comment on wowinsider. More importantly, categorize all your logins by how important their security is.
Now all the logins you really need to keep secure should have unique unguessable passwords. How can you do that? The miracles of open source software come in here: go get Keepass from sourceforge.
Keepass is a wonderful little tool that gives you a master key to your online life. You create a key file, and you can add logins to it. It’s not something you want to use for really high importance stuff (online banking, PayPal, etc.) but for something like WOW, it’s ideal. Please note- this will not help you with some of the vulnerabilities I outlined above. You still have to change your public passwords once in a while, and never share them, in order for this to be worth it. Some other helpful hints- there’s an option for the program to clear your clipboard once you’ve pasted the password. Enable it, but be aware that it won’t work if you have some other sort of clipboard manager program. This helps avoid keyloggers and clipboard scanners. It’s not perfect, but it puts you in the top 1% hardest to crack accounts, and that’s good enough for me :)
The important thing about keepass is that your master key should be hard to guess, and never used for anything but the keepass database.
Making this one hard-to-guess password is important- what I suggest is to take two words you can remember, interleave the letters, and add two numbers in random positions. So, “dps” and “scrub” become “sdcprsu65b”. It’s going to be hard to remember this, so practice typing it out for a few minutes once a day for a few days.
Once you have a keepass file created, creating a key is easy. Just click on the “new” button. Here’s a sequence of screenshots for the process:
This is the box you get when you create a new login. The only thing you need here is to click “gen”, however putting a title will help you remember whether this is your WOW or WordPress account.
This is the cool part! Every password will have restrictions. I don’t know what they are for WOW as they only publish the minimum requirements, however I am assuming they accept letters, numbers, the “_” and “-” characters, as well as special characters. If they don’t, just untick whatever box they don’t support. Every site everywhere should accept numbers and letters though. As for the maximum length, go wild. Put as many characters as you want, but for all intents and purposes, anything above 16 is unbreakable except by the NSA. My Google password has over 30 characters. I’ll explain collecting entropy in a moment, so just click on “generate”.
Here you’re going to do something called “seeding”. Generating a random number is something humans are terrible at, and something computers are incapable of. Pseudo-random numbers, however, serve our purpose. Pseudo random number generators will always generate the same random sequence of numbers with the same “seed”. If your “seed” number is sufficiently random and unguessable, the number generated by the pseudo-random number generator will be actually random. Why is this important? For WOW, it isn’t. For the NSA, they know all the good pseudo-random number generator algorithms, and can often infer patterns if the same seed is used more than once. Solution? Collect entropy! Click on “use mouse as random source”, then wiggle your pointer for all you’re worth over that dot pattern. Unless you’re really precise, you won’t even know what random seed the program will get from this!
Once you’re done, you’ll have this screen. The highlighted part tells you how strong your password is. Green is good. The number of bits is basically based on the number of characters you picked. Here’s the one I generated to take these screenshots: “hK6FrE;zjkfy*Y=(4"8S”. Dictionary attack that, stupid gold farmers!
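To make the length, character set and seeding points above concrete, here is a small Python example I’ve added for this post (it is not KeePass’s code): it estimates the bits of entropy for a given length and alphabet, shows that a pseudo-random generator fed the same seed spits out the same password twice, and generates one from the operating system’s entropy pool instead. The character classes are a constructed approximation of the generator’s tick boxes.

```python
import math
import random
import secrets
import string

# Constructed approximation of the generator's tick boxes (not KeePass's own table).
CHARSETS = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "minus": "-",
    "underline": "_",
    "special": "!\"#$%&'()*+,./:;<=>?@[\\]^`{|}~",
}


def build_alphabet(classes):
    """Join the ticked character classes into one alphabet, dropping duplicates."""
    return "".join(sorted(set("".join(CHARSETS[c] for c in classes))))


def entropy_bits(length, alphabet_size):
    """Bits of entropy for `length` independent uniform picks: length * log2(size).
    This is what the strength bar is based on, and it only holds if every
    character really was picked uniformly at random (not derived from words)."""
    return length * math.log2(alphabet_size)


def seeded_password(seed, length, alphabet):
    """A pseudo-random generator is deterministic: same seed, same password.
    That is why the seed must be unguessable and never reused."""
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))


def secure_password(length, alphabet):
    """Draws from the OS entropy pool via `secrets` (a CSPRNG), so there is no
    seed for anyone to guess; this is what a password generator should use."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    alphabet = build_alphabet(["upper", "lower", "digits", "special"])
    print(f"{len(alphabet)} symbols, 20 chars -> {entropy_bits(20, len(alphabet)):.1f} bits")
    print("seed 1234 twice:", seeded_password(1234, 20, alphabet),
          seeded_password(1234, 20, alphabet))
    print("OS entropy:     ", secure_password(20, alphabet))
```

Run it twice: the seeded line is identical both times, the OS-entropy line never is, and a 20-character password over the full 94-symbol alphabet comes out at roughly 131 bits.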
Next up- the blizzard authenticator. The only time this will help you is if someone has your login, but not the key fob (the little code generator they ship us). Of course, anyone good enough to crack your password can probably crack your home address, phone number, or email, and as far as I know, that’s all Blizzard needs over the phone to deactivate the requirement for the authenticator. This is called a “back door” and is used to make the system more usable- imagine how horrible you’d feel if you lost your authenticator and had to start a new account. Unfortunately, it also makes it less secure. Still, adding any layer of security to your login won’t make you less secure.
Okay, well I’m going to go and soak my fingers- I think this might be the longest post I’ve written thus far. I’m sure I missed some stuff too, but I’ll be responding to comments as they come, so ask away.