So last night, I finally got around to changing my yahoo and gmail passwords and set up two factor authentication. This sounds like a very boring story, and it is, trust me, but it's also an example of the password equivalent of completionist doctrine: it must all be done.
Because Heartbleed, and why not.
I have a locked and secured doc that has a full list of all my accounts and passwords because you get to the point in your online life where everything can't be happy1 or you end up writing an article about how your iPad was bricked because someone wanted your twitter name and infiltrated your entire Apple ecosystem (that article was nightmare fuel and I don't have an iPad). One of the few useful tips I got from the article is having an account that has no purpose but to be a secondary email on all my accounts; it literally does nothing but receive email about my password changes or activities on my account. I call it my keysmash yahoo account that is the recovery backup for every single account I have. The password is a modified keysmash of thirty-two characters, the username isn't much better, and I don't even know it without looking it up.
This is significant because my master doc is huge--I made an effort with anything important to make a strong password that I could also, at least nominally remember. I added app passwords eventually, so it's ridic long. I started off fixing my gmail first and then my yahoo's--each has a specific type of email it receives (one devoted entirely to Facebook and Harrods, because why not), and setting up two factor authentication (kind of fun) on everything and getting more text messages than I ever have in my life.
Here's the thing; online security was not designed for the human brain, or at least not my brain. I honestly don't know who it was designed for except someone who gets off on calculating pi for days on end or has a hardon for prime number memorization, who can think like that.
At work, I have to change the password (upper case, lower case, number, special character) every three months
for my computer, PPM (for looking up defects and modifications for program testing), and my HR login to see my leave and etc. All have a two to three year password memory. My Groove messenger--like AIM, but for work--has another one that can be permanent, thank God. My secure email with Vontage--as opposed to regular email--has to have another one, and I think it has to be changed once a year. Seeing Middleware queues--where webservice calls go to die--needs to be updated every six months. For SQL queries in Oracle, the connection descriptors, usernames, and passwords for six different programs in four environments are each updated four times a year and each program has two to four users. I also have a weird encryption program on my work computer but it changes with my windows login. Oh, and VPN access so I can log in to my work computer from home, Jesus.
In a year as a tester, I will have to create or get updates for about one hundred and thirty two passwords just to log into my computer and do my job.
Online in my regular life, it's more flexible, but to secure my most important accounts, I have to have at least twenty high-security passwords with uppercase, lowercase, special character, number that I can remember off the top of my head and that doesn't count the login for my phone, tablet, laptop, my router login, my wifi login, and my server.
Facebook has an impossible one--I rarely use it, so I don't care that i have to look it up but I do care if someone hijacks it--Apple, Google Every Fucking Thing, Tumblr, DW, LJ, JF, Twitter, AO3, Hulu, Netflix, Roku, Dropbox, Evernote, Trillian, my bank app, my health insurance app, Paypal, Ebay, Sharebuilder, Newegg, my website bank login, cable, utilities, my phone, Amazon, my credit card, my retirement account at work, my health savings account through work, avast mobile security so if my phone is stolen I can erase it, McAfee, okay, I'm getting a headache. All of these have various levels of importance and security, right, because who compares your social media to your bank?
So when i was done with my password changes--smooth segue here--I was looking at my list and started working out how they were connected for vulnerabilities--remember that article I mentioned about the guy and his bricked iPad?--to see which could be considered major keys to everything.
Getting my google, I'm dead in the water, no lie; google infrastructure is like that, so that's a strong memorable password plus two factor authentication. Cracking my trillian gets you my fandom yahoo and google passwords, right, two factor the yahoos, already doing that. Which at this point, I sat down and diagrammed my online life by email address and account and how to limit the damage if one was hacked. The keysmash email seems relatively safe--you know, until fucking Heartbleed--but I ran into a problem here: I'm not a goddamn wizard. Mapping possibilities here in worst case scenario, there's no way I can do a separation that would limit hacking damage to my life to less than 20 percent without magic. For my online life--and real non-work life--I have right now eighty-nine separate passwords that are between medium and high-security needed password levels, and about twenty of them I have to be able to remember off the top of my head because I use them every day.
Modern world, I get that, but every time I read a smug security expert talking about how people are just stupid because they don't choose high security passwords for all five hundred of their online accounts and it's their fault they were hacked I want to destroy worlds or at least explain using small words this isn't (always) an issue of being stupid or lazy; the entire online ecosystem is working against you on this one.
Google alone terrifies me on a theoretical level, because it's linked to so much; Apple, same thing; Amazon, Jesus, it's growing in leaps and bounds; Yahoo, fuck my life; Microsoft, urgh; and I hate to point this out, but there's only so much separation possible. While diagramming my future hacked life, the safest measure seemed to be create a new email account for every single important account (bank, credit card, paypal, etc) to deliver to and secure each one to limit how much information a single hack can get, and it's not like there are a lot of secure online places to set up email accounts, and even if there were, we can't remember that many passwords
I get--because it's all I know--that this is how it is, that there's no way to be invulnerable, but completionist doctrine: I spent most of last night changing all my major and medium passwords because for the life of me, I spreadsheeted my online ecosystem to figure out a way to be a smart user and limit the damage if I was hacked and I couldn't get it below compromising twenty percent of my accounts with one successful hack. I'd get notified fast--I think I got that much from keysmash yahoo account and two factor authentication--and some of the accounts are pretty minor so it wouldn't matter, but--twenty percent
. I'm still working on a security model via staring at my spreadsheet and hating everything, but I keep hitting things i never thought of--my student loan account, places I shopped once or twice where I used Paypal or Google Wallet, and thought about how many places I thoughtlessly and crazily used my credit card and how they link into the ecosystem of online life and what else am I forgetting
? And how many passwords I changed yesterday that I still need to memorize because sure, firefox saves passwords, Chrome saves password, IE saves passwords, but if I get hacked, those are the first against the wall, and what if my laptop is stolen or hacked?
Or I take it to a repair shop and completely didn't think about any of that because apparently in the back of my mind repair guy/customer privilege, like lawyer/client privilege, and its not he knew that file existed, or the random name, or feel any need to open it out of the thousands of files on my computer and be curious why it was protected and crack the password. Because God knows, that was a very stupid user mistake, and for four days I didn't know I was 100% vulnerable in my entire online life.
I can't tell if I'm overreacting yet. I also have five passwords >= 20 characters to memorize, which isn't helping my mood at all. Paranoia: it's totally a thing.Further ReadingYes, I Was Hacked Hard
- welcome to my nightmare