This one’s a bit embarrassing.
I got down to Bandon late, but ahead of the 2 guys I was sharing a 3-room AirBnB with. I was tired and bleary and basically got inside the door, took my shoes off, crawled into bed, and went to sleep. The next day, I was trying to find my laptop and – uh-oh, where’s my laptop, again? I appear to have left it in the car, unlocked, in plain sight and maybe it grew little primordial legs and scampered off.
One thing I noticed is that the Pacific Ocean looks pretty much like it did the last time I looked at it. I stood in the bracing wind for a while, inhaling the spray-filled air, and watched the water go back and forth. It looks like water, still. Well, that took a few minutes. I worry sometimes that I do not have the heart of an artist, because I am fairly unmoved by sights like that – after a few minutes everything becomes “the place where I am” and I lose interest unless there’s something I find compelling. Reality, of course, is fractally detailed – I am quite capable of getting interested in individual grains of sand or shapes of rocks but again, those quickly become part of my reality and I move on from them mentally. I don’t get a lot of pleasure out of standing and looking at the Pacific Ocean, in other words. My mindset is more, “yup, there it is.” I probably should have locked the car, huh?
I used my phone to change the passwords on my important accounts, but even then I was not too worried – the laptop is locked with a 6-digit PIN and my email (which is on there) is on an encrypted partition that is usually dismounted. Unfortunately, I tend to turn off “find my device” tracking on devices because I don’t trust vendors like Apple, Microsoft, or Google not to turn that into some kind of clever new way of delivering marketing bullshit. So “find my device” is not an option. I have to admit it’d be pretty cool to be able to locate it right now, but, whatever – currently its trackpad is broken, the software setup of the device is a mess, and I was going to replace it anyhow. Mostly, I’m not concerned with recovery as much as I am with removing credentials from the device. That brings me around to the purpose of this posting: it’s time to update my published policy on passwords.
In [stderr] I presented a threat model for device passwords, above. It’s pretty much unchanged, though I have allowed myself to evolve toward vendor-specific solutions instead of using an external password manager like LastPass. I.e.: I use Apple’s password manager (and cloud storage) for passwords on Apple devices, and I use Firefox’s built-in browser-based password manager (and its cloud storage) for passwords on Windows devices. That technique evolved because I’ve been noticing that there’s about a 50% app overlap – some stuff is purely garbage (e.g.: some camera app for iPhone) for one platform or another, or a login required by the manufacturer of a graphics coprocessor card. I really do not care if someone is able to jack that account and mess with their precious marketing data. So, now I break my authentication world into:
- Apple Stuff
- Windows Stuff
- Valuable Stuff (ebay, amazon, paypal, freethoughtblogs, steam)
There’s a very limited amount of “Valuable Stuff” that goes in both worlds’ password vaults and everything else is realm-specific. What about “Crap”? I don’t worry about it, at all: that’s the stuff like nVidia’s stupid forcing me to log in in order to get GPU updates. Whenever I need to log in to something that’s crap, I just have them email me a new password, use it, and don’t even bother saving it.
All of this means that my authentication memory has boiled down to 3 credentials: the PIN for my Apple stuff, the PIN for my Windows stuff, and the passphrase for my data encrypted volume(s). On the volumes I use the same key because if someone is somehow able to break one of those, they own all my stuff anyhow.
Now, let’s talk about PINs. Apple defaults to trying to offer you a 4-digit PIN. Please don’t use a 4-digit PIN, OK? Apple doesn’t mention it to you, but you can go into your settings and set a 6-digit PIN. That’s much better. Another thing a lot of Apple users don’t know is that you can train up to two face recognition images. That’s useful for me because I wear glasses except sometimes I push them up on my head or take them off while I’m napping and it’s nice to learn that Apple apparently thinks I am a pair of glasses – or, at least, that’s the primary distinguishing factor between two versions of Marcus. I also use text verification for authenticating my Apple and Windows world accounts so if I add a primary device, I have to use one of my other devices to declare it as a primary (i.e.: if I get a new iPhone I’ll get a text on my iPad that I can use to verify my new phone).
So, that’s the state of authentication today. As you can expect, I find it … interesting. Basically, what the state of authentication reveals is nothing about security at all, but rather how thoroughly our customer experiences are dominated by the convenience of our vendors. That’s as it may be.
Let me entreat you one more time, if you are still using passwords like a “normal” person: stop. Let your devices’ built-in password manager suggest gnarly long passwords for each account that you have, as you change them, and do not ever use the same password on more than one account unless it’s a garbage account. That’s the way that you get caught out and have everything get compromised. [You’ll notice that my strategy of using a PIN to unlock password vaults in each “world” of devices also plays to defeat that] Also consider that your email account, since it can be used to reset passwords, is particularly important. In my case, I host my own email so that is separate from the google/microsoft-verse and I have a 26 character random password on my email, which is printed out on a label that resides [deleted]. The main thing – I’m going to repeat myself – is not to use the same password in two places, ever. A secondary goal should be to not waste your time remembering passwords – the technique you use to unlock your password vault should be something outside of the universe of internet passwords and PINs. That means it’ll never be capturable/interceptable by the network. I used to have a negative opinion of Apple’s face recognition but now I see it as a huge plus: the way I unlock my password vault in that universe is completely disconnected from that universe.
One of the fun things I recognized in the Vault 7 code which (at the time) people didn’t immediately understand was a collection of plug-ins (mini apps) for smart televisions that replaced the DNS names for the television’s time-servers with a static IP address. Why’s that? Well, a typical low-quality random number generator may use the system time as a seed. So, if you control the time server, when the system tries to generate a random number, you know the time and can predict the ‘random’ number by running the time through the same algorithm. It’s pretty clever. Back in 1992 when I was at TIS I hypothesized that it would be possible to make a random number generator that behaved sort of like it was under the uncertainty principle: if measuring it changed it irrevocably then someone trying to sample the random number would alter it and couldn’t use what they had sampled. So, I implemented my own version of /dev/random by shoving a bunch of system states (hard drive head position, control status registers, network buffer control block pointers, hardware clock, and process table interrupt vectors) through a cryptographic hash function. Those were things that, presumably, changed whenever someone sampled the random number pool, even if they were using another application like a kernel debugger. My implementation was pretty naive but it found its way up to MIT and wound up being re-designed to be much better and eventually became a part of Linux.
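As an added illustration (not code from the post, from TIS, or from Linux), here are the two designs side by side: a toy generator seeded only from a clock that an adversary controlling the time server also knows, and a pool that folds the clock together with hidden system states through a hash and perturbs itself on every read. The sample "system states" and the timestamp are constructed values.

```python
import hashlib

# Constructed illustration: a clock-seeded toy PRNG versus a hash-mixed entropy pool.

def lcg_stream(seed: int, count: int) -> list:
    """Toy low-quality PRNG: a linear congruential generator seeded from the clock."""
    x = seed & 0xFFFFFFFF
    out = []
    for _ in range(count):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append(x >> 16)
    return out

class HashPool:
    """Entropy pool: every sample, and every read, is folded in through SHA-256."""

    def __init__(self):
        self.state = bytes(32)   # all-zero starting state; real pools persist this
        self.reads = 0

    def mix(self, *samples: bytes) -> None:
        h = hashlib.sha256(self.state)
        for s in samples:
            h.update(s)
        self.state = h.digest()

    def read(self) -> bytes:
        # Reading perturbs the pool: output is derived from the state and a read
        # counter, and the act of reading is mixed back in, so a second read differs.
        self.reads += 1
        out = hashlib.sha256(self.state + self.reads.to_bytes(8, "big")).digest()
        self.mix(b"read", out)
        return out

def victim_pool(time_from_server: int, volatile_states: list) -> HashPool:
    """Seed a pool from the (adversary-known) clock plus states the adversary cannot see."""
    pool = HashPool()
    pool.mix(time_from_server.to_bytes(8, "big"), *volatile_states)
    return pool

def clock_only_is_predictable(time_from_server: int) -> bool:
    """Whoever knows the clock value reproduces the clock-seeded stream exactly."""
    return lcg_stream(time_from_server, 8) == lcg_stream(time_from_server, 8)

def pool_resists_known_clock(time_from_server: int) -> bool:
    """Same clock value, but one differing hidden state: pool outputs diverge."""
    a = victim_pool(time_from_server, [b"disk-head:1234", b"irq:77"])   # constructed
    b = victim_pool(time_from_server, [b"disk-head:1235", b"irq:77"])   # constructed
    return a.read() != b.read()
```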
I’m gonna just throw this out there: if you’re still using the same password on more than one non-crap account, you’re the IT equivalent of an anti-vaxxer. Just get with the damn program, already, mm?