Mr Kissell’s Take Control of Passwords is the latest in the Take Control series, and it is a well written and well researched ebook that is going to give you a lot of information that you need, even if you’re not sure you need it; a lot of very good advice; and a coupon for a discount on 1Password. The coupon is worth almost the entire price of the book, so go buy it and read it. You’ll educate yourself and get a price-break on an excellent software product in the bargain.

This is the second edition of this ebook, and not having read the first I can’t say what’s changed, but this edition is longer and has a lot more information in it.

For anyone who knows me, you know that password security is an issue that is near and dear to my heart. I wrote a short piece on it on my blog and have written quite a bit on various mailing lists over the years. So it was good to read someone else’s take on password security and find that we agreed on pretty much everything. Sure, I have some minor disagreements with a few points, but let me be clear that nothing Mr Kissell says is wrong; he just has a slightly different stance than I do on a couple of things.

“If you feel that some of my recommendations are inappropriate for your situation, please don’t hesitate to ignore (or modify) them. Choose a shorter or more memorable password than what I suggest. Use the same password in more than one place. Keep your passwords written down in a notebook beside your computer.”

While I agree with the spirit of that statement, I have to disagree most strongly with some of the specifics. Most especially, re-using a password. This is the single most common mistake and it is in my opinion always a bad idea. What you are doing when you reuse a password is giving every person or organization that you use that password with potential access to everything else that uses that password. No matter how low your risk is, having everything you do online exposed would almost certainly be embarrassing[1]. Just having your search history exposed could cause all sorts of issues. But the main reason that I disagree with this is simply because it is a bad habit to get into. Sure, you might use ‘avalon12’ for all your web-boards thinking that it’s no big deal if someone figures it out. And it might not be. But what if you become very involved in a site, posting a lot and in private areas where you are just talking to a few select friends about something very personal? Are you going to remember to change that password? Unlikely.

With something like 1Password it is trivial to always have a secure password for everything, which means you never need to re-evaluate if a password is ‘strong enough’. For anything on the Web I always let 1Password create a password and chances are good I never even see it.
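As an added illustration (this is not code from the book or from this review; the CSV export, site names and credentials are constructed for the example), here is the audit the reuse argument above implies: given a password manager's CSV export, find every password that appears at more than one site, and list what else is exposed if one of those sites is breached. The report labels each password by a short digest rather than echoing it.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export in the shape of a password manager's CSV export.
# Every value here is made up for this example; none are real accounts.
SAMPLE_EXPORT = """title,username,password
webboard-a,stephen,avalon12
webboard-b,stephen,avalon12
bank,stephen,xmHb157C8JBMvX9Lh0dF
webmail,stephen,avalon12
"""


def load_vault(csv_text):
    """Parse a CSV export into a list of {title, username, password} dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def fingerprint(password):
    """Short digest used to label a password in a report without printing it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:8]


def reuse_report(entries):
    """Map fingerprint -> sorted titles, for every password used at more than one site."""
    by_password = defaultdict(list)
    for entry in entries:
        by_password[entry["password"]].append(entry["title"])
    return {
        fingerprint(pw): sorted(titles)
        for pw, titles in by_password.items()
        if len(titles) > 1
    }


def blast_radius(entries, breached_title):
    """Other sites exposed if the password used at breached_title leaks."""
    leaked = {e["password"] for e in entries if e["title"] == breached_title}
    if not leaked:
        raise KeyError(f"no vault entry titled {breached_title!r}")
    return sorted(
        e["title"]
        for e in entries
        if e["password"] in leaked and e["title"] != breached_title
    )


if __name__ == "__main__":
    vault = load_vault(SAMPLE_EXPORT)
    for fp, sites in reuse_report(vault).items():
        print(f"password {fp} is reused at: {', '.join(sites)}")
    print("if webboard-a is breached, also exposed:", blast_radius(vault, "webboard-a"))
```

Run against a real export, a non-empty report is the list of sites to rotate first; a unique password per site makes every blast radius empty, which is the whole point of letting the manager generate them.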

Mr Kissell spends some considerable time talking about the two different types of passwords. This is useful information if you’re storing passwords the old fashioned way (in your memory) but is more an interesting thought experiment otherwise.

Mr Kissell mentions that you should not use ‘high-ASCII’ characters for logging into OS X. I was unaware of the ‘high-ASCII’ problem in login passwords, but since it affects 10.4.0-10.4.2 only, I feel safe in ignoring it. I don’t use ‘high-ASCII’ in my user account password because I often log in remotely via a command line, but I do in my admin account since I am not concerned with ever logging into that account remotely.

The section on devising a pattern for passwords you can remember and rebuild is interesting, but I think for the vast majority of people, those who most need remedial password assistance, it is way beyond them; they get confused at the idea of mixing numbers in with letters. Building a base password and then modifying it based on the web site is effective, but it takes mental gymnastics that require more practice than most people are willing to give.

Joe Kissell is the type of person where I can say, “Hey, I have a nifty trick to convert Celsius to Fahrenheit. Take the degrees in C, double them, subtract 10% and then add 32. (100*2 = 200, minus 10% = 180, plus 32 = 212). Lots easier than that 5/9th stuff!” Joe will get that. Most people will look at me blankly and say, “Wha?” If you understood my quick and easy C to F conversion, then the mental agility of base passwords and site specific modifications will likely make sense to you, but really, why bother? There are better ways, and more secure ways.

On the issue of having your screen-saver lock your computer, Mr Kissell opines,

“If you use your Mac only in a setting where you needn’t worry about someone else walking up to it and accessing your accounts, leave this disabled….”

Again, I have to disagree with Mr Kissell. My desktop machine sits in my office in my house. I am not worried about anyone walking up and accessing my files, but I lock my screen because with the screen locked anyone can walk up to my machine, click ‘Switch Users’ and log in with their own user name. There is no chance of their accidentally losing my place in a file, stopping some video encoding, closing a window I wanted open, or navigating away from a web page I was in the middle of reading. This has nothing to do with security in this case; it has to do with convenience, mine and everyone else’s. If you’re single, living alone, and in a remote cabin in Montana then sure, locking your screen is probably not necessary.

“By default, Mac OS X logs you in automatically when you turn on or restart your Mac”

This is true if there is only one account on the computer. As soon as you create a second account, Mac OS X asks you if you want to disable Automatic Login. In most cases, you do. Even if you have one user, you still might want to disable it. It should always be disabled on a laptop as Mr Kissell says, but I also recommend that the Guest account be enabled on any laptop, as this means the laptop is usable and decreases the chances that time will be spent trying to get to your personal files.

Perhaps the most important topic covered in Take Control of Passwords is the Emergency Password Plan. This is the biggest issue to password security and it means trusting someone else with access to all your data, every password, etc. When my step-mother died one of my tasks was to get into her computer. My step-mother was not a security freak, so it was pretty easy for me to figure out her passwords. But if I got hit by a truck, no one would be able to guess my passwords. Joe has some strategies, but I’d like to add one more, which should work for anyone who is a security freak AND doesn’t require trusting anyone too much (this isn’t what I do, my wife has all my base passwords in her computer’s keychain).

Keep a USB drive on your keychain. Have on there an encrypted html of your 1Password data and keep it updated. And keep an encrypted disk image on the drive that contains the password to the html. Make the password for the encrypted dmg something that someone could figure out. Or put that password in a lock box, safe, lawyer’s file, or spouse’s brain. The information that you are trusting someone else with doesn’t give them access to your information unless they ALSO have the USB thumb drive.

There is one issue of Password Security that Mr Kissell does not cover, and it is the issue that causes the most trouble and is also the most common: shared computer accounts and emails. So many people have a single user login for their computer. You have a family of five and the computer is used by all of them, which is fine, but they all use the same login. This is a disaster waiting to happen, and a security nightmare. Everyone’s passwords end up jumbled together and there is no security at all.

OS X makes it very easy to create and manage multiple accounts, and this is the first and absolutely crucial step to having any sort of security. Everyone who uses the computer should have their own account. Whichever adult is most nerdy–er, techy–should have access to the admin account, and only that person.

One last issue that Mr Kissell touches on is the issue of password resets and security questions. Anyone who’s read my aforementioned blog post knows my solution to these two issues, but I will reiterate.

For password resets use a free mail account (Gmail, Yahoo, &c) for registering with all web-sites, but use it only for this purpose. Never send mail to it yourself, or send mail from it anywhere. Password reset requests will go to this account and will not show up in your generic email.

As for the security questions some websites use, I treat these as secondary password fields. I put in randomly generated passwords of more than 10 characters and I let 1Password sort it out.

Web site: What’s your mother’s maiden name?

Me: xmHb157C8JBMvX9Lh0dF

That works quite well, though some web forms will only allow letters or maybe numbers in these fields.
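Here is the “security question as a second password field” approach as an added, runnable example (my code for this page, not the book’s or 1Password’s). It generates random answers of more than 10 characters, restricted to whatever character set the form accepts, since some forms reject punctuation or digits; the alphabet names and the helper functions are assumptions of this example.

```python
import math
import secrets
import string

# Character sets matching the form constraints the review mentions: most sites
# accept anything, some allow letters only, some letters and digits only.
ALPHABETS = {
    "any": string.ascii_letters + string.digits + "!#$%&*+-=?@^_",
    "letters": string.ascii_letters,
    "alnum": string.ascii_letters + string.digits,
}

MIN_LENGTH = 11  # the review's "more than 10 characters"


def random_answer(length=20, allowed="any"):
    """Return a random 'answer' built only from characters the form accepts.

    secrets.choice draws from the OS CSPRNG, so the answer is unrelated to
    anything about you; a real answer (a surname, a pet's name) is drawn from
    a small set and is often discoverable from public records or social media.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"answer must be at least {MIN_LENGTH} characters")
    alphabet = ALPHABETS[allowed]
    return "".join(secrets.choice(alphabet) for _ in range(length))


def answer_fits(answer, allowed):
    """True if every character of answer is allowed by the given form constraint."""
    return all(ch in ALPHABETS[allowed] for ch in answer)


def entropy_bits(length, allowed):
    """Guessing entropy of a uniformly random answer of this length and alphabet."""
    return length * math.log2(len(ALPHABETS[allowed]))


def fill_security_questions(questions, allowed="any", length=20):
    """Generate one random answer per question.

    Store the returned mapping in the password manager next to the site's login
    (e.g. as a note); the answers are not meant to be memorised.
    """
    return {question: random_answer(length, allowed) for question in questions}


if __name__ == "__main__":
    for question, answer in fill_security_questions(
        ["What's your mother's maiden name?", "Name of your first pet?"], "alnum"
    ).items():
        print(f"{question} -> {answer}")
    print("entropy of a 20-char letters-only answer:", round(entropy_bits(20, "letters"), 1), "bits")
```

Pick the most restrictive alphabet the form tolerates; even a letters-only answer of 20 characters has over 100 bits of guessing entropy, far beyond any real maiden name.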

Anyone who is up on Password Security will note, and wonder, why neither Mr Kissell nor myself have even mentioned two-factor authentication. I can’t speak for Mr Kissell but as for myself I have to say that in general, two-factor schemes don’t work very well, or are horrifically expensive, or are massively inconvenient. Home computer biometrics are trivial to bypass (and most Enterprise/Corporate biometrics as well) and the physical dongles are simply not widely supported. In fact, the only two-factor login that I know of that is at all successful is the World of Warcraft Blizzard Authenticator, which is only useful and successful because it is available as an iPhone application or as a very cheap USB dongle.

[1] As an example, in checking some facts on some emails I was replying to, last week I googled for “pedophilia laws”, “Nazi organizations near me”, and “thermite”. Could be a bit of an issue depending on how that information was disseminated.

  2 Responses to “Take Control of Passwords”

  1. Thanks very much for your detailed and thoughtful review. I thought I’d chime in with a few comments.

    First, the disclaimer you quoted was there at the insistence of the publisher. As I hope I make clear later in the book, the only situation in which I truly think it’s potentially maybe sorta OK to reuse passwords is in very isolated, low-security situations. But even though I’d never reuse a password personally, and even though I preach the logic of using something like 1Password to keep all your passwords unique, I recognize that not everyone has the same security needs I do, and I’d rather people took some of my advice than none of it!

    That’s just one example of places in the book where my advice was formerly much more firm, but was softened due to the considerable push-back that occurred during technical review and editing. The recurring theme was, “Yeah, but you live in a big city and have a million accounts and do all kinds of geeky stuff online… someone who lives out in the country and does nothing but randomly surf the Web is going to reject all these requirements as irrelevant to their situation and conclude that the book is worthless to them.” And that is, of course, true to a certain extent.

    The same goes for the tricks to remember passwords. If I had my druthers, I’d leave that whole bit out, because that’s not what I do (I used to, but not anymore), but I’ve had a shockingly hard time trying to convince certain influential people in the Mac world that it’s really OK to not keep everything in your brain, and that you can really trust programs like 1Password (or, failing that, a piece of paper). So I wanted to present a plausible alternative for people who, despite my recommendations, are going to be stubborn about doing things the way they feel safest with, and at least make it as easy as possible.

    As for shared accounts and email… I’m surprised no one brought that up previously, because I would have loved to write a rant about what a bad idea that is – and maybe I will for the next edition! I can see it on a media center Mac or something, but honestly, that’s so far from what I consider rational behavior that it didn’t even occur to me to say anything. It’s like not bothering to mention that you shouldn’t take your new toaster into the bathtub with you. :-) Of course, my bias comes from having always lived and worked in situations where Macs outnumbered humans, and clearly that’s not always the case!

    Finally, as for multi-factor authentication: I do talk about it, on p. 101-102, in the context of using biometric devices.

    Cheers,

    Joe

    P.S. In the very first line of your review, you say “Mr Kissell Kissel’s…” Of the many ways my name has been misspelled, that’s a first :-).

  2. Fixed the typo on your name, and I completely missed pages 101-102 both times I read through the book. Must have been too early, or too late, or too something.

    As for shared accounts, it seems to be the norm with home computers, Windows or Mac, though it makes more sense in Windows (Windows is nigh-unusable as a non-admin user, believe me, I’ve tried). Almost everyone I know has one login, even across multiple machines and multiple users. Even my [REDACTED FAMILY MEMBER] who should know better. I get emails all the time and I have no idea who they are really from because anyone in the family might be accessing any one of the email accounts. His/Her kids have retreated to Facebook for email. Ugh!

© 2012 Brain Drippings