The HOW TO for securing your passwords as well as your daily hug is below.
I'm going to cite a few fun facts first about our brains ability to scale.
- Our brains: one size does not fit all.
Secure password recipes exist a-plenty on the inter-tubes today. Why do you need this one? Because it works for me. Think of this as a cooking recipe. Humans respond to a variety of different food recipes. Technology is no different than food in that regard. You just may realize improved security in your life by using a recipe that fits you best. This is one that works for me.
- Our brain: ten chunk size.
Studies have shown that the chunk size of the brain is 7-9. This is why phone numbers are nine digits and area codes are additional. Nine digits is optimal for people to remember.
- Our brain: 100ms clock cycle.
If you watch a car wheel as a car starts pulling away eventually the wheel will appear to start rolling backwards. Why? When? Why is because your brain has a clock cycle where it only registers information for you to realize ten times per second. When is at a tire rotation rate of eleven times per second. Since you can only process ten-times-per-second then at a tire rotation rate of eleven-times per second the second frame will appear to be at a position going backward relative to the first.
- Our brain: social groups of thirty miles.
Did you know that until 1900 the average person never wandered and met people on the Earth in a radius greater than thirty miles? This is key to our understanding of socialization because from an evolutionary stand point your brain hasn't adapted to a scale of people greater than one would encounter in a less populated world...within a thirty mile radius in a rural setting. Most of our brains evolution was in an environment of only one culture and one language. The majority of people today tending towards living in high-density population cities with a multitude of cultures is also a recent phenomena that happened after 1900.
- Our brain: social groups and one size does not fit all.
One size does not fit all when it comes to social group scale as well. What does this scale mean? It means that any one person's empathy does not scale directly to billions of people and millions of social groups just like you cannot directly remember 100's of passwords. Expecting any single human being to have empathy for all humans is as ludicrous as expecting everyone to remember all passwords for all time where each password is distinct. Empathy for all, peace in our time, will require an indirect network of empathy where each node in the network has empathy for its immediate surrounding nodes and we scale out peace in our time by learning to manage networks of empathy, just as I am instructing you here on building out a network of passwords.
This HOW TO is in the tradition of a cooking recipe. A cooking recipe assumes you know some basics like how to boil water, chop vs. dice, etc. If you need to learn the basics of cooking that is done elsewhere. The same applies here. I'm going to assume you know how to password protect a ZIP file, use Google to find a password generating web site, etc. This recipe is not security optimal but it is easily doable, I use it every day. The recipe incorporates many best security practices. The security weakness is the length of 10. However, I choose 10 because of our ability to memorize 10. I also leave out punctuation to ensure ease of memorization.
- Time to prepare: 2hrs. I rather think that if you care very much about your identity then the time is worth it.
- A text file with a name the ends in ".txt".
- 100 secure passwords. The passwords should be 10 characters long and should not include punctuation.
- 2 USB keys. You want the kind of keys that are metal and that have no flanges. The width and height of the USB port should be uniform end-to-end. The reason for no flanges is that a slim key can fit into any USB port. Many devices group USB ports closely and a flange may prevent a key from being inserted if other USB devices are also plugged in simultaneously.
- Encrypted home directory on a laptop.
- Encrypted phone as desired.
- Printing capability. Your own or go to Staples or other printing place.
- Blank business card for your wallet.
- Create a text password file with your 100 secure passwords on your encrypted home directory of your laptop. If someone steals your laptop and copies the data off of your drive your passwords are protected because the directory with the file is encrypted. This is not protection against the NSA but thieves.
- Create a desktop shortcut such that you will always have your text password file always open on a click.
- Create a password protected ZIP file of your text password file using only your ATM PIN as the password. The security here is that you should always be able to remember your pin and that you treat your USB key like your car keys. If your physical car keys are ever lost or stolen you'll need change keys and locks. If your physical USB key is ever stolen you will need to change passwords.
- Copy the password protected ZIP file to one of your USB keys.
- Have both USB keys on your physical key ring. The second USB key is for data transfers. Never use the USB key with your password file for data transfers. The USB key with your password file is only for your passwords.
- Begin changing your passwords on the Internet moving the passwords in your password file from the list of unused 100 to a new entry in your text file with a new heading for a web site. Create a new paragraph in the password text file with web site URL as the first line. On the next line add the account name and password. If there are any security questions continue the paragraph. Your list of available passwords should get shorter as passwords are moved from the available list to the various paragraphs containing the used passwords.
- Answer all security questions with different passwords and add those Q&A security questions and passwords to the password fie under the appropriate paragraph. Do not answer security questions with actual answers. Banks and other web sites do not care if you type in a garbage answer of a randomized password as the response to your favorite movie, for example. Much identity theft happens not because of password cracking or password theft but because of easily guessed security questions. Use passwords to answer all security questions.
- OPTIONAL: Copy the password file created earlier to your encrypted drive on your phone. Make sure the file is not backed up to the cloud, just on the phone. Be sure to have a service that wipes your phone if the phone is lost or stolen. If it is unclear how to ensure the file is not stored on the cloud or you do not have a service to wipe the phone remotely then don't use your phone.
- Print out a copy of your password file and keep it in a safe place at home on an ongoing basis. I keep that print out with my will. When I die my passwords are with my will.
- Regularly update the password file on your USB key, on your phone and your print out.
- Every password you choose must be unique, taken from the original list of 100 that continues to grow shorter.
- When the list of one hundred is exhausted then you will then need to add 100 new passwords. Be sure to print out that list and update the USB ZIP file especially when you add 100 new passwords.
- At work, copy the passwords from your file to a business card you keep on you at all times. Do not copy anything but the passwords, such as the account names, web sites, etc. If someone gets a hold of your password business card they only have the passwords on that business card and not what they unlock. If someone steals your wallet or purse you'll need to change your passwords on that business card.
- The most important thing you do is the creation of the 100 passwords upfront, copying that password protected ZIP list to your USB key and printing that list out keeping it in a safe place. The protocol above requires backing up your password file on a regular basis. The most important backup is the one where your 100 passwords are initially created. If you ever lose your password file completely and have forgotten to backup your password file then you have all the passwords possible in the initial file.
- Cut/copy/paste of your password is preferred. Malware in the form of key logger will only be able to log the key strokes of cut/copy/paste and not your password. Some web sites do not allow cut/copy/paste of passwords but most do.
- Answering security questions with passwords is also most important.
- Having a unique password for each web site is also most important. Three things are most important. If any one password is compromised then only one web site is compromised.
- In a pinch at work then memorize one of the 10 length size passwords. This is why 10 as a length size was chosen. Do not put your password file on any work property. If need be then use the business card to write down just the password or memorize a couple.
- Use any 10 length size password you have memorized as a common root for other passwords at work. I typically will use a 10 length password plus the business name itself. The 10 random characters provide the core of a secure password. Prepending or appending common words to a secure password does not make that password any less secure. I personally have two 10 character length random passwords memorized at all times.
- Never use the same password twice, especially on web sites you may only use once. This is because passwords are stored on computers that can hacked or copied. That password's security is only as secure as the company that stores it. Never use the same password twice.
- Some sites require punctuation in passwords and the ones in the recipe call for no punctuation for ease of memorization. In these cases I recommend you pick a single punctuation character and stick with it.