Ok, I’ve been having a debate in my head for about a week now, and so I figured I’d open it up for discussion:
Right now, I have three classifications of passwords:
- "Secure" – A memorable, yet obscure base (would look random to most people) with host-specific unique data inserted within (via a mental hash function)
- "Screen-door lock" – a simple mixed case alphanumeric password I reuse across multiple hosts. This is for hosts (typically, random Web sites) where it would be mildly irritating if someone had access to my account…
- "Who cares" – This is for the hosts that I don’t care about yet require me to input a password. It is a completely insecure, throwaway password. It could probably be brute-forced in about 30 seconds.
I began thinking about whether or not it would be ultimately more secure to have one classification of password (really secure, pseudo-random noise) and store those passwords in a single, encrypted password store behind a single "secure" password. This store would obviously be very well backed up and treated like other personal data.
Clearly, this is a single point of failure, so if someone compromises my password store, everything is compromised. On the other hand, each individual password would be far less guessable…
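As an added example (not the author's actual scheme, which uses a memorized "mental hash"), the following Python shows the "secure" class from the list above done mechanically: a single memorable base secret is fed through HMAC-SHA256 with the hostname as the message, so each host gets its own password, the derivation is reproducible at login time without a password store, and a password leaked from one host reveals neither the base secret nor any other host's password. The base secret and hostnames are constructed sample values; the `random_password` helper stands in for the "one classification, stored in an encrypted store" alternative, which needs a store precisely because it is not reproducible.

```python
import hashlib
import hmac
import secrets

# Password alphabet: mixed case letters, digits and a few common symbols.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%&*"


def _keystream(base_secret: str, host: str):
    """Yield an unbounded stream of bytes derived from (base_secret, host).

    Each 32-byte chunk is HMAC-SHA256(key=base_secret, msg=host||NUL||counter),
    so the stream is as long as needed while staying deterministic.
    """
    counter = 0
    while True:
        msg = f"{host.lower()}\x00{counter}".encode()
        yield from hmac.new(base_secret.encode(), msg, hashlib.sha256).digest()
        counter += 1


def derive_site_password(base_secret: str, host: str, length: int = 16) -> str:
    """Derive a per-host password from one memorized base secret.

    HMAC keyed by the base secret replaces the author's "mental hash function"
    (hypothetical substitution, not the author's method). Bytes are mapped onto
    ALPHABET with rejection sampling so no character is favoured by modulo bias.
    """
    limit = 256 - (256 % len(ALPHABET))  # largest multiple of the alphabet size
    out = []
    for b in _keystream(base_secret, host):
        if b < limit:
            out.append(ALPHABET[b % len(ALPHABET)])
            if len(out) == length:
                break
    return "".join(out)


def random_password(length: int = 20) -> str:
    """Uniformly random password (the 'store it in an encrypted vault' option).

    Unlike derive_site_password this cannot be regenerated from memory, which is
    exactly why it needs a backed-up, encrypted store behind one master secret.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    base = "correct horse battery staple"  # constructed sample base secret
    for host in ("mail.example.org", "shell.example.org", "www.example.com"):
        print(f"{host:20s} {derive_site_password(base, host)}")
    print("vault-style random  ", random_password())
```

The trade-off the two functions make visible: a derived scheme has no single store to compromise but ties every password to the secrecy of the base, while a random-per-site scheme isolates each site completely at the cost of the store becoming the single point of failure.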
It looks like Universal Hub is either changing focus or has been hacked…
So the account compromises I mentioned the other day seem to be a symptom of a bigger epidemic. Several friends’ machines had rootkits installed on them, and it took a while for my friends to contain and repair the damage (some machines are still offline). I am feeling a little bit better because it seems less likely that I was the cause of these failures and more that I was just a victim, but I still used the same password on multiple machines, which is bad news. It is comforting that several of my friends had the same bad habit, so at least I’m in good company. :P
I’ve reset my passwords on those boxes to random characters and am using ssh keys to authenticate instead. There are a few systems I can’t do this on, however. CSH, for example, requires me to password authenticate to retrieve my email and use other house resources, so I can’t set that to a random password. I have, however, picked a password that is unique to each system where I have to use password auth and have unique ssh keypairs (with unique passwords) to each machine I have physical access to. I’ve also decided to never jump out from one remote machine to another (for instance, log in to CSH, then from there log into Matt’s machine), so if the first machine is compromised I don’t have to worry about some rogue sshd snarfing my password (which was one “feature” of the rootkit used in these attacks). Finally, I will change all of my passwords every few months.
As far as I can tell this is about as good a policy as I can come up with. Any suggestions are appreciated.
I had a strange question asked of me today… Matt Weaver asked me if I had tried to ‘su -’ on his machine today… I hadn’t, which opened a huge can of worms that ended up with me (and others) believing that my password was somehow obtained and used without my knowledge by persons unknown. This problem was exacerbated by the fact that I was using the same password on many systems. If the person was a good cracker, they would have covered their tracks, so it’s difficult to tell how long they’ve been at this, but if we are to believe the logs it seems like it was only today (er, Wednesday).
I do my best to choose good passwords, but I guess I had one bad habit left, which was using the same password on multiple systems… I suspect that many of you reading do this, so I don’t feel so guilty, but still…
Anyway, I have gone through all the Unix systems I have access to (or, at least the ones I remember) and changed my passwords to something unique to each system. I’ve also deleted any ssh keys I had floating around as they can’t be trusted anymore. At least this way, if this happens again, using unique passwords on all the various systems will limit the blast radius. If you’re reading, I hope that was fun for you. (P.S. If I have an account on your machine and I haven’t mailed you, let me know because I might have forgotten about you.)
In less aggravating news I saw Henry Rollins tonight doing his Spoken Word act… As always, a wonderful show (although the seats sucked).