This article originally appeared in TidBITS on 2015-02-23 at 10:49 a.m.
The permanent URL for this article is: http://tidbits.com/article/15439

Take Control of Security for Mac Users, Chapter 5: Improve Your Passwords

by Joe Kissell

This article is a pre-release chapter in the upcoming “Take Control of Security for Mac Users,” by Joe Kissell, scheduled for public release later in 2015. Apart from Chapter 1: Introducing Mac Security [1], and Chapter 2: Learn Security Basics [2], these chapters are available only to TidBITS members [3]; see “Take Control of Security for Mac Users” Streaming in TidBITS [4] for details.


Chapter 5: Improve Your Passwords

Whether you’re talking about your Mac’s user account, your Wi-Fi router, any of the zillions of Web sites where you might have an account, or countless other services, passwords are nearly always a factor in digital security. They are also nearly always the weakest link.

If the only thing standing between a random visitor and your data is your password, that password had better be pretty darn strong. Unfortunately, most people use lousy passwords that are easily guessed or broken, for the simple reason that they’re convenient to remember and type. And that’s a real pity—your Mac (including built-in software like Safari and Mail) supports excellent, heavy-duty security methods, but if you pick a terrible password, it’s like using a fantastic lock but then hiding your key under the doormat.

So, for the various ways in which your Mac itself uses passwords, as well as for the devices and services to which you connect with your Mac, one of the most crucial steps you can take to improve your security is to improve your passwords.

Note: If you want to learn much more about password security, I have a book on that subject: Take Control of Your Passwords [5]. It goes into far more detail than this chapter and helps you build a complete strategy for dealing with all your passwords—including complicated special cases.

Learn about Password Security

What’s your password?

Sorry, that was a trick question. If you can answer it, you may have a problem.

Wait, what? Ah yes, I misspoke—you more likely have two problems!

The first problem is that you shouldn’t have just one password, but many; if you do have only one, you’re playing with fire. The second problem is that, of the many passwords you (should) have, nearly all of them should be so long and complex that you couldn’t possibly remember them without looking them up. If you can remember them, there’s a good chance they’re not strong enough.

If you find any of that information surprising or disturbing, read on for an explanation of both the problem and the solution.

When you’re asked to create a new password, perhaps your first impulse is to use the same password you use everywhere else, because it’s easiest to remember a single password. And what is that one password? An astonishing number of people use memorable and easy-to-type sequences like password, baseball, qwertyui, the name of a child or pet, or something snarky such as stopasking. What if they’re required to include a capital letter and a number in the password? Why, they’ll choose Password1 or Baseball2, of course! This is a dangerous habit.

If I found your Mac unattended and decided to break in to one of your accounts, I might start by trying some of the most commonly used passwords—it’s easy to find lists of them online—and if I happened to know anything about you, I might also try words, names, and dates I know you’d remember.

But that’s not how most password attacks work. Sophisticated attackers can use freely available software to crack passwords using a variety of methods, including automatically checking lists of common passwords, trying patterns of all sorts, or even systematically checking every possible combination of characters (up to a point)—all very quickly and effortlessly. Your passwords need to be more sophisticated to resist cracking attempts long enough that the attacker will give up. (How do you come up with passwords like that? We’ll get back to that in a moment—see Create Strong Passwords [6].)

Note: An easier way to get your password than guessing or using cracking software is to trick you into supplying it yourself—for example, using email messages that lure you to fake Web sites. We’ll return to that topic in Avoid Phishing Attempts, in Chapter 8.

In case you were wondering, safeguards designed to lock out people who enter the wrong password too many times in a row are useful—but not a guarantee. The bad guys might be able to go around your password entirely by exploiting a flaw in your security software. Or they might have a stolen or hacked list of encrypted passwords that they can run their cracking software on, without any of those pesky anti-intrusion measures interrupting them. Don’t assume that just because you can’t try more than a few passwords per minute, no one can! These days, password-cracking setups can try billions of password combinations per second.

Now suppose an attacker somehow managed to crack one of your passwords—Twitter, Facebook, LinkedIn, or whatever. Precisely how it happened is irrelevant; the point is that things like this can and do occur all the time. The fact that someone knows your password is troubling, but hey, if it’s “just” a social media account or what-have-you, it’s no real crisis, right? You can change your password and move on.

But nobody cares about accessing your LinkedIn account. If someone cracked your LinkedIn password, he’s hoping that you used the same password for accounts that have money, personal data, or other valuable resources connected to them—and you’d better believe he’ll try that password with other sites right away. He’ll use your LinkedIn password to see if he can access your Gmail, iCloud, or PayPal account, your bank account, and so on. And these are places where some real damage can be done. For example, someone with your iCloud password could potentially see all the photos on your iPhone, all the addresses in Contacts, all your email, and your exact current location—but worse, he may be able to erase any or all of your Macs and iOS devices and lock you out from using them yourself! This isn’t hypothetical. It has happened.

And that’s why I say it’s a problem if you use the same password everywhere. If every password is unique, then even if one of them is stolen, cracked, or guessed, the damage is contained to that one site or resource.

To summarize: If you want your passwords to do what they’re designed to do—keep your accounts and data secure—they must be both strong (resistant to automated cracking) and unique. If you fail on either of those counts, you’re asking for trouble.

Create Strong Passwords

In Take Control of Your Passwords [7] I get into a little bit of the math that describes what makes one password stronger than another, and how strong is (probably) “strong enough”—by which I mean, highly likely to fend off an attack long enough that it’s not worth the attacker’s time to keep guessing, even at the rate of billions of guesses per second. I also talk about factors that can improve a password’s strength (length, character set, and randomness), because yes, I’ve read that XKCD comic [8] you’re going to mention (everyone does)—and also that other one [9].

But I’m going to forgo all that here and cut to the chase. In my professional judgment, as of 2015, every single password you use should be at least 15 characters long; include upper- and lowercase letters, digits, and punctuation; and be randomly generated. If your password isn’t random, then it’ll have to be much longer to compensate—and many sites won’t even accept such long passwords.
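As an added example that is not from the chapter or its author, here is a short Python script that generates passwords meeting the rule just stated and works through the arithmetic behind it: the entropy of a 15-character random password, how long exhausting it would take at the chapter's "billions of guesses per second" (assumed here as one billion), and how many Diceware words a passphrase needs to match it. The common-password deny list is constructed from the chapter's own examples; the function names are mine.

```python
import math
import secrets
import string

# The character classes the chapter calls for: upper- and lowercase letters,
# digits, and punctuation (94 printable ASCII characters in total).
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)
MIN_LENGTH = 15  # the chapter's 2015 minimum

# Constructed deny list built from the chapter's own examples of bad
# passwords; a real policy would check a large breached-password corpus.
COMMON = {"password", "baseball", "qwertyui", "stopasking"}


def meets_policy(pw: str) -> bool:
    """True if pw is long enough, uses every class, and is not a common
    password dressed up with trailing digits (Password1, Baseball2)."""
    if len(pw) < MIN_LENGTH:
        return False
    if pw.rstrip(string.digits).lower() in COMMON:
        return False
    return all(any(c in cls for c in pw) for cls in CLASSES)


def generate_password(length: int = MIN_LENGTH) -> str:
    """Draw characters from the OS CSPRNG (secrets) and retry until the
    result satisfies meets_policy, so every class is present."""
    if length < MIN_LENGTH:
        raise ValueError(f"passwords must be at least {MIN_LENGTH} characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try every candidate at the given guess rate; the
    default is the chapter's 'billions per second', assumed here as 1e9."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def diceware_words_needed(target_bits: float, list_size: int = 7776) -> int:
    """Words a Diceware passphrase (7776-word list) needs to reach the same
    entropy as a random character password: the 'much longer' trade-off."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    random15 = entropy_bits(15, len(ALPHABET))
    print(f"sample: {generate_password()}")
    print(f"15 random chars from {len(ALPHABET)}: {random15:.1f} bits, "
          f"{years_to_exhaust(random15):.2e} years at 1e9 guesses/s")
    print(f"8 random chars: {years_to_exhaust(entropy_bits(8, 94)):.2f} years")
    print(f"Diceware words to match 15 random chars: "
          f"{diceware_words_needed(random15)}")
```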

If you had just one or two passwords to worry about, I could recommend any of several [10] decent [11] techniques [12] for creating them from scratch and making them both strong and memorable. As we’ve seen, however, you need lots of different passwords, and it’s not remotely worth your time and mental energy to try to create and remember dozens or hundreds of strong passwords.

So forget all (well, most) of that stuff. Let technology do all the heavy lifting for you!

Use a Password Manager

The best way to improve your password security is to make sure all your passwords are both strong and unique. But since it’s difficult to come up with even a single truly strong password—and beyond most people’s memory skills to recall more than a few of them, no matter what mnemonic tricks you employ—the best solution is to let your Mac (or iOS device) do it for you.

All you need is a password manager—software that can do all the following:

  • Create long, random passwords on the fly whenever you need them
  • Remember all your credentials (usernames and passwords)
  • Securely sync your credentials across your devices
  • Automatically fill in your credentials when a Web form asks for them
  • Use a single master password to unlock all the rest of your passwords

If you use Apple devices exclusively—all of them running at least OS X 10.9 or iOS 7—you already have a pretty good password manager built in: iCloud Keychain. (For details, see my Macworld article How to Use iCloud Keychain [13].) If you need to use other platforms or older versions of OS X, or if you want extra features not found in iCloud Keychain, use a third-party password manager such as:

  • 1Password [14]: This is my personal favorite—it can create much stronger passwords than iCloud Keychain, hold all kinds of additional data (such as software licenses), and operate on Windows and Android as well as Apple platforms. (If you choose 1Password, you might enjoy reading my book about it: Take Control of 1Password [15].)
  • Dashlane [16]: This well-regarded, multi-platform password manager has quite a few bells and whistles and is easy to use. It hasn’t been around as long as 1Password and has a different pricing model that may or may not suit your preferences, but it’s well worth a look.
  • LastPass [17]: Unlike 1Password and Dashlane, LastPass isn’t stand-alone software but rather a secure Web service that you can access by way of a browser extension. The basic version is free, and the Premium version (which you’ll want if you use mobile devices) is inexpensive.

There are many others, too, as a quick Web search will confirm. Pick any one you like, but trust me—you definitely want to be using a password manager of some sort. It’s the only reasonable way to achieve that crucial combination of strong, unique, and memorable passwords.

Note: Password managers do more to protect your security than just managing passwords! They also store and enter credit card information, protect you against phishing attempts, fill in your address, and perform other useful functions. I’ll say more about these uses in Chapter 8: Surf the Web Safely.

You’ll still need to have a few strong passwords committed to memory, such as the master password for your password manager, your Mac’s login password (which you’ll sometimes have to enter without the aid of your password manager), and perhaps your Apple ID password, since Apple is so fond of prompting you for it every half hour. For passwords like that, sure—you can use techniques like Diceware [18] or the first letter of every word in a sentence [19] if you like. But if there are more than four or five passwords you need to keep in your head, you’re doing it wrong.

Change Your Key Passwords

I’m hoping that I’ve convinced you by now of the importance of great passwords, and once you start using a password manager, it’s easy to make all your future passwords strong. But what if you have a bunch of existing weak passwords or—perish the thought!—a single weak password you use everywhere? Well, it’s time to change them.

If you have only a handful of passwords, you can probably set aside a half hour to change them all, and that will be that. But if you have accounts with loads of sites (I have well over 700), we could be talking about multiple days of work. You’ll want to chip away at those old passwords, a few at a time, until they’re all up to snuff. But please, at the very least, change the following key passwords that are especially crucial to your overall security immediately:

Login Password

Every user account on a Mac has an associated login password. Depending on your settings, you may be prompted for it when you turn on, wake, or restart your Mac, when you install some kinds of software, and when you unlock certain panes of System Preferences. This password protects many aspects of your Mac’s operation including (by default) your OS X Keychain, which in turn may contain numerous other passwords. So your login password is one of the very few passwords you’ll have to commit to memory—either by rote memorization or by using one of the tricks I linked to in Create Strong Passwords [20]. As you’ll recall from Understand the Chain of Access in Chapter 2, it makes no sense to protect a strong password with a weaker password, so your login password should be among your very strongest.

To change your login password:

  1. Go to System Preferences > Users & Groups.
  2. Select your account in the list on the left.
  3. If the account for which you’re changing the password is not the one that is currently logged in, click the lock icon in the lower left of the window, enter your existing administrator username and password, and click Unlock.
  4. Make sure Password is selected on the right, and then click the Change Password button next to your name.
  5. If you’re running Yosemite or later, you may be asked whether you want to begin using your iCloud password to unlock your Mac (so that you’ll have one less password to remember). I recommend against this, because, as I’ve explained at some length, it reduces your security. Instead, click Change Password.
  6. In the fields provided, enter your old password, enter and verify your new password, and optionally enter a hint. (Even though OS X recommends using a hint, I don’t—it might help you remember your password but it can also give attackers a huge leg up.) Then click Change Password.

Your new password takes effect immediately. If you haven’t done so, consider changing your Mac’s settings not to log you in automatically (see Manage Basic Security and Privacy Settings [21] back in Chapter 3), because your password won’t slow down a thief if there’s never a prompt to enter it.

Wi-Fi Passwords

If you have your own Wi-Fi router, such as an Apple AirPort device, you probably know that it has both a Wireless Password (what your devices enter when they connect to the base station in order to get Internet access) and a Base Station Password (what the owner uses to gain access to the device’s settings)—other manufacturers use different terms, but there are always two different passwords. You should never use factory default passwords for either purpose—be sure to change them so that they’re both strong and different from each other.

Note: I say quite a bit more about Wi-Fi security—and especially why it’s important to use WPA encryption—in Use Encrypted Wi-Fi in Chapter 7. For now, we’re just concerned with the passwords.

Each router does things a bit differently, so consult the instructions that came with it. If you have an Apple product, you can read the manuals online:

  • AirPort Express [22]
  • AirPort Extreme [23]
  • AirPort Time Capsule [24]

Warning! Other devices in your home that use Wi-Fi may also come with a default password, and those should also be changed. For a cautionary tale involving security cameras commonly used for monitoring children, read Peeping into 73,000 unsecured security cameras thanks to default passwords [25] at NetworkWorld.

iCloud Password

Later on, in Chapter 9: Manage iCloud Security, I explain the ins and outs of security for a wide variety of iCloud features. For the time being, I merely want to make sure the password you use for iCloud is a good one. If it’s too weak (as discussed previously), you should change it immediately, because it’s one of your most important passwords.

You can’t change the password from within the iCloud pane of System Preferences, however. Because iCloud uses the same password as your Apple ID, you must go to Apple’s My AppleID site [26] to change it. On that page, click Manage Your Apple ID and follow the prompts to change your password. Once you’ve done that, your Mac and any iOS devices will also prompt you for the new password.

Other Passwords

As for everything else—email accounts, bank accounts, social networking services, and any other app or Web site you might have a password for—you’ll have to go through them one at a time to update any passwords that are too weak. The general process will be:

  1. Log in to your account or app as usual.
  2. Find the location (often in Account Settings) where you change your password.
  3. Use your password manager to create a new, random password. Enter that password on the site and make sure you save it in your password manager.
  4. Log out, and then log back in again (using your password manager’s automatic password-filling feature, where applicable) to confirm that the new password works.

Tip: Both Dashlane and LastPass have nifty features that let you change old, weak passwords for popular sites (like Facebook, Amazon, and WordPress) automatically, without having to go through the usual multi-step process. I wouldn’t be surprised to see such a feature in 1Password before long, too.

A Word about Two-Factor Authentication

Even the world’s greatest password offers zero security if someone else discovers what it is. I’ve mentioned cracking software, fraudulent Web sites, and software flaws as some of the paths that could lead to your password being discovered. But there are plenty of other ways an attacker could obtain your password—watching over your shoulder as you type it in a public place, using malware or a hidden device to capture the keystrokes you enter, employing old standbys like threats and extortion, and so forth. As a result, relying solely on a password for security is unwise.

The most common way of addressing this problem is to give users the option to add a second factor beyond their passwords—typically a numeric code that changes every 30 seconds to 5 minutes. These codes are typically generated by a mobile app, by a small device called a token that you carry on your keychain, or by a server that sends the code to your phone or other mobile device. Since you need both your password and the device that displays or generates this extra code, an attacker with only your password can’t access your account.

Apple [27], Dropbox [28], Evernote [29], Facebook [30], Google [31], PayPal [32], Twitter [33], and a host of other companies offer two-factor authentication (often called “two-step verification”). You’ll have to sign up for it explicitly, because it imposes an additional inconvenience on you in exchange for the extra security. But I heartily recommend enabling that option whenever you can.

Read More: About [34] | Chapter 1 [35] | Chapter 2 [36] | Chapter 3 [37] | Chapter 4 [38] | Chapter 5 [39] | Chapter 6 [40] | Chapter 7 [41] | Chapter 8 [42] | Chapter 9 [43] | Chapter 10 [44] | Chapter 11 [45] | Chapter 12

[1]: http://tidbits.com/article/15376
[2]: http://tidbits.com/article/15377
[3]: http://tidbits.com/member_benefits.html
[4]: http://tidbits.com/article/15375
[5]: http://www.takecontrolbooks.com/passwords?pt=INTERNAL
[6]: http://tidbits.com/article/15439#CreateStrongPasswords
[7]: http://www.takecontrolbooks.com/passwords?pt=INTERNAL
[8]: https://xkcd.com/936/
[9]: http://xkcd.com/538/
[10]: http://world.std.com/~reinhold/diceware.html
[11]: http://www.cnn.com/2011/TECH/web/05/06/durgahee.password.security/index.html
[12]: https://xkpasswd.net/s/
[13]: http://www.macworld.com/article/2058081/how-to-use-icloud-keychain.html
[14]: https://agilebits.com/onepassword
[15]: http://www.takecontrolbooks.com/1password?pt=INTERNAL
[16]: https://www.dashlane.com/
[17]: https://lastpass.com/
[18]: http://world.std.com/~reinhold/diceware.html
[19]: http://www.cnn.com/2011/TECH/web/05/06/durgahee.password.security/index.html
[20]: http://tidbits.com/article/15439#CreateStrongPasswords
[21]: http://tidbits.com/article/15407#ManageBasicSecurityandPrivacySettings
[22]: http://manuals.info.apple.com/MANUALS/1000/MA1613/en_US/airport_express_80211n_2nd_gen_setup_guide.pdf
[23]: http://manuals.info.apple.com/MANUALS/1000/MA1576/en_US/airport_extreme_5th_gen_setup.pdf
[24]: http://manuals.info.apple.com/MANUALS/1000/MA1645/en_US/airport_time_capsule_80211ac_setup.pdf
[25]: http://www.networkworld.com/article/2844283/microsoft-subnet/peeping-into-73-000-unsecured-security-cameras-thanks-to-default-passwords.html
[26]: https://appleid.apple.com/
[27]: http://support.apple.com/en-us/HT204152
[28]: https://www.dropbox.com/en/help/363
[29]: https://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features/
[30]: https://www.facebook.com/note.php?note_id=10150172618258920
[31]: https://encrypted.google.com/landing/2step/
[32]: https://www.paypal.com/us/cgi-bin?cmd=xpt/Marketing_CommandDriven/securitycenter/PayPalSecurityKey-outside&bn_r=o
[33]: https://blog.twitter.com/2013/getting-started-with-login-verification
[34]: http://tidbits.com/article/15375
[35]: http://tidbits.com/article/15376
[36]: http://tidbits.com/article/15377
[37]: http://tidbits.com/article/15407
[38]: http://tidbits.com/article/15421
[39]: http://tidbits.com/article/15439
[40]: http://tidbits.com/article/15458
[41]: http://tidbits.com/article/15471
[42]: http://tidbits.com/article/15495
[43]: http://tidbits.com/article/15512
[44]: http://tidbits.com/article/15532
[45]: http://tidbits.com/article/15557