TheJoyOfHack

For people who like to make things

This is a guest article I wrote for the newsletter of a friend of mine who’s an Estate Planner.

Almost every digital or monetary asset you own is protected by a password. Some service providers, like investment brokers require multiple pieces of information, like your social security number, account number, date of birth, etc. These are all things that a provider assumes only you know. Once these secrets are known to others your asset is compromised. So in order to keep these secrets safe, you need to do two things: prevent others from being able to view these secrets, and prevent others from being able to guess them.

This is why security experts insist that people use strong passwords. A strong password is one that is at least 16 characters long. A password that’s only one word long can be guessed by a computer in less than a second, even if certain characters are substituted with others (like ‘3’ for ‘e’). It is a good idea to use a passphrase wherever possible. A passphrase is 2 or more words. These are a lot more secure than single words. For example, the password ‘p455w0rd’ can be guessed by a computer in about a minute. But that same computer would need 5 million years to guess the passphrase ‘secure password.’

It is also important that you never use the same password to protect more than one account. Let’s say your grocery store’s password database gets stolen. That, in itself, is not a problem if the grocery store stores the password securely (more on this in a bit), and if your password is difficult to guess. If one of these two conditions are not met, than it’s only a matter of seconds before your password is known to the ‘bad guys.’ And once that password is known, the thieves can try to use that password with other providers, like your bank, or your mutual fund brokerage. So that’s why it’s important to never reuse passwords: even if your service provider fails you, your other accounts are not at risk.

What does it mean to store a password securely? Many (but sadly not all) service providers store passwords in a special way called ‘hashed.’ This means that the service provider can’t read your password; they can only verify that you entered it correctly. That’s why when you use the ‘Forgot Password’ link with these providers, they don’t email you your password - they email you a link to change it. This is a good thing. It means that a rogue employee at the service provider can’t read your password and use it illicitly.

Now, if you use different passwords for every account, it’s easy to end up with hundreds of different passwords. I have 908 as of today. It’s impossible to remember 908 random passphrases. So this is why it’s a good idea to use a password manager. A password manager saves all your passwords securely and protects them with one master passphrase. That way you only have to remember that one master passphrase. You can store all sorts of information: passwords, passport numbers, social security numbers, text files, PDFs, etc. There are many good password managers out there, like 1Password, Data Vault, LastPass, and Dashlane. My recommendation would be 1Password, because I trust the company that makes them the most. Most web browsers also offer similar functionality. However, I prefer not using them because they don’t have a master passphrase, and instead rely on your computer’s password.

Online asset providers like banks often ask you for secret identifying information in addition to your password. These are things like “Mother’s maiden name,” or “The color of your first car.” This is so that if you call customer support, or click on the ‘Forgot Password’ link, they can ask you for this information to verify your identity. This has two consequences: First, in order for the employee or website to verify your information, it cannot be stored hashed. It is stored in ‘cleartext.’ That’s a fancy way of saying that an employee of the service provider (or someone who steals their database) can read this private information. Second, if these secrets aren’t really secret (maybe your mother still uses her maiden name), people can easily pretend to be you because they know the answers. They can convince an unsuspecting employee of the service provider that they are you, and can have your password changed, effectively stealing your account and your identity.

This is why I advise you to never use accurate information as answers to security questions. Make something up, and save those answers along with the questions in your password manager. For example, my bank may think that my mother’s maiden name is ‘su3lskq,’ or that my hairdresser’s name is ‘Serverus Snape.’ This is a very simple thing to do, but it improves your security greatly. Best of all, you don’t have to remember all this information: just save it in your password manager and copy and paste when required.

Once you use a password manager in this way, the key to all of the information in there is the master passphrase. You can manage this master passphrase like any other critical document. Even though you should normally never write down your master passphrase anywhere, I would recommend you write it down once and place it somewhere secure that can only be read in the event of your death or disability: a safety-deposit box, or with your attorney. That way, if there is information there that can help your survivors manage your estate, your Digital Executor or Trustee can provide them with all of the information they need, in a timely manner. Speak to an Estate Planner. They will help you set all of this up.

Following these simple tips you will be able to manage passwords effectively in your daily life, and also make it easy to pass relevant information to your survivors when you die. Remember:

  • Use a password manager
  • Use long passphrases
  • Never reuse passwords
  • Use random text for the answers to security questions
  • Use a long, difficult-to-guess master passphrase that you never write down anywhere except once, to be used only in the event of your death.