There it is, folks. My everything-password from my school days.
My favorite superhero was always Daredevil when I was a kid. The idea of 360-degree awareness is enticing, isn’t it? It’s probably fitting that I found myself in a field that encourages some healthy paranoia.
Naturally I figured it’d be a pretty badass thing to make it my password on every account I opened. This was the early ’00s, I was starting to embrace a now-embarrassing level of angst, and there were never too many places to post my super-deep thoughts. Digging them all back up over the years to deactivate them has been an incredible undertaking.
I feel secure in releasing this data to the public because it’s not actually my middle school “universe” password. I did have one though, and it was equally bad. There’s no way I could dig up every account I ever made for every website fifteen years ago. Odds are, that terrible password is still floating around the web somewhere. It’s probably attached to an account from three usernames ago on a website I haven’t logged into since two days after I started it.
But, statistically speaking, yours is out there too.
As I found myself growing more tech-savvy through the remainder of my school years, I started understanding the value of a stronger password. I said goodbye to the dictionary word everyone knew I was obsessed with and hello to a different dictionary word only a few people knew I was obsessed with. Then in college I started tacking on a fairly predictable string of numerals. Sure, it was starting to be mathematically secure, and back then it would have taken years to crack a hash of it; but a determined adversary with a custom-built wordlist of my personal history and interests wouldn’t have had a lot of trouble.
Years passed, I started working in technical roles, and I ended up adopting actually-secure passwords. Fast-forward to today and I’m in the process of adopting Troy Hunt’s policy: the only secure password is the one you don’t remember. Even so, despite my best efforts to remember, access, and deactivate all of my old accounts on the Internet, it’s almost certain that my insecure old passwords are out there somewhere.
“So what?” you ask yourself, “I haven’t used my goth-phase Xanga account in years. If somebody really wants it that bad they can have it.”
It comes down to the fact that your old accounts may still contain a goldmine of data that could be used against you.
Password resets are a touchy subject. Not to bring up Troy Hunt twice in one post (he’s a crazy good resource on the subject of authentication security) but his article on password resets is great. He discusses the issues caused by weak recovery questions at length, but I’ll sum it up this way:
- Does your mother list her maiden name on Facebook?
- How far back would someone need to go in your Instagram feed to find your high school mascot?
- How many of your social media profiles have a “Hometown” section?
Swap the data sources around as much as you like; it doesn’t matter. In a fair majority of cases, these common password reset questions are going to be your weakest link when it comes to account security. Simply too much of this data is readily accessible via OSINT.
However, even more personally-identifiable information can be revealed from an intrusion on a years-abandoned account. Private messages, unpublished drafts, and even your account’s chosen password reset challenges could all be repurposed and leveraged in subsequent attacks.
With an armful of your harvested data, your attacker is now better-equipped to start taking on more of your accounts. It’s not unlikely that they’ll target these accounts fairly chronologically. Think of it like archaeology’s Law of Superposition. Your older accounts were from a more “primitive” era in your technical development. Armed with a little more data, your attacker can start digging up towards the surface, breaking one account at a time, harvesting more information every step of the way.
Is This Actually Happening?
At this point in the discussion I’d like to pump the brakes a little. I’m not suggesting that targeted, active identity theft via MySpace accounts is (or will be) an epidemic. The majority of bad actors follow the “lowest hanging fruit” doctrine, and generally aren’t concerned with any one particular victim. The hours and hours of research and dictionary building alone would be far outside the scope of their attacks.
However, persistent attackers are very capable of accomplishing this. Whether you consider yourself a possible target of an adversary of this caliber is up to you, but I think it’s important to remain conscious of these potential attack surfaces regardless.
The architects of medieval castles lived by a doctrine of layered defense. They didn’t just build the outer wall and call it done; they assumed that line would eventually fall. They implemented (among other things) the murder-hole, through which defenders could pour boiling water on invaders who breached the gate. I only wish I could install a murder-hole on my webservers.
What I’m getting at is the importance of having multiple strong layers to the security of your data. This means going back and securing your old accounts as thoroughly as you can manage — either by updating the passwords or deactivating the accounts.
If you’re like me, you’ll still have to acknowledge that finding every single account is an impossibility. Still, cleaning up the ones you can find will go a long way, even just in breaking up your web presence “timeline”. It’s about putting in the best reasonable effort.
What Makes a Good Password?
All of this theory is meaningless if it’s not backed by strong security of your active web presence, starting with your current passwords.
I currently only know two of my passwords: my local device credentials, and the key to my password vault. Even those are technically passphrases, not passwords. Every password outside of these is randomly generated by my password manager and I couldn’t begin to recall what they might be.
With cloud-based password storage services like LastPass getting compromised regularly, I highly recommend using locally-stored password vaults with managers like KeePassXC. The open-source .kdbx database format is widely cross-compatible, so you shouldn’t have any trouble synchronizing between devices and accessing your passwords from anywhere.
There are more than a few of you who are going to read this and find reasons to hand-wave my advice. You’re too boring for anyone to target. You’re not “techy” enough to figure out a password manager. It’s not worth the effort.
While I can assure you that none of those statements are accurate, I’m willing to meet you in the middle if you promise to keep a few key things in mind:
- Please, if you take away nothing else from this writing, don’t use the same password everywhere. This is the difference between “My account on this old dating site got hacked” and “My account on this old dating site got hacked, then they got into my bank account.” I mean it. Stop.
- Don’t put the mandatory special character at the end of your password. If a website forces users to use a special character, the users will universally tack an exclamation mark to the end of their usual password. While arbitrary password strength requirements aren’t much of a security improvement (last Troy Hunt article, I promise), you should at least do yourself a favor and not employ the most obvious implementation of the policy.
- Make sure none of your passwords appear in the most commonly used wordlists.
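As an added illustration of the last two points (this is example code, not from the original post): a small audit that checks a candidate against a wordlist, both as typed and after stripping the predictable digit run and trailing special character described above. The wordlist here is a constructed stand-in; a real check would use a large leaked-password corpus.

```python
from __future__ import annotations

import re

# Constructed miniature "common wordlist" standing in for the real ones
# (leaked-password corpora, dictionary files). Not a policy on its own.
COMMON_WORDS = {
    "password", "qwerty", "letmein", "dragon", "daredevil", "superman",
}

# Split a candidate into: base, a run of trailing digits, and at most one
# trailing special character. The lazy base lets the digit run be greedy,
# so "Daredevil2003!" -> ("Daredevil", "2003", "!").
SUFFIX_RE = re.compile(r"^(?P<base>.*?)(?P<digits>\d*)(?P<special>[!@#$%^&*.?]?)$")


def split_suffix(candidate: str) -> tuple[str, str, str]:
    m = SUFFIX_RE.match(candidate)
    return m.group("base"), m.group("digits"), m.group("special")


def audit(candidate: str, wordlist: set[str] = COMMON_WORDS) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: list[str] = []
    lowered = candidate.lower()
    base, digits, special = split_suffix(candidate)

    # Exact wordlist hit first; otherwise look for "word + predictable suffix",
    # the mangling pattern most cracking rulesets try early.
    if lowered in wordlist:
        findings.append("exact match in common wordlist")
    elif base.lower() in wordlist:
        suffix = digits + special
        findings.append(f"wordlist entry {base.lower()!r} plus predictable suffix {suffix!r}")

    # The mandatory special character tacked onto the end, and nowhere else.
    if special and all(c.isalnum() for c in base + digits):
        findings.append("only special character is tacked onto the end")

    return findings


def is_acceptable(candidate: str) -> bool:
    return not audit(candidate)
```

Wire `audit()` into a password-change handler to reject a candidate before it is accepted, and swap the stand-in set for a real corpus loaded from disk.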
If it’s starting to sound like it’s impossible to keep track of a different unpredictable password for every account you own, good. That’s because it is. Look into a password manager and use it properly. It’s not the kind of thing you want to regret not doing.