A cautionary tale about passwords – Medium Engineering

A post for engineers and the technically astute to share with less technical friends and family, brought to you by the Department of Technical Comfort & Security at Medium (previously known as IT).

One day, Rabbit frantically hopped over to his friend Fred.

Rabbit’s ears were sticking straight up in alarm, “Fred! I just got an email that there was suspicious activity on my RoughageAndMore.bun account! What do I do?”

Fred puffed up a bit and said, “It’s okay Rabbit, we can figure this out. Have you changed your password on RoughageAndMore.bun yet?”

“No! Should I do that now? My password is carrot1*. What should I change it to? How will I remember my new password if it’s not carrot1?”

Fred thought for a moment, his beak twisting to the side, “Rabbit, are you using this password on all of your websites? Even your BunMail and HutchBank accounts?”

“Yes! But how will I remember RoughageAndMore.bun if it has a different password?”

“Rabbit, it’s a big risk to use the same password on all of your web accounts. HutchBank and other companies do what they can to prevent BadCharacters’ unauthorized attacks on their systems, but it’s possible that any website’s password database could be compromised.”

“Fred, that’s scary! What can I do?”

“I use a password vault, Rabbit. I use the password generator in the vault application to create a different complex password for every website. I only have to remember one password — the one to the password vault.”

“Fred that sounds amazing! Can it be that easy?”

“It’s pretty easy once you get used to using it. And even if it’s a couple more steps, I know that even if a BadCharacter breaks into the password database of one site, they don’t have my password to all the others I use. Then when I get an email of suspicious activity on one account — like RoughageAndMore.bun — I just need to change the password on that account.”

“Fred, I’m so excited! Can you help me set up a password vault now?”

“I’d love to, Rabbit.” They waited while the application downloaded and installed on Rabbit’s Carrotosh computer.

“It’s installed! Now what?”

“Choose a complex password for the vault.”

“Can I use carrot1? It’s complex, right, since it has a number in it?”

Fred shook his head no, the feathers on the back of his neck ruffling slightly. “Rabbit, carrot1 is easy for an experienced BadCharacter to guess. It’s a dictionary word, it’s all lowercase, and it has a single number.” Fred was silent for a moment, looking up to the left. “I have an idea. What is your favorite song?”

Rabbit blushed, “All the single rabbits!”

“Great! Let’s use that as your password!”

“Passwords can have spaces?”


“And this is hard to guess?”

“It’s much harder to guess than carrot1!”

A half hour later, Rabbit had changed his passwords on his most important sites with his credit card and bank information, and of course, RoughageAndMore.bun. All of them were unique and 15 or more characters, including special characters, numbers, and upper and lower case letters.
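For the engineers sharing this post, here is what the vault’s generator is doing for Rabbit, as an added example (not code from the post or from any particular vault product): generate a password from the operating system’s cryptographic random source that meets the bar the story sets (15 or more characters, all four character classes), and check a vault for passwords reused across sites. The site names are the fable’s own; the policy constants, the special-character set and the `fill_vault`/`reused_passwords` helpers are assumptions of this example.

```python
import secrets
import string

# Added example, not the post's code. Site names come from the fable;
# the policy values and special-character set below are this example's choices.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?/"
MIN_LENGTH = 15  # the bar the story sets: 15 or more characters


def meets_policy(password: str) -> bool:
    """True if the password is at least MIN_LENGTH long and mixes all four classes."""
    if len(password) < MIN_LENGTH:
        return False
    classes = (LOWER, UPPER, DIGITS, SPECIAL)
    return all(any(ch in cls for ch in password) for cls in classes)


def generate_password(length: int = 20) -> str:
    """Generate a random password from the OS CSPRNG that satisfies meets_policy.

    One character from each class is drawn first so the policy always holds,
    then the remainder is drawn from the full alphabet and the result is
    shuffled so the guaranteed characters do not sit predictably at the front.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = LOWER + UPPER + DIGITS + SPECIAL
    chars = [secrets.choice(cls) for cls in (LOWER, UPPER, DIGITS, SPECIAL)]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG (random.shuffle is not suitable here).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def reused_passwords(vault: dict) -> dict:
    """Map each password used by more than one site to the list of sites sharing it."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def fill_vault(sites) -> dict:
    """Assign a fresh generated password to every site, as the vault's generator would."""
    return {site: generate_password() for site in sites}


if __name__ == "__main__":
    # Constructed "before" vault: Rabbit's one password everywhere.
    before = {"RoughageAndMore.bun": "carrot1", "BunMail": "carrot1", "HutchBank": "carrot1"}
    print("carrot1 meets policy:", meets_policy("carrot1"))
    print("reused before:", reused_passwords(before))
    after = fill_vault(before)
    print("reused after:", reused_passwords(after))
    for site, pw in after.items():
        print(site, pw, meets_policy(pw))
```

The point of `reused_passwords` is the one Fred makes: a breach at one site should cost you exactly one password change. If the function returns anything for your vault, those are the accounts where one leaked database unlocks several others.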

“Rabbit, the hard part is done. Next, as you go to each website you visit, log on and then use the password generator to create a new, unique password. Your password vault will save the list for you.”

Next, Fred showed Rabbit how to back up the password vault to the file backup service, FileBurrow.bun.

“Fred, thank you so much!” Rabbit relaxed his shoulders and sighed, his ears relaxing beside his head. “I wonder though …”

“What, Rabbit?”

“When will my delivery of cabbage arrive? I wanted to make that for dinner tonight.”

