HOME  → POSTS  → 2013

Breaking my bad password habits with 1Password, Authy, OAuth and OpenID

Privacy and Security1278 words6 minutes to read

I learned at a relatively young age what makes a good password versus a bad password, and I’ve tried to always use these qualities in the passwords that I choose.

The Problem

Unfortunately, even with the best intentions, you inevitably end up re-using one or a few passwords across every single website you log into. Some people do things as dumb as using the name of their significant other. Or their pet. Or a birthdate. Or something else equally guessable by one of the many supercomputers that exist (whereby “supercomputer”, I mean pretty much any computer invented in the past 5–7 years).

My approach was this: Whenever a website would auto-generate a random password for me, instead of changing it to something I could remember, I simply memorized it. They were usually a blend of 8 alphanumeric and/or symbol characters. Nothing too wild, but after a while, I established some muscle memory around typing them and began to rely on them. This is a better approach than most people use, but it’s still a terrible practice. Over time, I began appending special characters here, or prepending them there. Sometimes I would stick a dollar sign or two somewhere in the middle to mix things up.

Enter 1Password

Then in 2008, I discovered a piece of software called 1Password. Initially I balked at the price. “You want me to pay for software?!” Clearly I was still in a Windows-user’s state of mind when it came to things like that. But I sucked it up, bought a license, and started using it regularly.

It is the single best investment I’ve ever made. Software-wise, anyway.

OpenID and OAuth

Around the same time as when I discovered 1Password, I also learned about something called OpenID. The approach that OpenID takes is known as Federated Identity. It’s essentially a system where two people don’t know or trust each other, but they both trust a third person, and that third person vouches for each of the first two. Eric and Jeff don’t know each other, but they both know me. I vouch for Jeff with Eric saying that he’s a cool dude, and vice-versa. Make sense?

It allowed me to trust a company of my choosing to vouch for me, whenever I came to log into sites which supported OpenID. If something happened and I didn’t trust that middle company any more, I could simply change the company/service which vouched for me. In that way, I only had to remember the username and password for that one company that was vouching for me, instead of having to create all-new accounts for every service I signed-up for.

But there were some quirks that made OpenID a bit harder to understand for normal folks, so the great minds of the Internet got together and bore a different system known as OAuth. You know all of those sites you visit that have a big blue button that says “Login with Facebook”? That’s OAuth in action.

OAuth works a bit differently behind the scenes. You say, “I want to sign up for your site”. The website says, “Either give me your information so I can register you, or you can authorize me to get your information from someone else who already has it.” And you respond with, “Sure. Facebook has it.” You then click the blue button, tell Facebook that you authorize the new site to pull your information, and away you go. Between the two approaches, OAuth is used about a zillion times more often than OpenID is.

I would recommend using OpenID or OAuth for handling your login information if at all possible because it reduces the number of passwords you need to keep track of.

Sony’s Playstation Network got hacked

Remember when this happened? Where Sony was storing passwords in m********king plain text?! (To paraphrase Shepherd Book from Firefly/Serenity, there is a special place in Hell for people who rape, murder, talk during movies, and store passwords in plain text.)

In short, one of my hard-to-guess-but-used-in-lots-of-places passwords was one of the ones that was obtained by hackers. As such, I had the fine work ahead of me to change the password for every single site that used the password that got hacked.

1Password to the rescue! It took me about 90 minutes, but I was able to lookup all of the sites where this password was being used, and change the password for all of them. This event ended up making me re-think how I managed my passwords.

Authy and 2-Factor Authentication

Over the past couple of years, I’ve started to see more and more websites begin leveraging something called 2-Factor Authentication (or, Multi-Factor Authentication). This is where besides having the username and password (i.e., the first “factor”), you also need a code from a key fob or something else that you have with you at all times (i.e., the second “factor”). This way, even if somebody figured out your username and password, they still wouldn’t be able to get into your account unless they also had either a key fob with a code, or more commonly, your cell phone.

Besides having a key fob for logging into my company’s VPN remotely, I’d never heard of 2-Factor Authentication until Amazon Web Services announced it as a new feature of their Identity and Access Management (IAM) service. The Google added support for it. Then Facebook added support. Then a few more services added support. Most of them leveraged an app that ran on modern smartphones called Google Authenticator which would generate a code that you could type in after your username and password.

When ADN added support for it was when I learned about Authy. Besides looking and working WAY better than Google Authenticator, it supported lots of different accounts. The switch was a no-brainer.

Sites that I’m currently aware of that support 2-Factor Authentication are:

  • ADN (aka, App.net)
  • Apple (account management, only)
  • Amazon Web Services (AWS)
  • Dreamhost
  • Dropbox
  • Evernote (Premium accounts)
  • Facebook
  • GoDaddy
  • Google
  • Microsoft (including Hotmail & Xbox)
  • Paypal
  • Stripe.com
  • WordPress.com (including Gravatar)
  • and more!

You can even install the Authy plugin in your self-hosted WordPress installation to enable extra security for your blog. I would absolutely recommend enabling 2-Factor Authentication (using Authy, of course) for every single service you use that supports it.

Changing every password

2 days ago, I decided to bite the bullet and put in the work to change every single password I had stored in 1Password (around 250). Using their built-in password generator, I created a brand-new, completely randomized password, using a mix of upper/lower-case letters, numbers and symbols. These new passwords are all 24–30 characters long, except for services that required shorter ones, or only allowed alphanumeric characters.

I have absolutely no idea what any of my passwords are. But I’m relying on 1Password to manage them for me, and to sync them to the copies of 1Password I have installed on my iPhone and iPads.

Couple long, randomly-generated passwords, with 2-Factor Authentication, and I’m never worried about getting hacked. If Sony gets their servers hacked again and that password gets stolen, no worries. I’ll just create a new randomly-generated password for it and keep right on going.

End

Yes this was several hours of work, but I believe was well-worth it. If you can swing it, I would confidently — even exuberantly — recommend 1Password to anyone just getting started with making their online life more secure. Definitely take a look at Authy as well, and start leveraging OpenID and OAuth logins on every site that supports them. You’ll be better off for it.

Update

See my follow-up post: “Things I learned about how websites manage passwords”.

Ryan Parman

is an engineering manager with over 20 years of experience across software development, site reliability engineering, and security. He is the creator of SimplePie and AWS SDK for PHP, patented multifactor-authentication-as-a-service at WePay, defined much of the CI/CD and SRE disciplines at McGraw-Hill Education, and came up with the idea of “serverless, event-driven, responsive functions in the cloud” while at Amazon Web Services in 2010. Ryan's aptly-named blog, , is where he writes about ideas longer than . Ambivert. Curious. Not a coffee drinker.