Just like any small business, the operation of your own household depends on reliable processes and access to technology. What would happen if your household suddenly lost access to critical services like bill pay, banking or investment websites, or maybe you lost your phone or laptop, or perhaps even lost you? Just like that small business, you and your family are vulnerable to any number of disasters small and large. It’s easy for us to visualize the hassle of losing stuff and forgetting passwords, but consider circumstances more tragic for the head of the household – how easy would it be for your family to reverse engineer access to your online life? Thankfully, we can take some lessons from our professional lives and apply them to our personal lives. Let’s build our own personal business continuity plan.
Let’s start with a core element of our plan – password management – and kill two birds with one stone. One of my infosec friends, Ben Miller (@securithid), espouses something called a “personal password management system”. Ben’s system puts some structure around the problem of selecting and remembering different kinds of passwords, so we’ll begin there, then I’m going to add some tool support to that process to enable the business continuity aspects of our plan. Here’s how the personal password management system works:
First, divide your online accounts into two categories:
- Critical accounts for your primary home email, primary LAN, and important commercial websites like banks and other financial services. At first blush, these accounts tend to have two defining characteristics that seem to be at odds with each other: they are frequently used accounts that need easy-to-remember passwords, but at the same time are also protecting critical assets so they need passwords that have a high degree of resistance to guessing or brute-forcing.
- Accounts for everything else. These are infrequently used accounts that are near throwaway in nature. Think online pizza ordering, ecommerce sites for chain stores, etc.
- Alright – so maybe there’s a third category – things you need to remember that are password-like. Mobile phone unlock PINs, Social Security numbers of your kids, your spouse’s first pet, etc., or really any other piece of data that needs to be secured and remembered at some point.
Here’s how our management plan handles these three categories:
Use Passphrases For Critical Passwords
Critical passwords need to be super easy to remember, because you use them all the time. But they also need to be highly resistant to brute-forcing, so they need to be pretty long (I prefer at least 20 characters). The password approach that meets both criteria is the “passphrase”.
A passphrase is a random sequence of words that is easy for the human brain to remember, has enough entropy to make it hard to guess, and is long enough to make it impractical to brute-force. Here are some examples:
- hand shells use trace
- canal minerals strong close
- test actually race dinner
A good layman’s explanation on how and why this works can be found here. To conform to the usual password complexity rules that we often run into, simply add spaces or other “special characters” between the words and throw in a capital letter and number.
Use Computer-Generated Passwords For All Other Accounts
For your pizza and other low-use passwords, take the lazy way out and use a password generator. Bookmark the generator in your browser or use a password safe generator to make it a no-excuse process. This will eliminate dumb passwords like “password”. Because you know you’ll never remember them, put them into a password safe so you won’t stress about not being able to remember them. Just make sure you make them long enough – at least 12 characters. That’s just long enough that the average criminal will suffer some pain trying to brute-force them. The 12 characters (or more) won’t be a bother to you, however, because you’ll be doing a copy-paste out of your password safe.
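To make the two generation rules above concrete (random passphrases for critical accounts, generator output for everything else), here is a small Python script added to this post as an illustration; it is not code from the original author. The word list is a constructed stand-in for a real large word list such as a diceware list, the function names and the entropy helpers are my own, and the entropy numbers are there to show why four words or twelve generated characters meets the advice given here.

```python
import math
import secrets
import string

# Constructed sample word list so the example runs offline. A real passphrase
# generator must draw from a list of thousands of words; with only 16 words,
# four of them give just 16 bits of entropy.
SAMPLE_WORDS = [
    "hand", "shells", "use", "trace", "canal", "minerals", "strong", "close",
    "test", "actually", "race", "dinner", "orbit", "lantern", "velvet", "harbor",
]

# Generated passwords for low-value accounts: letters, digits and punctuation (94 symbols).
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def passphrase_entropy_bits(word_count, list_size):
    """Entropy of word_count words drawn uniformly, with replacement, from list_size words."""
    return word_count * math.log2(list_size)


def password_entropy_bits(length, alphabet_size):
    """Entropy of length characters drawn uniformly from an alphabet of alphabet_size."""
    return length * math.log2(alphabet_size)


def generate_passphrase(word_count=4, words=SAMPLE_WORDS, separator=" ", min_length=20):
    """Pick word_count words with the OS CSPRNG (secrets), joined by separator.

    The post prefers critical passphrases of at least 20 characters, so short draws
    are rejected and redrawn. Rejection removes a few of the shortest combinations,
    which lowers entropy slightly below word_count * log2(len(words))."""
    if word_count < 1 or len(words) < 2:
        raise ValueError("need at least one word and a list of at least two words")
    longest = word_count * max(len(w) for w in words) + (word_count - 1) * len(separator)
    if min_length > longest:
        raise ValueError("min_length cannot be reached with this word list and count")
    while True:
        phrase = separator.join(secrets.choice(words) for _ in range(word_count))
        if len(phrase) >= min_length:
            return phrase


def generate_password(length=16, alphabet=PASSWORD_ALPHABET):
    """Random password meant to live in the password safe, never to be memorised.
    The post asks for at least 12 characters, so shorter requests are refused."""
    if length < 12:
        raise ValueError("low-value passwords should still be at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def conform_to_complexity_rules(passphrase, separator="-"):
    """The post's trick for sites that enforce complexity rules: swap the spaces for
    a special character, capitalise the first word and append a digit. This adds
    almost no real entropy; it exists only to satisfy checkbox rules."""
    words = passphrase.split(" ")
    words[0] = words[0].capitalize()
    return separator.join(words) + str(secrets.randbelow(10))


if __name__ == "__main__":
    phrase = generate_passphrase()
    print("critical passphrase:", phrase)
    print("  ~%.1f bits from a 16-word list; a 7776-word diceware list gives ~%.1f bits"
          % (passphrase_entropy_bits(4, len(SAMPLE_WORDS)), passphrase_entropy_bits(4, 7776)))
    print("complexity-rule form:", conform_to_complexity_rules(phrase))
    print("low-value password:", generate_password(12),
          "(~%.1f bits)" % password_entropy_bits(12, len(PASSWORD_ALPHABET)))
```

The entropy helpers make the tradeoff visible: four words from a 7776-word list give roughly 52 bits, comparable to twelve characters from the full printable alphabet (about 79 bits only if every character is truly random, which a generator guarantees and a human does not).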
Use The Password Safe For Other Stuff
Well, since we’re already using a password safe, let’s park some other stuff in there. You can put SSNs, answers to security questions, and any other data that might be handy from time to time.
Choosing a Password Safe
Since it should now be apparent that a password safe is a critical part of our personal password strategy, let’s think about three important things:
- Choose a password safe that runs on your mobile phone. Reason – your phone is your most-used device, and you always have it with you.
- Make sure that you can export your password database into an encrypted file. Spoiler alert – this will be an important element of our personal business continuity plan!
- Finally, if this is important to you, choose a product that securely syncs across multiple devices (e.g., phone + laptop).
Now that we have our core element in place, let’s finish our personal business continuity plan.
In Case Of Emergency Break Glass
Our continuity plan will do the following:
- Provide a documented process for maintaining access to your online data after you’ve lost your phone or other critical devices
- Provide a documented process that other responsible parties can use to maintain access to your online data after the loss of you
Follow these steps:
- Make a backup of your password safe database. The backup should be an encrypted file. A decent password safe will provide this as an option for backups.
- Move a copy of the backup to a separate device like your laptop (assuming you originally generated it on your phone). Then put a second copy on a flash drive for storage in a secure physical location.
- On a physical sheet of paper, make three lists.
List #1 – the handful of important “gateway” passwords: the master password to your password safe, your personal email password, the password/PIN of your phone’s lock screen (you use that, right?), the unlock password to your personal laptop, etc. Note the progressive nature of our plan – you don’t need to write down all the passwords, just the one or two you need to reach the passwords.
List #2 – the list of any “two factor authentication” devices (2FA) that you use with your accounts. This list will include your phone (SMS, 2FA apps, etc.) and any other 2FA dongles like RSA tokens. These need to be listed so a trusted individual can access accounts that require the use of those. Pro Tip: for accounts that require 2FA, put the 2FA+password construction format into the account password field for that account in the password safe. That way you don’t forget how to do it. And please – use 2FA whenever possible!
List #3 – the list of accounts that you do online bill-pay for, but for which you do the bill pay manually and not automatically (i.e., make one-time payments each month). This will help trusted individuals reverse-engineer bills that need to be paid. Remember that bills set up on auto-pay have built-in business continuity – if you aren’t around to pay them, they will generally pay themselves. But if you don’t use auto-pay (hence a monthly one-time payment), then payments may be missed.
- Now that you have your lists on a sheet of paper, make a photocopy of it for redundancy.
- Put one copy into an envelope and seal it. Write something like “in case of emergency” on it and put it in a location known to your spouse or other trusted individual.
- Put the second copy into an envelope and store it in an offsite location (e.g., safety deposit box). Reason – what if your house burns down, taking your devices and first envelope with it?
- Whenever anything on the list changes (like your email password), update the lists – don’t let them go stale! Because we are limiting the number of passwords to just a few, this shouldn’t happen often.
Now you’ve protected yourself and your family – if something happens to you or your stuff, you haven’t lost access to your online data. Your personal business can continue uninterrupted!
If you have an improvement to this system that you’d like to share, post a comment!