Take Control of Your Passwords
Overcome password frustration with Joe Kissell's expert advice!
Improve your passwords without losing your cool, thanks to Joe Kissell’s expert advice. Start on the path to modern password security by watching Joe’s intro video and by checking out our “Joe of Tech” comic in the Contents & Intro tab below (scroll down!).
Read the book to understand the problems and apply a real-world strategy that includes choosing a password manager, auditing your existing passwords, and dealing with situations where automated tools can’t help.
Teach This Book! Once you're satisfied with your own password strategy, you may want to help friends or colleagues improve theirs. To that end, Take Control of Your Passwords includes links to a downloadable one-page PDF handout and to a PDF-based slide deck that you can show on any computer or mobile device screen.
“Awesome. You did an amazing job breaking it down. This should be mandatory reading.” —Rich Mogull, CEO at Securosis
This ebook helps you overcome frustrations that arise when attempting to design a strategy for dealing with the following password problems:
9-character passwords with upper- and lowercase letters, digits, and punctuation are NOT strong enough.
You CANNOT turn a so-so password into a great one by tacking a punctuation character and number on the end.
It is NOT safe to use the same password everywhere, even if it’s a great password.
A password is NOT immune to automated cracking because there’s a delay between login attempts.
Even if you’re an ordinary person without valuable data, your account may STILL be hacked, causing you problems.
You can NOT manually devise “random” passwords that will defeat potential attackers.
Just because a password doesn’t appear in a dictionary, that does NOT necessarily mean that it’s adequate.
It is NOT a smart idea to change your passwords every month.
Truthfully answering security questions like “What is your mother’s maiden name?” does NOT keep your data more secure.
Adding a character to a 10-character password does NOT make it 10 percent stronger.
Easy-to-remember passwords like “correct horse battery staple” will NOT solve all your password problems.
All password managers are NOT pretty much the same.
Your passwords will NOT be safest if you never write them down and keep them only in your head.
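Several of the points above (a suffix does not rescue a weak password, an extra character multiplies rather than adds strength, a login delay does not protect a leaked hash) come down to entropy arithmetic. The following is an added worked example, not code from the book or from Take Control; it assumes a 95-symbol printable-ASCII alphabet, a 7,776-word Diceware-style list, a 100,000-word dictionary, and constructed guess rates for an online login with lockout versus offline cracking of a leaked hash.

```python
import math
import secrets
import string

# Assumed alphabet sizes (not from the book): printable ASCII minus space,
# a Diceware-style word list, and a dictionary of common words.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ALPHABET_SIZE = 95           # 94 printable symbols plus space
DICEWARE_WORDS = 7776        # 6**5 entries on a Diceware list
DICTIONARY_WORDS = 100_000   # assumed size of an attacker's word list
DIGITS, PUNCT = 10, 33       # symbol counts for a trailing digit / punctuation mark


def random_password_bits(length, alphabet_size=ALPHABET_SIZE):
    """Entropy of `length` characters each drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words, wordlist_size=DICEWARE_WORDS):
    """Entropy of `words` words drawn uniformly from a word list."""
    return words * math.log2(wordlist_size)


def word_plus_suffix_bits(dictionary_size=DICTIONARY_WORDS):
    """Dictionary word with one digit and one punctuation mark appended.

    A cracker that knows the pattern only has to cover the word list times the
    suffix choices, so the suffix adds a few bits rather than making the
    password 'random'.
    """
    return math.log2(dictionary_size) + math.log2(DIGITS) + math.log2(PUNCT)


def keyspace_growth_percent(alphabet_size=ALPHABET_SIZE):
    """Percentage growth of the keyspace when one character is appended.

    alphabet**(n+1) / alphabet**n == alphabet, independent of n, so the
    answer is (alphabet - 1) * 100 percent, not 10 percent.
    """
    return (alphabet_size - 1) * 100


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return 2 ** bits / guesses_per_second


def compare_strategies():
    """Entropy in bits for the password styles discussed above."""
    return {
        "dictionary word + digit + punctuation": word_plus_suffix_bits(),
        "4-word Diceware passphrase": passphrase_bits(4),
        "9 random printable characters": random_password_bits(9),
        "10 random printable characters": random_password_bits(10),
    }


def online_vs_offline(bits, online_rate=10.0, offline_rate=1e10):
    """Seconds to exhaust the keyspace for a rate-limited online login versus
    offline cracking of a leaked fast hash. Both rates are constructed
    illustrations, not measurements."""
    return {
        "online": seconds_to_exhaust(bits, online_rate),
        "offline": seconds_to_exhaust(bits, offline_rate),
    }


def generate_random_password(length=16, alphabet=PRINTABLE):
    """What a password manager does for you: a CSPRNG draws each character
    uniformly, which is the only way the entropy figures above actually hold."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, bits in compare_strategies().items():
        print(f"{name:40s} {bits:6.1f} bits")
    print(f"appending one character grows the keyspace by {keyspace_growth_percent()}%")
    weak = word_plus_suffix_bits()
    times = online_vs_offline(weak)
    print(f"word+suffix: online {times['online'] / 86400:.0f} days, "
          f"offline {times['offline']:.3f} s")
    print("generated:", generate_random_password(16))
```

The comparison makes the book's claims concrete: the suffix trick lands near 25 bits, a 4-word passphrase near 52, and nine random characters near 59, and the same 25-bit password that would survive weeks behind a rate-limited login falls in milliseconds once its hash leaks, which is why login delays are no substitute for strength.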
“Joe handles a confusing and scary subject more clearly and calmly than I would have thought possible. I’ll be recommending this book to just about everybody I know.” —William Porter, database developer, author, photographer
iPad & Kindle
About the Author
Joe Kissell has written many books about the Mac, including many popular Take Control ebooks. He's also a contributing editor of TidBITS and a senior contributor to Macworld, and previously spent 10 years in the Mac software industry.
Table of Contents
Read Me First
Passwords are an irritating fact of modern life. It’s tricky to create and remember good ones, but dangerous to use simple ones (or reuse a password in multiple places). This book helps you overcome these problems with a sensible, stress-free strategy for password security. It was written by Joe Kissell, edited by Kelly Turner, and published by TidBITS Publishing Inc.
Think of a card, any card. Now, keep that card in mind and think of another. Repeat until you’ve picked twelve cards—but make sure your selection includes all four suits, at least one ace and one face card, and no two instances of the same card. Remember the whole set, because I’m going to ask you again tomorrow…
I’m joking, of course. But have you ever noticed that when magicians pull someone out of an audience to help with a trick, they never make such complicated requests? It’s not reasonable to ask someone to create a meaningless string of numbers and letters, remember it indefinitely, and produce it on demand.
But Web sites, banks, and network administrators make exactly that request of us almost daily. Want to buy something online? Sure, but you need more than a credit card—you need a password too. Sync this data with the cloud, sign up for that free service, manage your utilities or PTA schedule online…no problem, but you must have a password for that. “Make sure it’s between 10 and 14 characters, contains upper- and lowercase letters, at least one digit, at least one punctuation character, and doesn’t have any repeated strings. Oh yeah, and don’t even think about using a word that might be found in a dictionary or reusing a password you used anywhere else.”
Are you kidding me? This is madness. Coming up with unique, random passwords all the time, remembering them, and producing them reliably is not the sort of task the human brain is cut out for.
Faced with this difficult and increasingly absurd task, people naturally tend to look for shortcuts their brains can handle. They pick easy passwords, like their kids’ names or patterns of keys on the keyboard. Even if they go to the effort of creating something more complex, they use the same password everywhere, because then they have only one thing to remember instead of hundreds.
Speaking as a fellow human being, I don’t blame anyone for taking the easy way out. You might try to come up with clever, random-looking passwords the first few times, but once your list of password-protected accounts grows into the dozens, and then the hundreds, it’s not plausible to keep following the rules.
However, speaking as a technologist who has spent lots of time researching and thinking about security, I’m terrified for people who do this. I know how easy it is to guess, crack, or otherwise uncover someone’s passwords, because I’ve done it myself. And people with far greater skills and resources than mine spend all day, every day doing the same thing—not for legitimate security research but to steal money and secrets, to cause mischief, or to show off.
Every couple of months I read about another high-profile case in which millions of passwords are leaked, hacked, or stolen. And then I take a look at that list of now-public passwords and shake my head when I see that thousands of folks thought “password” was a pretty good password! I understand why they did it—they were only trying to manage an unmanageable problem—but I feel sorry for them, as their problems didn’t end with the site that was hacked. Because these people invariably use the same password on lots of sites, many of them had money and identities stolen, private email messages read, or hate mail sent in their name. It’s a big, scary deal.
Back in 2006, I wrote Take Control of Passwords in Mac OS X. In that book, I attempted to explain all the ways passwords are used on a Mac and give advice about the best ways to manage them. I offered the best guidance I could at the time, based on the available facts. But when I look back at that book now, I get an uneasy feeling because anyone who took my advice then might now be living with a false sense of security. The tools for guessing passwords and breaking encryption have taken massive leaps forward in recent years, with no signs of slowing down. What was safe then may be ridiculously insecure today.
On the bright side, the apps and techniques available to us good guys have improved too. While I can’t solve all the world’s password problems, with a combination of technology and common sense, I can probably help you solve about 98 percent of your password problems.
My goal in this book is to lay out a simple strategy that will keep you as secure as possible with a minimum of effort. Sometimes, I admit, there’s a trade-off between security and convenience. You have to choose which is more upsetting: adding another lock to your door or risking a break-in because the neighborhood’s gotten worse. But you might be surprised to discover that in many cases, you can significantly increase your security without extra effort. Remember how I said that generating and remembering random passwords is not something the human brain is good at? That’s true, but I’ll bet nearly every human reading this book has a computer as well as a smartphone or tablet, and those devices are fantastic at generating and remembering passwords—if you use the right apps, in the right ways, at the right times. (And yes, I’ll also talk about the situations in which your gadgets can’t help you. Don’t worry; those problems have solutions too.)
If all this talk of hacking and identity theft sounds scary, I’m sorry. I don’t mean to frighten you. Much. But I do want you to have a clear understanding of the threats out there so you’re motivated to adopt better password practices. It won’t take long, it won’t cost much, and it won’t be difficult. Once you’ve done it, you can go back to not being scared, just like me. In fact, that’s the whole point of my recommendations—I want you to be relaxed and confident, knowing that your passwords are solid and that you have an easy, reliable way to create and enter passwords whenever they’re needed.
This book is no rehash of Take Control of Passwords in Mac OS X, although I’ve borrowed a few sections that are still useful. Instead, I’m looking at the problem of passwords in a broad, platform-agnostic way. Whether you use a Mac or a PC, an iOS or an Android device, something else entirely, or—more likely—a combination, you’ll find guidance to help you take control of your passwords. By the end of this book, I hope you’ll thoroughly understand the vulnerabilities and threats associated with passwords, ways to minimize your risks, and how to use passwords safely without losing your sanity. No one can give you an ironclad promise of perfect, unbreakable security, but with the advice in this book, I can get you pretty darn close.
To get the most out of this book, I strongly suggest reading it in linear order because each chapter builds on the material that comes before it. Whatever else you do, don’t skip Apply Joe’s Password Strategy, because using just a piece of my strategy (such as a password manager app) may solve only part of the problem while making others worse!
Find out what’s wrong with passwords and the ways most people use them; see Understand the Problems with Passwords.
Discover what makes a good password and why that’s not all you have to worry about; see Learn about Password Security.
Learn my three-point password strategy—and what to do in situations that don’t fit into it; see Apply Joe’s Password Strategy.
Arm yourself with a good cross-platform app for creating, remembering, and entering random passwords; see Choose a Password Manager.
Make sure your passwords don’t fall into the wrong hands while remaining available when needed; see Keep Your Passwords Secure.
Clean up all those awful passwords you created before you saw the light; see Audit Your Passwords.
Deal with systems that use a password in combination with another authentication method (such as a secure token or SMS verification); see Appendix A: Use Two-factor Authentication.
Get advice for improving password security for someone who’s unwilling or unable to follow my regular strategy; see Appendix B: Help Your Uncle with His Passwords.
Give a talk about password security; see Teach This Book.
Version 1.3 of this book makes several clarifications and adds details that bring it up to date as of early 2015. Some of the interesting changes are:
In the sidebar A Future without Passwords?, I added a topic about proximity-based logins and removed the mention of Passboard.
In the topic All about Entropy, I added a link to an article about common patterns people use when creating supposedly strong passwords, as well as a sidebar called Assessing Password Strength. I also explained why XKCD-style passwords (like “correct horse battery staple”) may not be as safe as they appear.
Added a paragraph in Multi-factor Authentication that mentions Yahoo’s new password-by-SMS feature (which is not, in fact, multi-factor authentication at all).
Included a new sidebar, A Question of Trust, which discusses whether it’s reasonable to put one’s trust in a password manager. (Spoiler: yes, it’s reasonable.)
Updated the discussion of 1Password to describe some of its new capabilities in iOS 8.
Revised the information on LastPass to include the fact that a native Mac app is now available.
Revised the sidebar IDKEY to clarify that the product has been renamed (from myIDkey) and is still not shipping.
In Use Apple’s Two-step Verification, revised the description of where and when Apple prompts users for a security code.
Version 1.2 of this book is a minor revision to keep the book up to date with the latest password developments and operating systems, and correct a few errors. The most significant changes are these:
Corrected and expanded my explanation of password cracking times in Threat #3: Brute-force Attacks
Added a note about an article explaining how experienced password crackers operate in All about Entropy
Mentioned Diceware as a technique for creating passwords you must memorize; see Create Strong but Memorable Passwords
Clarified the need for encryption of some sort for email logins in Manage Email Options
Added coverage of Dashlane and iCloud Keychain to the discussion of password managers, and removed mSecure
Updated minor facts about Keeper, SplashID Safe, and myIDkey
Mentioned the importance of changing your Wi-Fi router’s administrative password in Use Wi-Fi Encryption
Added a tip about Authy in Use Google’s Two-step Verification
Version 1.1 is a fairly minor update intended mainly to address questions prompted by the book’s initial release and to add extra detail in a few key areas. The major changes are these:
There are lots of great ways to read our ebooks on these devices. For more details, please read our latest Device Advice.
Feel free to ask us if you have a question about this title!
How could we not publish such kind words? If you'd like to send us your comments (good or bad, though we hope they're all good), just click the Feedback link on the cover of your copy of the ebook. Be sure to let us know if we can publish your comment. Thanks!
"I've purchased several of [Joe's] books and found them more than helpful... you have kept me from committing technocide and offing my computers and iPhone. I am going to purchase more of your books as soon as I'm finished with this email." —Michael Israel, performance artist
"I've been reading your Take Control books for years, and this book is the best yet. Just the right amount of knowledge to inspire action. The way most people do this stuff is frightening. I, for one, am going to move my personal stuff to your new system." —Matt C.
"The author provides many useful tips to assist developing passwords and password management strategies. Do you know what a VIP list is relative to password security? I didn’t, but I do now, and I’m using it!" —David M. Acklam, MyMac review
April 30, 2015 -- With this book just updated, we don't have any particular plan for when we'll update it next.
May 19, 2015 --
While you won’t find any doughty Hobbits assailing Mount Doom in this trilogy, Joe Kissell and Chuck Joiner do spend 50 minutes describing what you will find in the latest releases of Joe’s three Take Control books about digital security and why he separated them into three separate titles: Take Control of Your Online Privacy (now in its second edition), Take Control of Your Passwords (now at version 1.3), and his latest addition to the collection, Take Control of Security for Mac Users. Fire up your firewall and give a listen to this MacVoices interview.
—Michael E. Cohen
April 15, 2014 --
For anyone who is wondering, neither the Take Control Web site nor the eSellerate ecommerce site that we use for purchases were ever vulnerable to the Heartbleed bug, so you don't need to worry about the security of your Take Control transactions or account information. There's no reason to change your Take Control password either, although it's always a good idea to do that if your current password is weak (under 13 characters, uses dictionary words, relies on any pattern, etc.).
April 12, 2014 --
The startling and disheartening news about the recently discovered Heartbleed Internet security vulnerability no doubt has you wondering, “What should I do? What can I do to protect myself and my data?” The answer is, “Change your passwords for the affected sites. But not necessarily immediately, and not all at once.” Why not immediately? Because the vulnerability affects a wide range of servers across the entire Internet, and not all of those affected servers have been patched—changing your password on an unpatched server simply means that your new password may be purloined just as easily as your old one. Instead, you should avoid logging in to unpatched sites and servers until they are patched, and change your password at that point. The TidBITS article The Normal Person’s Guide to the Heartbleed Vulnerability provides several links to help you figure out which servers are vulnerable and which have been patched, and provides guidance about what you should do to protect yourself and when you should do it.
Eventually, of course, you will have a bunch of passwords to change.
If you use password-management software, such as LastPass or 1Password, that software can help you with that unwelcome but essential task. (AgileBits, the developer of 1Password, has posted an Updating Your Site’s Password guide to help you with your labors.) Browse safely, my friends.
—Michael E. Cohen
February 28, 2013 --
Chuck Joiner and cartoon superhero Joe Kissell discuss Joe's new book and the advice it offers for corralling the wild herds of passwords you've probably acquired over the years. Plus, you get to view Joe's new stateside center of operations and its advanced technology (much of it cleverly disguised as shipping boxes). See the video here or listen to the audio here.
—Michael E. Cohen
February 27, 2013 --
If you are using an older version of Mac OS X, such as 10.6 Snow Leopard, here is useful and still applicable information about using the Keychain, Mac OS X's system-wide password manager, taken from Joe's earlier Take Control of Passwords in Mac OS X, Second Edition.
—Michael E. Cohen