I'm trying to update and secure (and organize) my user accounts, and one thing that's been in the techy media recently is the danger of "daisy chaining".

Daisy chaining is when you have one account that is tied to all your other accounts, so that if someone stole that account they could use it to easily gain access to everything else.

For example, an Apple ID that is the password-resetting email for your Gmail account which was used to register for Twitter and everything else.

All that has to be done is getting hold of the Apple ID, and a malicious person can remotely wipe out your computers.

And as that link shows, that can be done by human error (social engineering 'hacks') on the part of Apple or Amazon, despite your own security precautions.

I use two-step authentication where supported, but I'm trying to think of how to "wall off" my accounts from each other so one failure doesn't bring the whole tower crashing down.

What are your thoughts about account security online?

I do this:

-The longest password I have is the one I use for my primary email. That's because almost every site has a 'send me a new password' feature.

-Each site has a different password. (all my passwords are sort of similar, but contain an additional word related to that site. So maybe '1#PasswordFaceBookSux'

-I don't 'login with facebook' or otherwise link my accounts together.

-I don't use a password manager.

-I don't 'login with facebook' or otherwise link my accounts together.

Is there danger in that? I don't use Facebook, but I use Google. Since most accounts are registered with a gmail address, is there any greater risk (than already exists) to using "Log in with Google"?

I do this: for every (website, username) combination that I use e.g. (www.gamedev.net, Bacterius) where the username can of course be an email - any public login credentials, really - and then derive a strong, unique password from this combination along with a strong master password that only I know (and that I only use for this). That way the passwords for all of my accounts are completely unrelated, and compromising one cannot possibly compromise the others (and can then be replaced as needed). There is the usual downside, if the master password is compromised then you lose everything, but that is kind of a "worst case scenario" situation that most techniques cannot survive, e.g. your Truecrypt key is compromised, so it's not really any worse than the alternatives overall. And of course a cool thing is that it does not actually store the passwords anywhere, but recalculates them as needed, and if you are really paranoid it is possible to go 100% stateless if you accept a few things such as lack of password checking and have a good memory.

At the moment I have my own custom tool to do that but as it admittedly is somewhat awkward to use outside of a home setting, I've been thinking of implementing it as a plugin (with a more general-purpose interface than website/username) in a popular password database software, where you would also get browser integration for free. But I haven't gotten around to that yet. Oh and of course you don't *have* to recalculate the passwords every single time, if you have good memory you can actually end up remembering those that you use most often (if you generate them in a suitable format, e.g. a "four words" kind of thing which is not impossible to remember).

I still have a few throwaway passwords that I use on random forums and the like, of course. And that scheme doesn't handle cases where the password is chosen for you and cannot be changed, but those are pretty rare anyway, haven't come across one yet.

Of course this is just a band-aid until the internet actually moves on to a better infrastructure than passwords to provide authentication, but it does its job well.

But the problem is that unique passwords can just be reset by an attacker: "Forgot your password? Click here"

All they need is your email account, and they can get your email account by social-engineering the company running it.

One weak point, depending on human error (and not your own error, mind you), and they get access to it all.

How do you protect from that, plan for recovery if it happens, and mitigate the damage?

But the problem is that unique passwords can just be reset by an attacker: "Forgot your password? Click here"
All they need is your email account, and they can get your email account by social-engineering the company running it.

One weak point, depending on human error (and not your own error, mind you), and they get access to it all.
How do you protect from that, plan for recovery if it happens, and mitigate the damage?

Well you can't protect from that if you only use passwords for authentication. If the attacker has access to your email account, which is what almost all password recovery schemes depend on, you're screwed, since those schemes make the implicit assumption that your email account is secure. I guess you could run your own mail server, but even then mail is not encrypted, so a sufficiently determined attacker will still get the new passwords if he wants to. At that point all you've got left is safety in numbers and not being a target. The "right solution" would be, as I said, a better internet-wide infrastructure for managing passwords or other credentials that does not rely on an insecure channel such as email to reset passwords. But email is one of the few technologies that:

a) has existed for decades

b) is near ubiquitous

c) just works

Which makes it an ideal medium for centralizing various critical management tasks on behalf on the user.

As for recovery and mitigation, again, it partly depends on what the website in question has in place to handle this. For instance, in the case of banks, if you get your account compromised, there are - ideally - tons of heuristics that will put your account on lockdown if suspicious activity is detected, which can only be resolved by a phone call or other difficult-to-impersonate procedures. But a random website is likely not to care at all, after all, how do they know you did get your account compromised and aren't just someone up to no good? Unless they have some way to verify your own identity, you could be the attacker for all they know. Security questions tried to do this, but it doesn't work.

And, of course, yourself taking quick action can always help, rather than letting the attacker roam free with your account and doing as much damage as possible. For instance, sending a PM to a moderator to get him to temporarily ban your account until the situation can be resolved, etc... there is no one mitigation approach that will work for everything, ultimately you need to convince the website that your account really was compromised and that you have regained control somehow.

But the bottom line is, if you only use a password, the attacker can reset your passwords, and can also read the new passwords, you've simply lost. There is no security at all to be had in that situation. Your account is his in every way that matters to the website.

FORTUNATELY, we know that passwords and in general "what I know" challenges are not the only way to authenticate yourself to a website or other party. There are two others: "what I am", and "what I have [physically]". The first option falls into the category of biometric signatures, which obviously don't work too well over the internet, so these are usually used when physical access is already implied, and where high security is required. The second one is more promising, since it's about things like credit cards, security tokens, actual keys, which are hard to replicate, hard to steal, and relatively easy to track.

Websites which implement a login procedure requiring both a password ("what I know") and a challenge based on "what I have" are said to support two-factor authentication. For instance, websites might have a little smartphone app that requires a one-time secure setup (which presumably the attacker is not around to snoop on of) and then outputs short PIN's in sync with the website itself (with no shared state) which means an attacker cannot login with just the password, but also needs the valid PIN at that moment in time. Which means that to log in, he must acquire physical access to either the website's servers (at which point he has everything either way) or yourself, making it more secure than a traditional password-based system.

Two-factor authentication is becoming more common, but is not really standardized, so it's kinda hard to make it work properly without inconveniencing (or straight up alienating) users. But I think it will become better in the future, and that it is the future either way. Information-based security is not sufficient in the face of side channel attacks such as social engineering, at that point you really need another layer of security (be it two-factor authentication or something else). We're not quite at this stage yet, but the entire security infrastructure of the internet is in a rather precarious position currently, and it doesn't take much to completely subvert it given the opportunity (as you've noticed).

To conclude, though, never forget that we are imperfect humans living in an imperfect world, and that complete security is a myth. It all boils down to how secure you need to be relative to how much you are willing to pay or do to to achieve that goal. In other words, how valuable you are.

Thank you for that writeup, Bacterius. Would +1 if we weren't in the lounge.

You could set up your own mail server that handles password resets to avoid the social engineering vector. The difficulty with running your own server out of your house is in *sending* mail, so you could just use normal e-mail accounts for actual communication.

There's a thought! But people lose control of their domain names all the time, forgetting to re-up or whatever else.

If I did it without a domain name (signups@173.194.46.36), then that'd be really difficult, because IP addresses (even static ones) aren't a guarantee.

I do use two-factor authentication with cell phones. Though I need to keep track of what sites I use it with, come to think, incase my cellphone number changes.

In the article I posted above, part of the social hacking involved using the last four digits of the individuals credit card as a proof of identity, so it seems one important precaution (in retrospect, this should be common-sense but I hadn't thought it through before) would be to separate your online social accounts from your online shopping accounts. Your shopping accounts would also include your GoDaddy (or whatever) domain name purchasing and webhosting accounts, rather than connecting your Amazon accounts and your Twitter by a common email.