My company is in the process of performing a full technology asset inventory. On Thursday morning, about half an hour into the day, one of the poor souls tasked with scanning barcodes on thousands of computers came by my desk asking to look at my technology. HP, in all of their engineering prowess, decided to hide away the tag underneath the battery on their EliteBook line. One can only imagine the perturbed looks this guy received from each software engineer in my office who had to gracefully close many running applications to perform the first shutdown of their machine in a long time.
When he was finished scanning the barcode, I began the process of booting and picking up where I left off. As someone who is somewhat security minded, this is no short process. At a bare minimum, it goes something like this:
- Log into Windows using a unique password.
- Log into Authy using a unique password.
- Log into LastPass using a unique password and a one-time code from Authy.
- Copy 100-character unique passwords from LastPass (which requires a re-prompt of my LastPass master password each time) to log into two different source code repositories.
- Copy 100-character unique passwords from LastPass into two separate bug tracking applications.
All this is before launching one or more IDEs, monitoring tools, build tools, etc. depending on the project for the day.
Proper security almost always comes at the expense of convenience. Hopefully that tradeoff will become less taxing as technology improves, but for now, that is the cost of computing securely.
The upside, though, is the ability to leverage inconvenience for productivity. For every single work-related authentication process, ten authentications to time-wasters hinder distraction. When muscle-memory urges me to press “CTRL”+“T” and allow my browser to autocomplete “feedly.com,” I am faced with a decision. Do I want to spend ten seconds logging into my “quick” distraction, or do I give it up and revert to the productive task at hand?
Authentication, in its simplest form, is the process of verifying who you are to someone else. In the old days, this only required a firm handshake from a known friend or business associate. In the age of the Internet, though, genuinely secure authentication is a more difficult proposition.
Passwords are the O.G. of authentication. They have been around since before the invention of the computer, and will likely hold the crown as the most common method for at least a few more years.
The great challenge with passwords, though, is that they have to provide verification that you are who you say you are. It is quite easy to fake a password-based identity during an era of database dumps and supercomputers capable of rainbow table computations.
The solution is for the user to utilize a unique, complex password for each different service. Naturally, this stretches the limit of human memory, so tools like password managers were brought into existence. While password managers are a decent solution to the problem, they require an extra step every time you want to authenticate with a service. While an annoyance, if the number of services that seek to distract is greater than the number of services that provide gain, the math can work in our favor.
Using a unique, complex password is great, but by introducing other factors of authentication into the process, you can further protect your accounts from would-be thieves. Services implement two-factor auth most commonly by providing a time-sensitive code, either generated by an algorithm that hashes a secret unique to your account together with the current time (see Google Authenticator or Authy) or sent to your phone over SMS (the latter of which is highly insecure; just ask DeRay McKesson). Trust me, though, when I tell you that you really start asking yourself, “Is it really worth it to copy/paste two passwords from two different sources just to check my email for the 5th time this morning?”
So, by implementing unique passwords and multi-factor authentication, we have increased the barrier to using productive and time-wasting services alike. However, once we overcome the initial authentication process, what is keeping us from quickly popping back to Facebook in our browser before we even realize what our fingers are doing?
Websites plant a cookie in your browser when you log in that ensures that you remain logged in for a reasonable amount of time. Even if you close your tab, the cookie persists, allowing you to be instantly back to their service, browsing a feed riddled with effective advertisements.
The solution, though, is to instruct your browser to forget these cookies when you close their relevant tab. By installing a cookie manager extension (Self-Destructing Cookies for Firefox or Vanilla Cookie Manager for Chrome), you can force yourself to re-authenticate if you decide to return to a time-sucking feed. There are also privacy and security benefits to destroying cookies that are not currently required.
If you are one of the majority of Internet citizens who recognize the need for security and have great intentions to harden your safety, but never seem to make the time to do it, think about it this way. The next time you snap out of your mid-afternoon daze of scrolling through a feed, implement a self-control mechanism while also strengthening your security. Change your password for that distraction to a unique, complex password stored in LastPass. The extra time now creates extra time later. Your future A.D.D.-self will thank you.
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer.