A better personal password solution

A lot has been written recently about people getting hacked and having their digital lives (and sometimes their real-world lives) thrown into turmoil as a result.

Most of the time, people report that they were too lax in their password systems – the biggest culprit is reusing the same, easier-to-guess password everywhere.

Here are my suggestions for finding the right balance between security and sanity.  This takes all of an hour to set up across all of the primary accounts you use, and is a great way to get yourself more secure to kick off the new year:

  1. Use Gmail, and apply the two-step verification.  Google has a security feature called “two-step verification” that changes your login process so that besides a password, you must also enter a six-digit code that is texted to your phone when you try to log in.  This dramatically increases the security of your Gmail account, because an attacker would need both your password and your phone in order to access your account.
  2. Make use of Gmail’s “.’s are ignored” convention. My email address is jgirard@gmail.com.  But emails sent to j.girard@gmail.com, jg.irard@gmail.com, etc, also get to me, because Google treats those email addresses as equivalent to jgirard@gmail.com.  This is handy, because on other sites, where the “.” is not overlooked, I can use a version of my email address that includes a “.” as the username.  That way, if someone knows my email address, they don’t automatically also know my username at other sites I use.  This is particularly useful for services like Apple where obscuring the username may help to deter hackers (for example, I use jgirar.d@gmail.com as my username at Apple).
  3. Create two random 8-character passwords, the only things you will need to remember.  This is best left to a computer to create, but in any case make sure both passwords have a mix of letters and numbers, are not English words, and have at least one punctuation mark in the middle.  One of these passwords will be your Gmail password.  The other will be your “root” password and will form the basis of the passwords for every other site you visit.
  4. Create your own “hash” to build passwords for every site you use.  Let’s pretend that our root password from step 3 above is “alDk7!ru”.  I will need to commit that character combination to memory.  Then each site that I visit gets a unique password based on this root password, where (for instance) the first letter of the password is the second letter of the site URL, and the last letter of the password is the second-to-last letter of the site URL.  As an example, using this scheme, my password for Amazon (with a URL of www.amazon.com) would be “malDk7!ruo”, since “m” is the second letter of the “amazon” part of the URL, and “o” is the second-to-last letter of the “amazon” part of the URL.  Of course, you could choose any similar scheme for generating your passwords, as long as you apply the same scheme to any site you use.
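To make steps 2 and 4 concrete, here is a small Python script (an added example written for this page, not code from the original post) that implements both conventions exactly as described above: it canonicalises a Gmail address by dropping the dots in the local part, and it derives a site password from the root password using the “second letter / second-to-last letter of the site name” rule.  The post does not say how to pick the “site name” out of a URL with subdomains or a two-part suffix such as .co.uk, so the `site_label` helper’s handling of those cases is my own assumption, as are the function names; the root password “alDk7!ru” is the post’s own illustration.

```python
from urllib.parse import urlparse

# The post's illustrative root password (step 3). Constructed example value.
ROOT_PASSWORD = "alDk7!ru"

# Labels that commonly sit directly under a country-code TLD (co.uk, com.au, ...).
# Assumption: when one of these is second from the right, the real site name is third from the right.
SECOND_LEVEL_SUFFIXES = {"co", "com", "net", "org", "ac", "gov", "edu"}


def gmail_canonical(address: str) -> str:
    """Return the form Google actually delivers to: case-folded, dots in the local part removed.

    j.girard@gmail.com, jg.irard@gmail.com and jgirar.d@gmail.com all map to jgirard@gmail.com.
    """
    local, at, domain = address.strip().lower().rpartition("@")
    if not at or domain != "gmail.com":
        raise ValueError(f"not a gmail.com address: {address!r}")
    return local.replace(".", "") + "@" + domain


def site_label(url: str) -> str:
    """Extract the 'amazon' part from 'www.amazon.com' or 'https://www.amazon.com/gp/cart'.

    Assumption (not specified in the post): strip a leading 'www', then take the registrable
    label, looking one label further left for suffixes like 'co.uk'.
    """
    # urlparse only finds a hostname when a scheme or '//' is present.
    host = urlparse(url if "//" in url else "//" + url).hostname or ""
    parts = [p for p in host.split(".") if p]
    if parts and parts[0] == "www":
        parts = parts[1:]
    if len(parts) < 2:
        raise ValueError(f"cannot determine a site name from {url!r}")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL_SUFFIXES:
        return parts[-3]
    return parts[-2]


def derive_site_password(root: str, url: str) -> str:
    """Apply the post's scheme: <2nd letter of site name> + root + <2nd-to-last letter of site name>."""
    name = site_label(url)
    if len(name) < 2:
        raise ValueError(f"site name {name!r} is too short for this scheme")
    return name[1] + root + name[-2]


def root_visible_in(leaked_password: str, root: str) -> bool:
    """Check whether a derived password contains the root verbatim (it always does under this scheme)."""
    return root in leaked_password


if __name__ == "__main__":
    for addr in ("jgirard@gmail.com", "j.girard@gmail.com", "jgirar.d@gmail.com"):
        print(f"{addr:22} -> {gmail_canonical(addr)}")
    for url in ("www.amazon.com", "https://www.amazon.co.uk/", "accounts.example.org"):
        pw = derive_site_password(ROOT_PASSWORD, url)
        print(f"{url:28} -> {pw}  (root visible: {root_visible_in(pw, ROOT_PASSWORD)})")
```

Running it reproduces the post’s example (“malDk7!ruo” for www.amazon.com) and shows the three dotted spellings of the address collapsing to one mailbox.  The `root_visible_in` check is there for the caveat a practitioner would want to see: every password produced this way contains the root verbatim, so a single site password exposed in a breach reveals the root, and with it the rule, to anyone who reads the dump.  A password manager that stores independently random passwords does not have this property, and is the safer way to get the “unique password per site” benefit the post is after.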

Now you’re pretty secure.  You have:

  • Unique passwords for every site you visit
  • Passwords that you can actually remember (or rather “re-generate”) anytime you visit a site
  • A random password for your Gmail account, not connected to any other site you visit
  • Two-step verification on Gmail, which makes it much more secure
  • Obfuscated usernames and/or account reference IDs by virtue of using the “.’s are ignored” convention in Gmail email addresses

While this won’t guarantee you will never have your accounts compromised, it goes a long way towards discouraging would-be attackers.

Have fun!