A lot has been written recently about people getting hacked and having their digital lives (and sometimes real world live) thrown into turmoil as a result.
Most of the time, people report that they were too lax in their password systems – the biggest culprit is reusing the same, easier-to-guess password everywhere.
Here are my suggestions for finding the right balance between security and sanity. This takes all of an hour to setup across all of the primary accounts you use, and is a great way to get yourself more secure to kick off the new year:
- Use Gmail, and apply the two-step verification. Google has a security feature called “two step verification” that changes your login process so that besides a password, you must also enter a 6 digit code that is texted to your phone when you try to login. This dramatically increases the security of your Gmail account, because an attacker would need both your password and your phone in order to access your account.
- Make use of Gmail’s “.’s are ignored” convention. My email address is jgirard@gmail.com. But emails sent to j.girard@gmail.com, jg.irard@gmail.com, etc, also get to me, because Google treats those email addresses as equivalent to jgirard@gmail.com. This is handy, because on other sites, where the “.” is not overlooked, I can use a version of my email address that includes a “.” as the username. That way, if someone knows my email address, they don’t automatically also know my username at other sites I use. This is particularly useful for services like Apple where obscuring the username may help to deter hackers (for example, I use jgirar.d@gmail.com as my username at Apple).
- Create two random 8-character passwords, the only things you will need to remember. This is best left to a computer to create, but in any case make sure both passwords have a mix of letters and numbers, are not English words, and have at least one punctuation mark in the middle. One of these passwords will be your Gmail password. The other will be your “root” password and will form the basis of the passwords for every other site you visit.
- Create your own “hash” to build passwords for every site you use. Let’s pretend that our root password from step 3 above is “alDk7!ru”. I will need to commit that character combination to memory. Then each site that I visit gets a unique password based on this root password, where (for instance) the first letter of the password is the second letter of the site URL, and the last letter of the password is the second to last letter of the site URL. As an example, using this scheme, my password for Amazon (with a URL of www.amazon.com) would be “malDk7!ruo”, since “m” is the second letter of the “amazon” part of the URL, and “o” is the second to last letter of the “amazon” part of the URL. Of course, you could choose any similar scheme for generating your passwords, as long as you apply the same scheme to any site you use.
Now you’re pretty secure. You have:
- Unique passwords for every site you visit
- Passwords that you can actually remember (or rather “re-generate”) anytime you visit a site
- A random password, not connected to any other site you visit for your Gmail account
- Two-step verification on Gmail, which makes it much more secure
- Obfuscated usernames and/or account reference IDs by virtue of using the “.’s are ignored” convention in Gmail email addresses
While this won’t guarantee you will never have your accounts compromised, it goes a long way towards discouraging would-be attackers.
Have fun!
Good stuff, John! I have pretty strong passwords (less strong than what you suggest) but I do use the same few in multiple places. Didn’t know about the gmail thing at all.
The key with this, I think, is that its very hard to be 100% secure anymore, but its possible to change things up to avoid the most common exploited mistakes in choosing passwords. Thanks for the comment!
This has been on my mind, so your post is timely for me. I’m wondering what do you think about solutions like keepersecurity or lastpass?
I’m a fan of these kinds of services – especially if you use them to generate unique passwords for every site you visit. In keeping with the idea that a password solution is only as strong as the weakest link, if you use lastpass (for example) to store a bunch of passwords that are easy to guess or reuse the same password on multiple sites, it won’t offer you any advantages. Similarly, if you use lastpass’s autologin features but don’t password protect your computer, anyone that’s able to launch a browser on your machine can access any site whose credentials have been “remembered” by lastpass.
If, on the other hand, you use lastpass to generate unique passwords for every site, have a near impossible-to-guess master password, and password protect your machine as well, you’re about as secure as possible.
The only advantage my method has is that it makes it possible to enter your password from memory when asked for it. For instance, when I connected my AppleTV to Netflix, I already knew my Netflix password and didn’t have to go look it up in lastpass while I was setting things up. As more and more services are interconnected this way, the convenience is not insubstantial.
Thanks for the detailed response. I really appreciate you doing some thinking on this subject for the rest of us.
My pleasure!