A better personal password solution

A lot has been written recently about people getting hacked and having their digital lives (and sometimes their real-world lives) thrown into turmoil as a result.

Most of the time, people report that they were too lax in their password habits: the biggest culprit is reusing the same easy-to-guess password everywhere.

Here are my suggestions for finding the right balance between security and sanity. This takes all of an hour to set up across the primary accounts you use, and is a great way to get yourself more secure to kick off the new year:

  1. Use Gmail, and turn on two-step verification.  Google has a security feature called “two-step verification” that changes your login process so that, besides a password, you must also enter a six-digit code that is texted to your phone when you try to log in.  This dramatically increases the security of your Gmail account, because an attacker would need both your password and your phone in order to get in.  Your email account deserves this extra protection more than any other, because the password-reset links for nearly every other site you use are delivered to it.  If Google offers you a code-generator app instead of text messages, prefer it: a code sent over SMS can be diverted by anyone who manages to take over your phone number.
  2. Make use of Gmail’s “.’s are ignored” convention. My email address is jgirard@gmail.com.  But emails sent to j.girard@gmail.com, jg.irard@gmail.com, etc., also reach me, because Google treats those addresses as equivalent to jgirard@gmail.com.  This is handy, because on other sites, where the “.” is not overlooked, I can use a version of my email address that includes a “.” as the username.  That way, someone who knows my email address does not automatically know my username at the other sites I use.  This is particularly useful for services like Apple, where obscuring the username may help to deter attackers (for example, I use jgirar.d@gmail.com as my username at Apple).  Treat this as obfuscation rather than a secret: the dotted variants of an address form a small, easily enumerated set, and every one of them lands in the same inbox, so the account-recovery path is unchanged.
  3. Create two random 8-character passwords; these are the only things you will need to remember.  This is best left to a computer to generate, but in any case make sure both passwords mix upper- and lower-case letters with digits, are not dictionary words, and have at least one punctuation mark in the middle.  Eight random characters is the floor, not the ceiling: every additional character multiplies an attacker’s guessing work, so go longer if you can still remember the result.  One of these passwords will be your Gmail password.  The other will be your “root” password and will form the basis of the passwords for every other site you visit.
  4. Create your own “hash” to build passwords for every site you use.  Let’s pretend that our root password from step 3 above is “alDk7!ru”.  I will need to commit that character combination to memory.  Then each site that I visit gets a unique password based on this root password, where (for instance) the first character of the password is the second letter of the site’s name and the last character is the second-to-last letter of the site’s name.  By “site’s name” I mean the label just before the top-level domain: “amazon” in www.amazon.com.  As an example, using this scheme, my password for Amazon would be “malDk7!ruo”, since “m” is the second letter of “amazon” and “o” is the second-to-last letter.  Of course, you could choose any similar scheme for generating your passwords, as long as you apply the same scheme to every site you use.  Two caveats.  First, this is a fixed rule, not a hash in the cryptographic sense: anyone who obtains one of your derived passwords (from a site that stored it carelessly, or from a phishing page) can read the root straight out of the middle and rebuild your password for any other site, so a single leak still needs to be treated as a leak of everything.  Second, settle the edge cases up front (very short names, sites that move to a new domain) so that you always regenerate exactly the same password.
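To make the rule in step 4 concrete, here is an added example, written for this page rather than taken from the original post, that implements the derivation in Python using the post’s sample root “alDk7!ru” and the label before the top-level domain as the site name. The `recover_root` and `derive_hmac` functions are my additions: the first shows why a leaked per-site password gives the root away, and the second shows what a real keyed hash of the same inputs looks like for contrast. The site names fed to it are constructed inputs, not real accounts.

```python
"""Added example: the post's per-site password rule, written out."""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical root password, the same sample value the post uses.
ROOT = "alDk7!ru"


def site_label(url: str) -> str:
    """Return the name the rule keys on: 'amazon' for www.amazon.com.

    Accepts a bare host or a full URL. A leading 'www.' and the final
    label (the top-level domain) are dropped. Two-part suffixes such as
    .co.uk are not special-cased; that is a simplification of this example.
    """
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    labels = [part for part in host.split(".") if part]
    if labels and labels[0] == "www":
        labels = labels[1:]
    if len(labels) >= 2:
        labels = labels[:-1]  # drop the top-level domain
    if not labels:
        raise ValueError(f"no usable site name in {url!r}")
    return labels[-1]


def derive_manual(root: str, url: str) -> str:
    """The post's rule: 2nd letter of the name + root + 2nd-to-last letter."""
    name = site_label(url)
    if len(name) < 2:
        # Edge case the rule does not define; fail loudly rather than
        # silently produce a password you could not regenerate later.
        raise ValueError(f"site name {name!r} is too short for the rule")
    return name[1] + root + name[-2]


def recover_root(leaked_password: str) -> str:
    """Why the rule is not a hash: one derived password in an attacker's
    hands gives the root back by trimming a character off each end, and
    with it every other site's password."""
    return leaked_password[1:-1]


def derive_hmac(root: str, url: str, length: int = 16) -> str:
    """Contrast (my addition, not the post's scheme): a keyed hash with the
    root as key and the site name as message. A leaked output reveals
    neither the root nor any other site's password. The price is that the
    result is not something you can regenerate in your head."""
    mac = hmac.new(root.encode(), site_label(url).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()[:length]


if __name__ == "__main__":
    # Constructed sample sites; none of these values are real credentials.
    for url in ("www.amazon.com", "https://mail.google.com/", "ebay.com"):
        print(f"{url:28} manual={derive_manual(ROOT, url):<12} "
              f"hmac={derive_hmac(ROOT, url)}")
    leaked = derive_manual(ROOT, "www.amazon.com")
    print("root recovered from one leaked password:", recover_root(leaked))
```

Run it directly to see the manual and HMAC-derived values side by side. The point of the contrast is that `ROOT` appears verbatim inside every `derive_manual` output, while no `derive_hmac` output contains it or lets you compute another site’s value.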

Now you’re pretty secure.  You have:

  • Unique passwords for every site you visit
  • Passwords that you can actually remember (or rather “re-generate”) anytime you visit a site
  • A random password for your Gmail account, not connected to any other site you visit
  • Two-step verification on Gmail, which makes it much more secure
  • Obfuscated usernames and/or account reference IDs by virtue of using the “.’s are ignored” convention in Gmail email addresses

While this won’t guarantee you will never have your accounts compromised, it goes a long way towards discouraging would-be attackers.

Have fun!

Putting down the masks: Facebook and the collapse of identity

A curious thing happened a few years ago when I came back to Facebook after a break: I was afraid to post anything.

Well, not afraid exactly, but confused: I couldn’t think of anything that would make equal sense to all of my Facebook friends.  If I posted about the perils of venture capital, my non-work friends wouldn’t care much about it, and if I posted about my kids, my work friends might find it strange.

It turns out this wasn’t a problem of imagination — it was a problem of identity.

Basically, I couldn’t figure out a way to post something that would fit all of my various identities — in other words, I couldn’t find any single status update that would fit all of the roles I was playing in my life.

This concerned me.

I wasn’t so worried about not finding the right words to say, mind you.  What worried me was that I was playing so many roles and that some of them seemed to run counter to others (an enterprise software company CEO who also played guitar and liked to read books on quantum physics and play Monopoly with his kids?  I wasn’t sure how to hold all of those disparate things together.)

In the end I need not have been worried: the problem is not a new one.  If we take a paleo-view on all of this we see that even in the earliest iterations of culture, individuals had to play multiple and sometimes conflicting roles (take the tribal chief, who also had a role as a mate, a hunter among hunters, a father, and a son).

The real challenge I was facing, though, was that the Facebook of a few years ago didn’t support the idea of context.  Anything I published to the site was by definition broadcast to all of my friends, regardless of the role that I played in their lives and they played in mine. Colleagues and high school friends and my family all got the same thing. This, of course, has led people to all kinds of curious decisions about using Facebook — only accepting friend requests from coworkers at or above them on the org chart for example (that is, people that fit certain contexts) or even creating multiple Facebook profiles to represent separate personae (I know many teachers that have done this).

Google was tackling precisely this problem when they launched Google+ with the concept of circles at the core — the “circle” idea in Google+ is centered around identity, and basically allows me to show different faces to different groups of people.  Facebook followed the circles experiment with its own take, allowing Facebook users to publish only “to” (or “at”) certain groups of friends, excluding others.

The reality, though, is that the process of building and maintaining these “contexts” in Facebook and Google+ is too cumbersome to be of much use, so not many people use them.  What has resulted, though, is a little unexpected: I would argue that these technologies have caused a kind of “collapse” of multiple identities back down into a single cohesive identity for many of us.

This is a wild and unprecedented result, if it’s true.  I can say that for me this is exactly what has happened — I decided that the easiest thing to do was collapse all of the personae, and settle on just one: me.  The result is that what I write here, on Facebook, on Twitter, and pretty much anywhere else is written in the same voice and from the same viewpoint.  I don’t attempt much to manage this identity vs. that one anymore.  And I’m much happier for it.

It’s pretty clear to me that I’m not the only one that has made this choice and is now living this way.  I don’t have to look much further than Facebook itself to see friends of mine that are captains of industry posting pictures of themselves in shirtsleeves at the neighborhood bbq.  And while it may make PR people and image consultants squirm, I think the effect is much more trust and authenticity than could ever be effectively manufactured by marketers.  It can lead to some messiness, to be sure, but being human is a messy business, and I’ll take messy and authentic over polished and opaque any day.