
Unfortunately there’s no mystical password out there in the ether that can secure all of your online accounts forever. One great password isn’t nearly enough. You need a layered password strategy with a unique login for each of your online accounts. But the same technology that forces you to have multiple passwords – giving you a headache – can actually relieve you of having to do any additional brainwork at all.
Security Is A Strategy, Not A Solution
We tend to treat security like an egg: a hard shell on the outside, but once it’s cracked, nothing stands between the attacker and the yolk. Giving every account its own password is like giving each part of your online identity its own shell, so if someone does break into one account, they’re limited in what else they can reach.
What most attackers do when they gain access to one of your online accounts is not immediately try to empty your bank account. They’ll use your email address to identify your other accounts, hoping you’re using the same password for all of them. Slowly gathering information, they’ll then take what they can get, whether it’s personal messages, money, or your questionable spring break photos. When you only use a single password, you can never be sure what else has been stolen once one of your accounts is compromised.
So, rather than having to change all of your passwords after a breach, use a different password for each account, so you only have to change one when the day comes that you get hacked. Luckily, technology is on our side to do most of the work for us.
Tools To Create And Track All Of Your Passwords
Don’t bother trying to conjure up complex passwords you’ll end up forgetting and resetting over and over. Your brain is the most complex computer in the known universe; use it for what it’s good at, which isn’t coming up with passwords.
- KeePass (free) – My favorite password management tool. It stores all of your account usernames and passwords on your hard drive in a single encrypted database file, unlocked by one master password. You only need to remember that master password, then copy and paste passwords as you log into Facebook, email, and your bank accounts (KeePass clears the clipboard again after a few seconds by default, so a pasted password doesn’t linger). KeePass-compatible apps are also available for iOS, Android, and Blackberry, and the database file can be synced between your phone and your desktop or laptop.

I have over 100 passwords stored in my KeePass database, one for each account, each randomly generated and as complex as the given site will allow. Typically, my passwords are 16-22 characters long with numbers, symbols, and upper and lower case characters.
And I don’t know any of them except two: the one to KeePass itself and the one to my email account. All of the other places I log in regularly (Twitter, Facebook, and my blog) require me to copy and paste the password from KeePass into the site. That’s literally four mouse clicks for some peace of mind. Not only do I not have to remember much, it’s quick, and I can probably log into all of my accounts faster than you can type in even the crappiest 123password!
- LastPass is another free password manager, and easy to use. The premium version, which you’ll need for your mobile devices, costs $12 per year.
- 1Password is a sophisticated, user-friendly solution, but it comes at a price. There’s a 30-day free trial period; after that, depending on the licence you want (family, pro, single), prices start at $49.99.
Passwords Aren’t Absolute – Use The Next Step When You Can
There are a number of ways to break into an account that’s secured by a password only. An attacker may try guessing the most common passwords, breaking into the site itself, or fooling you into revealing your account details. (Like this attack last year against Tumblr.) Something you know is easy to steal, which is why many sites offer two-factor authentication: something you have combined with something you know.
Both PayPal and many HSBC banking accounts offer two-factor authentication in the form of a small code-generating token they send you for $5 or less. These small devices display a new number every 30-60 seconds, which you enter along with your password. Having the password alone isn’t enough.
Many financial institutions offer hardware tokens but typically don’t advertise them for consumer accounts. Call your bank and other money-managing service providers to see if they’ve got tokens available for account logins. That way, if your password is compromised, the attacker still won’t be able to get into your account. Unless of course you didn’t follow my advice above and are using the same password for each login.
Don’t Just Keep Tweaking The Same Password Ending
It’s important, which is why I mention it again, that you don’t come up with your own passwords. Even if you tweak the same root for each account (e.g. Kermit123!, Kermit-5566, etc.), it really doesn’t matter to a computer doing the guessing: cracking tools take a list of common roots and automatically try every variant with numbers and symbols tacked on. The most used roots are widely known and generally consist of real words, sequential numbers, and proper names.
- Chances are you’ve used one of these 250 passwords at some point.
Go random and use a unique password for each of your online accounts; otherwise you’re only fooling yourself into feeling secure.
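The following is an added example (not from the original post or from any of the password managers named above) of the two things a manager’s generator does that your head doesn’t: draw every character from the operating system’s cryptographic random source, and respect a site’s character rules without biasing the result. It also puts a number on the "root plus suffix" habit. The 250-root figure comes from the list linked above; the guess rate and the shape of the root scheme (root, up to four digits, one symbol) are assumptions for the sake of comparison.

```python
# Added example: generating passwords the way a manager does, and comparing the
# search space against a "known root + digits + symbol" scheme such as Kermit123!.
import math
import secrets
import string

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Each character is drawn uniformly with secrets (CSPRNG), never with random.choice."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_rules(password: str, allowed: str, must_contain=()) -> bool:
    """True if every character is permitted and each required class appears at least once."""
    return all(c in allowed for c in password) and all(
        any(c in cls for c in password) for cls in must_contain
    )


def generate_for_site(length: int, allowed: str, must_contain=()) -> str:
    """Honour a site's rules by retrying, not by patching characters in afterwards,
    so the accepted password is still uniformly distributed over the valid ones."""
    while True:
        candidate = generate_password(length, allowed)
        if meets_rules(candidate, allowed, must_contain):
            return candidate


def random_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password."""
    return length * math.log2(alphabet_size)


def root_scheme_entropy_bits(num_roots: int, max_digits: int = 4, num_symbols: int = 10) -> float:
    """Search space of 'root + 1..max_digits digits + one symbol' (assumed shape).
    A cracker with a rule set enumerates exactly these variants of every root."""
    digit_variants = sum(10 ** n for n in range(1, max_digits + 1))
    return math.log2(num_roots * digit_variants * num_symbols)


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try every possibility at an assumed guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    print("manager-style password:", generate_password(20))
    site_rules = dict(allowed=string.ascii_letters + string.digits,
                      must_contain=(string.ascii_uppercase, string.digits))
    print("for a letters+digits-only site:", generate_for_site(16, **site_rules))
    rand_bits = random_entropy_bits(16, len(FULL_ALPHABET))
    root_bits = root_scheme_entropy_bits(250)
    print(f"random 16 of 94 symbols : {rand_bits:5.1f} bits, {seconds_to_exhaust(rand_bits):.3g} s to exhaust")
    print(f"250 roots + digits + sym: {root_bits:5.1f} bits, {seconds_to_exhaust(root_bits):.3g} s to exhaust")
```

At an assumed billion guesses per second the root scheme is exhausted in a fraction of a second, while the random 16-character password is out of reach by a factor of roughly 2^80. The retry loop in generate_for_site matters: inserting a required digit at a fixed position after the fact would make that position predictable.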
Rules To Login By
As a reminder, these are the basic best practices you should follow.
- Use A Password Manager – KeePass or LastPass are my personal recommendations.
- Generate A Unique Password For Each Account – Both programs can generate random passwords for you. Use this feature and don’t bother trying to remember any of them, except the master password for the password program itself.
- Ask Your Banks For Tokens – If they don’t offer them, suggest that they do.
- Don’t Send Your Passwords Over Email – It’s like writing your personal secrets on a postcard. If you do have to send a password, use Skype (chat or voice) instead; the connection is encrypted in transit, which is more than email gives you, though you are still trusting the service in the middle.
- Any Password You Came Up With In Your Head – …isn’t a good password. Magicians have known for a long time that we all tend to pick the same “random” numbers.
You Know What To Do So Do It Now!
A dedicated 15 minutes should be about what you need to download one of the password managers above, generate passwords for each of your accounts, and then go online and change each one. A quarter of an hour is a small price to pay compared to the effort it takes to recover from a hacked email, bank, and Facebook account. Oh, and Twitter. Because you used practically the same password for that too.
Finally, keep in mind that every one of your online accounts is worth a unique, randomly generated password. That off-the-cuff password you picked for your unused Pinterest account can reveal a lot about you. The first step, for a hacker, is the hardest; after that it depends on you.
Photo by: ericnvntr
Good recommendations, Anil. I use LastPass but don’t have a premium account for mobile. Since I frequently use other browsers and computers, I don’t use the randomized password feature but instead create site-specific passwords based on a non-word root.
Thanks Fred, an especially good reason to use individual passwords and good password practices when using computers that aren’t under your control.
I have been watching the debate concerning password managers. I know the idea is nice because it makes it easier to manage 30 different passwords. Ultimately the fact is strong passwords do not replace the need for other effective security controls. These companies need to add additional layers of authentication for access and transaction verification without unreasonable complexity, and this will help their customers by implementing some form of 2FA where you can telesign into your account and have the security of knowing you are protected if your password were to be stolen. This should be a prerequisite to any system that wants to promote itself as being secure. With this, if they were to try to use the “stolen” password and don’t have your phone nor are on the computer, smartphone or tablet you have designated trusted, they would not be able to enter the account. This is one of the biggest problems with internet security: people are still encouraged to rely on their password as if it were all that is needed.
True, but you’ve got to work within the framework you have or avoid sites that use passwords only – which is most of the authenticating sites out there. In my experience, it’s generally regulation that pushes (rather, forces) companies to implement stronger measures and why you see so many more business accounts with hardware tokens and so on. It’s got to come from the top down, ideally with security experts helping to craft sensible requirements in various countries. I’m afraid though we’re a long way from that on the consumer side of things.