My last post Scan, Encrypt, Store, Delete, Shred: Going Paperless! was about physically securing sensitive data in my home. The other half of a security plan is securing your online accounts. I am not an expert on security. My strategy is to be more secure than the vast majority of people on the Internet and do it in a way that is sustainable. We all know the problem. We either use easy-to-remember passwords or we reuse passwords across different sites or we become a ball of stress trying to recall which password we used with which site. Then we save passwords in our email folder and hope that it doesn’t get compromised.
Technology is always changing. What might have been considered a secure password a few years ago is now trivially easy to hack. In a few years, there may be new guidelines on passwords, but right now longer is better. And every password should be unique. Sites are being hacked all the time. When a site is hacked, the usernames and passwords are tested against other sites. You don’t want your health insurance password to be the same as your Amazon password and vice versa.
I used to have a “tough” password for important sites and an “easy” password for sites I didn’t care about. In retrospect that was a dumb approach. Compromise one of the important sites and the hackers could access all the other important sites. And my “tough” password was only 8 characters long with numbers and symbols, but because it wasn’t in the dictionary I felt comfortable with it. Processors are much faster now. That “tough” password is now trivially easy to break.
Photo by Nathan Meijer
#1 Get a Password Manager
Passwords that are tough to crack are impossible to remember. They are also hard to type correctly. Password Managers not only help remember the passwords you use for different sites, but they are able to generate very secure passwords on your behalf. A good password manager will also be able to run a security analysis on your passwords to alert you when you are reusing a password or when a password isn’t secure enough.
There are several Password Managers. This CNET article covers a few. Which one you pick will depend upon your needs and devices. I’m not going to tell you which is best. Again I am not a security expert. I will say that whichever one you use is a step up from reusing short passwords.
#2 Create a Passphrase
The password you use to secure your password manager should be long, memorable, and impossible for anyone else to guess. Mine is almost 30 characters long. An idea for creating a long passphrase is to use fictional characters, animals, numbers and string them together in a Mad Libs type sentence that is too silly to forget.
That passphrase is 31 characters long, memorable, and impossible to guess. You should be able to create something equally secure that you will not forget.
#3 Setup 2-Factor Authentication on Email
You can secure every password, but if someone hacks your email, they can start requesting lost passwords. Get 2-factor authentication. Read Two-factor authentication: What you need to know (FAQ) for a primer on the topic.
#4 Change ALL Your Passwords
You can’t assume that some hacker doesn’t already have one of your passwords already. Change them all. It will take time. Start with the sites that are most important to you. Use the Password Manager to generate the password. Here is an example of a 20 character password generated by my password manager.
Thankfully I don’t need to remember that or type it in by hand because that task is now handled by the password manager.
If during this process you decide to close old accounts, still change the password first. You don’t want your old insecure password sitting on a database table* forgotten.
#5 Delete Old Emails
Even though you’ve changed your passwords, it is still a good idea to delete any old emails announcing you’ve created an account. Some have links to reset passwords in them. Delete them all and then empty the trash.
#6 Run a Security Test
A good password manager will have a security test. Run it until you pass. Once you pass, add a recurring event to your schedule to retest your security every so often. I retest my security every 4 months.
More Secure, But Not Perfect
If you follow the above steps, you will be far more secure than the average person on the Internet. If one of your sites is compromised, the damage is contained. Some argue that the Password Manager becomes the weak point in security. Break that password and you have all the passwords. This is true. To minimize that risk, make sure your passphrase is secure (#2) and that you monitor developments in security from time to time.
The article “Severe” password manager attacks steal digital keys and data en masse talks about how some password managers were recently exploited. Most of the password managers were fixed. Despite those risks the article still advises:
On the whole, readers are likely better off using a password manager than they are using the same password for multiple sites. For that reason, Ars still recommends that people use a password manager. However, readers should remember that password managers represent a single point of failure that could lead to the complete compromise of virtually every website account they have. It’s not possible to know which managers are safer than others without a trusted third-party conducting a detailed assessment on each one. That said, well-known managers that have been available for years are probably more trustworthy than a newer one that was recently introduced into the market.
I put (2014) in the title of this post because I expect security strategies will change at some point.
* When you create an account on a site, they are supposed to store your password in a secure manner. Meaning it should be encrypted on their database and not stored as plain text. That way if they are hacked and the hackers have a copy of the database, they won’t be able to make use of the passwords. Unfortunately, not every site uses best practices. OKCupid was storing 42 million user passwords in plain text. This is a big reason why every password should be unique. I wonder how many of the OKCupid customers used the same password and email to access their online banking?
UPDATE 2017: Check out this Password Strength Tool to get a feel for how secure your password might be.