It seems that every day I add a new password to my list. Maybe I found a new site online to purchase things from and had to create a new account, or maybe I had to create an account to read a news article, or even to get a coupon. Whatever the reason, I now have over one hundred and fifty logins that I need to remember. Even if my brain worked as well as it did thirty years ago I would have a hard time with this, so let's look at what we can do to manage this situation.
Picking a password
The first problem we have is that we should never use the same password at two different places. Sure, it makes our lives easier if we only have to remember one password, but it also makes the lives of the criminals out to steal our information easier. Since I don’t want my information stolen I need a different password for each use, currently over one hundred fifty of them.
In a perfect world each password would be a randomly generated series of upper and lower case letters, numbers and symbols. Each password would have nothing in common with any other and nothing to do with me. This certainly works well in securing our accounts and is exactly what we should do.
To make this possible one should have a password program that can not only generate these very secure passwords and store them, but also make it easy to copy and paste the passwords into websites as we need them. Since these passwords are random and complex, remembering them and typing them in can be a chore. Fortunately software can make this quite easy, and we will be discussing software solutions shortly.
Another method, which is slightly less secure but substantially easier to use, is to pick a single complex password and alter it depending on the website you are visiting. For example you could have a password of “u5*wHH!30@?”, which is a pretty secure password, and then alter it for the website you are visiting. Let's take Amazon.com for example and use the first and last letter of the website name, combined with our complex password, to get “ANu5*wHH!30@?”. For eBay this would be “EYu5*wHH!30@?”, and so on.
This makes it very easy to remember your password for any website and you could even make it more complex by putting something else such as the last two digits of the year on the other end. There are tons of possible variations and this is just a sample of what you could do.
This method can be defeated as well, because if a hacker gets into one system it is possible that they could catch on to what you are doing. While possible, this is very unlikely, as they would have to have access to more than one of your passwords to see the pattern, and given that the majority of data breaches tend to result in millions of passwords being revealed, it is not likely that anyone will ever go after your password in particular.
If you do decide to use this method, do not use the full name of the website, as that will be a dead giveaway of what you are doing. For example, “amazonu5*wHH!30@?” will be obvious, whereas using the first and last letter is not so much. You could also use the last two letters, the first two and the last one, etc.
I personally prefer this method as it allows me to remember the password and log into most of my accounts without having to open my password manager software.
To change or not to change
It has been a common practice to have users change their passwords every so often. This unfortunately is a really bad idea. Changing passwords frequently results in people changing their passwords either incrementally such as adding a date to the end or incrementing a number on the end, or it causes them to use easy passwords.
There is no doubt that if you think your password has been guessed or hacked then you should immediately change it. You should not however simply change it for the sake of change. There is no evidence that your new password will be any more secure than your last just because it is new. It is also more likely that you will be forced to use some kind of assistance to remember your password or use the forgotten password feature to reset it over and over again.
If your password has been compromised you should also use a new password that in no way resembles the old. In other words, do not just put a “1” on the end of the password and call it done. This is begging for your account to be compromised again as hackers will often try variations of the old password on the account after a password change to attempt to gain access.
Two factor authentication
Two factor authentication means that it takes two things to gain access to your account. This could be that the website asks you for a password and then sends your cellphone a text message with a code in it that you have to put in after your standard password. This is designed to ensure that not only do you have to know the password but also have physical access to the phone on record in order to gain access to the account.
As a general rule two factor is far more secure than standard access control. If it is not too inconvenient for you and it is offered, I would suggest you use it. There is no real downside other than if you lose your phone and need to log in.
This brings me to the fact that two factor can be, and has been, bypassed. One story I have heard is that someone called the person’s cell phone provider and used social engineering (lies, bluffs, etc.) to get the cellphone company to move the phone number to a different SIM card, which was installed in a different phone. The hackers then used the same techniques to change the password on the person’s email account, using the phone as proof of who they were. They then used the forgot password feature of the website, which sent a new password to the compromised email address and the two factor code to the phone on record, giving the hackers complete access.
The odds are this will never happen to you unless you are famous, infamous or very rich. Still, you need to know so you do not think two factor makes you impervious to hackers.
Password management software
There are a lot of different pieces of software that can help you with your passwords. These exist for devices such as your phone or tablet and for computers. Some have password generators built in, some can paste login information directly into forms for you, some allow you to share login information with your family or business associates. Picking the right software for you is largely a matter of what features and platforms (such as iOS and Android, Windows and MacOS) you want to run on.
I use 1Password from www.1password.com. This application runs on all my iOS devices with just one purchase, has a reader for my Android devices, and has a version for my Windows computer (they have one for MacOS as well, I just don’t use my Mac so much that I would need it there). The password vault (the file that contains the passwords) is an encrypted file that can be stored on a cloud service such as Dropbox (Dropbox support is built in).
Other programs do things like store the password vault on their own servers or provide a web interface instead of keeping everything local. I prefer the local vault approach, as I can make several backups of my vault easily and can look up passwords even when I may not have internet access (local lookups are supported, and the local file syncs with the cloud when you are online).
1Password also provides me a graphical view showing the strength of my passwords, so I know at a glance which ones I need to change and make stronger.
You may be asking why, if you use the method we discussed of incorporating part of the website name into a single password, you would need a password manager at all. That is a great question, and it has several answers.
Some of the websites I visit require an email address as the login name, and some want a username that cannot contain symbols, so an email address will not work. I also tend to use multiple email addresses depending on how much I think the site will spam me. Very few sites get my primary personal email address, and consequently I get very little spam.
Some websites restrict the use of symbols in the password while others require their use. This means that the complex password “u5*wHH!30@?” that we use as a base for all our passwords will not work in some cases because of the symbols, and so we need a second base password for those sites. This is made more difficult still by some sites requiring passwords of more than ten characters while others have a maximum length of ten characters.
This all amounts to the fact that, no matter how hard we try, one base password with one username will never be enough. The methods we discussed may make remembering things easier, but they will never be one size fits all. Since we do not want to keep passwords written on an index card taped to the bottom of our keyboard (you would be amazed how many people actually do that), we need something that can help us: password management software.
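To show what the "randomly generated series of letters, numbers and symbols" advice above looks like in practice, and how the site restrictions just described (no symbols, required symbols, a maximum length) get in the way, here is an added example of a small policy-aware generator and checker. It is illustration written for this page, not code from 1Password or any other product; the policy flags, the symbol set and the function names are my own assumptions.

```python
import secrets
import string

# Character classes a site policy may require or forbid (symbol set is an assumption).
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*?-_"


def generate_password(length=16, allow_symbols=True, require_symbols=False):
    """Build a random password with the secrets module (a CSPRNG, not random.random).

    The policy flags model the site restrictions described in the post: some sites
    forbid symbols, some require them, and some cap the length. A 16-character
    password from the 73-character full alphabet carries roughly 99 bits of entropy.
    """
    if require_symbols and not allow_symbols:
        raise ValueError("cannot require symbols that the site forbids")
    required = [LOWER, UPPER, DIGITS] + ([SYMBOLS] if require_symbols else [])
    if length < len(required):
        raise ValueError("length too short to include every required class")
    alphabet = LOWER + UPPER + DIGITS + (SYMBOLS if allow_symbols else "")
    # Guarantee at least one character from each required class, then fill the rest.
    chars = [secrets.choice(cls) for cls in required]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle so the guaranteed characters are not always at the front.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def satisfies_policy(password, max_length=None, allow_symbols=True, require_symbols=False):
    """Check an existing password (for example a reused base password) against a site policy."""
    if max_length is not None and len(password) > max_length:
        return False
    has_symbol = any(not c.isalnum() for c in password)
    if not allow_symbols and has_symbol:
        return False
    if require_symbols and not has_symbol:
        return False
    return True


if __name__ == "__main__":
    # The post's base password is 11 characters and full of symbols, so it fails
    # both a "no symbols" site and a "ten characters maximum" site.
    base = "u5*wHH!30@?"
    print(base, "no-symbol site:", satisfies_policy(base, allow_symbols=False))
    print(base, "max-10 site:", satisfies_policy(base, max_length=10))
    print("generated for a no-symbol site:", generate_password(12, allow_symbols=False))
```

Because every generated password is different, the only sane place to keep them is a manager, which is the point of the section above.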
Some websites have decided that in addition to passwords they want you to answer some security questions. The problem here is that there is not always a suitable question and the answers can be rather private, and frankly, none of their business.
The solution to this is to lie. Yes, my mother told me not to do that too, but in this case I am sure she will understand. Lie through your teeth.
The first question I get here is why not tell the truth? Because if someone does a little research on the internet they can find out things like the street you grew up on, your favorite actor, your favorite color, your mother’s maiden name, etc. If you tell the truth, then all someone has to do is a little research and you are compromised. If you lie, however, they cannot look up the answer.
So how do you remember the lies you told? Your mother was right about this: if you tell a lie, eventually you will forget what you said and it will come back to bite you. Fortunately mother never thought I would put those lies in the notes section of my password manager! This makes it easy to look up the answer when you need it for those pesky questions.
This brings me to my last point. If your intent is to be secure on the internet, never answer a question truthfully unless you have a very good reason to do so. I tend to give my real birthday to certain places that give me a treat or discount on my birthday and lie to everyone else. This makes it much more difficult for someone to hack multiple accounts because they have no idea what information I put in where. Many of my accounts have the wrong city, state, phone, age, birthday, sex and more. I want it to be as difficult for hackers as possible.
Don’t get me wrong, putting in incorrect information will not guarantee your security online, but it is one more digital brick in the firewall protecting you and yours from the hackers. Every brick helps!