After a friend emailed me today saying her PayPal account was hacked to launder money, I finally decided to write down my recommendations for password security. This is a very important topic, and luckily one that can be addressed in three relatively easy steps.
My friend recalled that I had mentioned 1Password when a similar thing had happened to her in the past, and I still highly recommend 1Password, but it is only the third and final step in locking down your online identity.
The first step is to realize that in order to be more secure – ironically, you can never be too secure or completely secure – you must have a different strong password for each account/website/service that you use. That is absolutely vital, because if you only have one (or even a couple of) passwords that you reuse, then when (not if) someone somehow gets that password, you’ve just given away the key to the city. As time goes on, this will become an ever-increasing problem online and in general – so the earlier you switch to different passwords for different accounts, the better.
Having a different password for each account can obviously become an evil game of Memory quite quickly, so the second step is to come up with a simple system to generate and then recall your passwords. The ideal system consists of a baseword and a few rules to modify that baseword for any given account. So if your baseword is the Japanese word “masago” – foreign words written with Latin letters increase your security – you can develop rules to modify that word when you need a password for your Google account for example. There are lots of potential rules – see this excellent Lifehacker article with a few good rule examples in it – but the idea is to end up with a rule system that has the following qualities:
- You can easily generate the password in your head (without any computers, pens, or paper)
- Baseword is at least 6 characters
- The resulting passwords are at least 8 characters
- The resulting passwords contain letters and numbers
- You have a rule when sites require passwords with non-alphanumeric characters (spaces, symbols, etc.)
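To make the baseword-and-rules idea concrete, here is an added example (not from the original post) that applies one assumed rule set to the post's baseword “masago” and then checks the result against the five qualities listed above. The specific rules, the `derive`/`check` function names and the site names are my assumptions for illustration.

```python
import re

BASEWORD = "masago"  # the post's own example baseword


def derive(baseword: str, site: str, needs_symbol: bool = False) -> str:
    """Apply a small, memorable rule set to the baseword for one site.

    Assumed rules (not the post's):
      1. Prefix: first letter of the site name capitalised + its last letter.
      2. Suffix: the number of letters in the site name.
      3. If the site demands a non-alphanumeric character, append "!".
    """
    site = site.lower()
    prefix = site[0].upper() + site[-1]
    suffix = str(len(site))
    password = prefix + baseword + suffix
    if needs_symbol:
        password += "!"
    return password


def check(baseword: str, password: str, needs_symbol: bool = False) -> list:
    """Return the list of listed qualities the password fails (empty = all met)."""
    problems = []
    if len(baseword) < 6:
        problems.append("baseword shorter than 6 characters")
    if len(password) < 8:
        problems.append("password shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("password lacks letters and/or numbers")
    if needs_symbol and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("site requires a symbol but password has none")
    return problems


def all_distinct(baseword: str, sites: list) -> bool:
    """Step one's requirement: the rule set must yield a different password per site."""
    passwords = [derive(baseword, s) for s in sites]
    return len(set(passwords)) == len(passwords)


if __name__ == "__main__":
    for site, sym in [("google", False), ("paypal", True)]:
        pw = derive(BASEWORD, site, sym)
        print(site, pw, check(BASEWORD, pw, sym) or "ok")
```

Note that the bare baseword on its own fails two of the qualities (it is only six characters and has no digits), which is exactly why the rules exist.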
1Password is the third step, because it essentially creates a very very secure database for all of your different passwords (and their respective accounts). Once installed on your Mac (or PC), 1Password can automatically fill in login forms for you, as well as ask you to remember new passwords. There is a whole lot more to 1Password (it can securely store your credit card information for autofilling, secure notes, etc.), but mainly it just makes it much easier to not have to remember all of your passwords. There are even iPhone & Android apps which work great too.
1Password’s name comes from the fact that access to your encrypted 1Password database is secured by a single password. This single password shouldn’t follow your rules above, because it needs to be much more secure (it’s literally the key to the city). That’s why I use and recommend a passphrase for 1Password access, such as a short poetic verse, lyric, quote, etc., including capitalization and punctuation – Weezer’s “I’ll bring home the turkey if you bring home the bacon” is a great example (if only for its obscurity).
So there you have it – three steps to a significantly more secure online identity. I recommend them to everyone I can because data breaches can be horrific in terms of the depth, breadth, and duration of consequences, and they are an unfortunate reality of technology today. It is also important to remember that no password system, rule, or application will keep you totally safe, but learning more about online threats and staying careful online will go a long way to improving your security.
Finally, I want to mention that I did not come up with these three steps on my own, but rather they are the result of countless articles about online security and passwords (the venerable Lifehacker has covered these subjects extensively). I have benefited greatly from their wisdom, and I hope that all of you do too.