No security is absolute and there isn’t a single password perfect enough to protect you from every type of hack that exists now or will in the future.
Unfortunately there’s no mystical password out there in the ether that can secure all of your online accounts forever. One great password isn’t nearly enough. You need a layered password strategy that requires a unique login for each of your online accounts. But the same technology that forces you to have multiple passwords – giving you a headache – can actually relieve you of having to do any additional brainwork at all.
Security Is A Strategy, Not A Solution
We tend to treat security like an egg: a hard shell around the exterior, but once it’s cracked, nothing stops you from getting to the yolk. Having multiple passwords is like adding shell after shell around your online world and identity, so if someone does hack one account, they’re limited in what they can access.
What most hackers do when they gain access to one of your online accounts is not immediately try to empty out your bank account. They’ll use your email address to identify other accounts, hoping you’re using a single password for all of them. (More than 50% of you are.) Slowly gathering information, they’ll then take what they can get, whether it’s personal messages, money, or your questionable spring break photos. When you’re only using a single password, you can never be sure what’s been stolen if one of your accounts is compromised.
So, rather than having to change all of your passwords, set up multiple passwords so you only have to change one when the day comes you get hacked. Luckily, technology is on our side to do most of the work for us.
Tools To Create And Track All Of Your Passwords
Don’t bother trying to conjure up complex passwords you’ll end up forgetting and resetting over and over. Your brain is the most complex computer in the known universe; use it for what it’s good at, which isn’t coming up with passwords.
- KeePass (free) – My favorite password management tool, it lets you store all of your account usernames and passwords on your hard drive in an encrypted database. You only need to remember the single KeePass password, then just copy and paste passwords as you log into Facebook, email, and your bank accounts. KeePass is also available on iOS, Android, and Blackberry as a mobile app, which you can sync with your desktop or laptop.
I have over 100 passwords stored on my KeePass, one for each account that’s randomly generated as complex as a given site will allow. Typically, my passwords are 16-40 characters long with numbers, symbols, upper and lower case characters.
And I don’t know any of them except one: to KeePass itself. All of the other places I log in regularly: Twitter, Facebook, and my blog require me to copy and paste the password from KeePass into the site. That’s literally 4 mouse clicks for some peace of mind. Not only do I not have to remember much, it’s quick – and I can probably log into all of my accounts faster than you can type in even the crappiest 123password!
- Lastpass – Another free password manager that’s easy to use. The premium version, which you’ll need for your mobile devices, costs $12 per year.
- 1Password – A sophisticated user-friendly solution, but it comes at a price. There’s a 30-day free trial period, after that, depending on the license you want (family, pro, single), prices start at $49.99.
Thieves Aren’t The End Of Your Worries
You leave a lot of your personal rights at international borders when crossing into a new country, even one you might presume legally protects your privacy. It’s important to understand your digital rights as a traveler in the free world and take these steps to protect your laptop from invasive governments. Since you may be forced (often legally) to give up the passwords to your electronics, free software like TrueCrypt’s hidden volumes can hide sensitive password files in order to keep your online accounts safe from the NSA and other spy agencies.
Passwords Aren’t Absolute – Use The Next Step When You Can
There are a number of ways to hack an account that’s secured by a password only. A hacker may try guessing the most common passwords, breaking into the site itself, or fooling you into revealing some of your account information (like this particular attack against Tumblr). It’s easy to steal what someone knows – which is why many sites take advantage of two-factor authentication: something you have combined with something you know.
Both Paypal and many HSBC banking accounts have the option of two-factor authentication, in the form of a small password-generating token they send to you for $5 or less. These small devices display a new number every 30-60 seconds, which you need to enter along with your password. Just having the password isn’t enough.
Many financial institutions offer hardware tokens but typically don’t advertise them for consumer accounts. Call your bank and other money-managing service providers to see if they’ve got tokens available for account logins. That way, if your password is compromised, the attacker won’t be able to get into your account. Unless of course you didn’t follow my advice above and are using the same password for each login.
Don’t Just Keep Tweaking The Same Password Ending
It’s important, which is why I mention it again, that you don’t come up with your own passwords. Even if you tweak the same password root for each account (e.g. Kermit123!, Kermit-5566, etc.), it really doesn’t matter at all to a computer doing the guessing. The most used password roots are widely known and generally consist of real words, sequential numbers, and proper names.
- Chances are you’ve used one of these 250 passwords at some point.
Go random and use a unique password for each of your online accounts, otherwise you’re only fooling yourself into feeling secure.
Rules To Login By
As a reminder, these are the basic best practices you should follow.
- Use A Password Manager – KeePass or LastPass (both mentioned above) are my personal recommendations.
- Generate A Unique Password For Each Account – Both programs can create randomly generated passwords for you. Use this feature and don’t bother trying to remember any of them, except the password for the password program itself.
- Ask Your Banks For Tokens – If they don’t offer them, suggest that they do.
- Don’t Send Your Passwords Over Email – It’s like writing your personal secrets on a postcard. If you do have to send a password, break it up over two mediums.
- Any Password You Came Up With In Your Head – …isn’t a good password. Magicians have known for a long time, we all tend to pick the same random numbers.
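The password generation the tools section and the rules above describe, as an added example rather than code from KeePass, LastPass or this post: each password is drawn uniformly from a site’s allowed character set with a cryptographic random source, can be forced to contain every class a site requires, and its strength is reported in bits so you can see why 16 random characters beat any hand-made root. The character classes are constructed for the example; adjust them to what a given site accepts.

```python
import math
import secrets
import string

# Character classes a site's password policy may allow or require
# (constructed for this example; adjust to what the site accepts).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?",
}
ALL = ("lower", "upper", "digit", "symbol")


def alphabet_for(classes=ALL) -> str:
    return "".join(CLASSES[c] for c in classes)


def generate_password(length: int, classes=ALL, required=None) -> str:
    """Uniform random password from the CSPRNG (`secrets`). `required` lists
    classes that must each appear at least once (many sites insist on it);
    rejection sampling keeps the draw uniform over passwords that satisfy it."""
    required = tuple(classes if required is None else required)
    if any(c not in classes for c in required):
        raise ValueError("required class not in allowed classes")
    if length < max(len(required), 1):
        raise ValueError("length too short for the required classes")
    alphabet = alphabet_for(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in pw) for c in required):
            return pw


def entropy_bits(length: int, classes=ALL) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet_for(classes)))


def meets_policy(pw: str, min_length: int, classes=ALL, required=None) -> bool:
    required = tuple(classes if required is None else required)
    alphabet = alphabet_for(classes)
    return (len(pw) >= min_length and all(ch in alphabet for ch in pw)
            and all(any(ch in CLASSES[c] for ch in pw) for c in required))


def passwords_for(accounts, length: int = 16, classes=ALL) -> dict:
    """One independent random password per account, as a manager does, so a
    breach of one site reveals nothing about the others."""
    return {name: generate_password(length, classes) for name in accounts}
```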
You Know What To Do So Do It Now!
A dedicated 15 minutes should be about what you need to download one of the password managers above, generate passwords for each of your accounts, and then go online and change each one. A quarter of an hour is a small amount of time to pay compared to the effort it takes to recover from a hacked email, bank, and Facebook account. Oh and Twitter. Because you used practically the same password for that too.
Finally, keep in mind that every one of your online accounts is worth a unique and randomly generated password. That off-the-cuff password you selected for your unused Pinterest account can reveal a lot about you. The first step, for a hacker, is the hardest; after that it depends on you.
This is the updated and refreshed version of a guest post I originally wrote for Travelllll.com, which closed its digital doors last year.
Wow! I never really thought about a lot of this…especially having to give up my passwords at a border. What an informative post!
It happens much more commonly than people think and happy to hear you found this post useful!
I am in desperate need of using a password manager, but my main concern is, what happens if that gets hacked? Then you have lost everything.
Not sure about the others, but Lastpass offers 2-factor authentication – they can either send you a yubi-key (sounds similar to the Tokens that Anil mentions), or you can print off a random alpha-numeric grid that you change every 100 log-ins or so – every time you log in to Lastpass, you have to enter a string of numbers or letters from the random grid that only you have. So, even if someone figured out your password, they’d be s.o.l. since they wouldn’t have your grid (or Yubi-key if you had that).
That is a good option SuperGirl mentions.
Ultimately, the protection of your passwords rests on where the password database file is stored. If that’s locally on your laptop/tablet/phone, you’ll want to remote delete it in case of theft:
http://foxnomad.com/2012/01/31/4-ways-to-track-and-recover-your-stuff-if-it-gets-stolen-when-traveling/
Generally speaking though, as long as those files are stored locally, they’re much less vulnerable to attack whereas your online accounts are always Internet-facing. There is always a tradeoff in security and being able to have individual, randomly-generated passwords for all of your accounts moves your point of failure to a much more secure position.
I’ve started to use the built-in feature that the Mac OS has, keychain. Seems to do the trick rather well on multiple devices. I did use 1password before, but I’m trying to use as many built-in OS features on my Mac as possible to save storage on my Mac Air’s small Flash Drive (always a problem).
Thank you for the tip about having a Paypal security key, I had no idea they had these and just ordered one now, cheers for the tip
I’m happy to hear it; too bad Paypal doesn’t do a better job of advertising the tokens they offer.
Interesting information and very comprehensive. Thanks for sharing!
This is a great reminder for me to update many of my passwords today! And to store them effectively.
It will save you a lot of potential time and trouble in the future!