Thoughts on passwords

Recently, a client’s Gmail and Dropbox accounts were compromised and left in a mess. We’re not yet sure exactly how it happened, but the break-in came down to some carelessness on their end. Here I want to set out some approaches we can all keep in mind to avoid the hassle a security breach causes.

Back in 2012 I put up a post that still holds relevance. Largely it lists the salient points from a Wired article by tech journalist Mat Honan, who was hacked. We all aim for a system that is safe and yet convenient, and there are two ways it can fail:

  - “Catastrophic failure”: you are hacked and your digital life becomes a mess to clear up.
  - “Annoying everyday failure”: the inconvenience of continually forgetting passwords.

Top four priorities as I see them

  1. Use passwords
    - Always use PINs and passwords on computers & phones.
    - Strong passwords have: 12+ characters, upper and lowercase letters, numbers and symbols.
    - For critical passwords use really strong passwords. By really strong I mean that you should try to reach 100% on a site like this, or 1 trillion+ years on a site like this. Apply this to email accounts, bank accounts, web domain registrars, web hosting and anything else that would have a large business impact if it were compromised.
    - For other (non-business-critical) accounts, it is practical to use less complex and less unique passwords.
  2. Use a unique password for each email account
    - The point here is that if we reuse the same password on another site and that site gets hacked, the attackers will often have our email address AND password.
    - Once they can log in to our email, they can reset many of our other accounts via “forgot password” links.
  3. Use 2-step authentication where possible
    - Banks have been doing this for years.
    - In addition to a password, we enter a one-time code generated by a device or app we hold.
    - Google, Twitter, Dropbox and others now offer this.
  4. Have a strategy
    - If you are a business, you probably have to share passwords for online services that you use.
    - Create a few levels of secure passwords to help balance secure and easy.
    - Services like Clipperz, passwords.google.com and 1Password can be helpful.
    - This security checklist has some good practical considerations and solutions.
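To make the “12+ characters, mixed classes” rule in item 1 concrete, here is an added example (my own illustration, not code from the original post or from any of the services it names) that checks a password against that policy and estimates how long a brute-force search would take. The guess rate of ten billion per second and the assumption that an attacker tries the whole printable-ASCII pool are constructed figures for illustration; real crackers use dictionaries first, so treat the estimate as an upper bound.

```python
import math
import string

# Character classes and the size of the pool an attacker must cover once
# they know a class is present (assumption: printable ASCII only).
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),  # 32 symbols
}

REQUIRED_CLASSES = {"lower", "upper", "digit", "symbol"}


def classes_present(password):
    """Return the set of character-class names that appear in the password."""
    return {
        name
        for name, (chars, _) in CLASSES.items()
        if any(c in chars for c in password)
    }


def meets_policy(password, min_length=12):
    """The post's rule: at least 12 characters and all four character classes."""
    return len(password) >= min_length and REQUIRED_CLASSES <= classes_present(password)


def entropy_bits(password):
    """Brute-force entropy upper bound: log2(pool ** length), where the pool is
    the sum of the class sizes present. A dictionary word scores far lower in
    practice, which is why the post asks for length *and* mixed classes."""
    present = classes_present(password)
    pool = sum(size for name, (_, size) in CLASSES.items() if name in present)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def years_to_crack(bits, guesses_per_second=1e10):
    """Expected years to find the password at the given guess rate
    (constructed rate; on average half the keyspace is searched)."""
    seconds = (2.0 ** bits) / 2.0 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def report(password):
    """Human-readable summary used when running the block directly."""
    bits = entropy_bits(password)
    return (
        f"{'OK ' if meets_policy(password) else 'BAD'} "
        f"{len(password):2d} chars, {bits:5.1f} bits, "
        f"~{years_to_crack(bits):.2e} years at 1e10 guesses/s"
    )


if __name__ == "__main__":
    # Constructed sample passwords, weakest to strongest.
    for pw in ["password", "abcdefghijkl", "Tr0ub4dor&3!x", "correct-Horse7Battery!staple"]:
        print(report(pw))
```

Running it shows the jump from a lowercase-only 12-character string (about 56 bits, hours at the assumed rate) to a 13-character mixed-class one (about 85 bits, thousands of years), and the 28-character passphrase at the end is where the “trillion years” figures in the post come from.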

Using passwords will always be a balance between security and convenience. Much like the physical security on your home or office, more locks and alarms do mean more keys and more false alarms.