Thoughts on passwords
Recently, a mess was made in a client’s Gmail and Dropbox accounts. We’re not sure yet exactly how this happened, but they were hacked due to some carelessness on their end. Here I want to set out some approaches we can all keep in mind to avoid the hassle a security breach can cause.
Back in 2012 I put up a post that still holds relevance. Largely it lists the salient points from a Wired article by tech journalist Mat Honan, who was hacked. We all aim to have a system that is safe and yet convenient, and the outcomes of a failure are:
- “Catastrophic failure”: you are hacked and your digital life becomes a mess to clear up.
- “Annoying everyday failure”: the inconvenience of continually forgetting passwords.
Top four priorities as I see them
- Use passwords
  - Always use PINs and passwords on computers & phones.
  - Strong passwords have: 12+ characters, upper & lowercase, numbers and symbols.
  - For critical passwords use really strong passwords. By really strong I mean that you should try to reach 100% on a site like this, or +1 trillion years on a site like this. This should be the case for email accounts, bank accounts, web domain registrars, web hosting and anything else that would have a large business impact if it was compromised.
  - For other (non-business-critical) accounts, it is practical to use less complex and less unique passwords.
- Use a unique password for each email account
  - The point here is that if we use the same password on another site and that site gets hacked, the attackers will often have our email address AND password.
  - Once they can log in to our email, they will be able to reset many of our other accounts.
- Use 2-step authentication where possible
  - Banks have been doing this for years.
  - In addition to a password, we enter a randomly generated number.
  - Google, Twitter, Dropbox and others now offer this.
- Have a strategy
  - If you are a business, you probably have to share passwords for online services that you use.
  - Create a few levels of secure passwords to help balance security and ease of use.
  - Services like Clipperz, passwords.google.com and 1Password can be helpful.
  - This security checklist has some good practical considerations and solutions.
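To make the "strong password" rules above concrete, here is an added example (not code from the original post) that checks a password against those rules, estimates its brute-force search space, and generates a compliant password with the operating system's CSPRNG. The attacker speed of ten billion guesses per second is an assumed figure for the "years to crack" estimate, and the entropy calculation is a brute-force upper bound that ignores dictionary words and patterns, which is why a passphrase built from common words scores higher here than a real cracker would rate it.

```python
import math
import secrets
import string

# Policy from the post: 12+ characters, upper & lowercase, a digit and a symbol.
MIN_LENGTH = 12
SYMBOLS = string.punctuation

# Assumed attacker speed (constructed figure, not from the post): 1e10 guesses/second,
# in the range of an offline GPU attack against a fast, unsalted hash.
GUESSES_PER_SECOND = 1e10


def meets_policy(password: str) -> bool:
    """True if the password satisfies the post's strong-password rules."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in SYMBOLS for c in password)
    )


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, inferred from the classes present."""
    known = string.ascii_letters + string.digits + SYMBOLS
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    if any(c not in known for c in password):
        size += 100  # rough allowance for non-ASCII characters (assumption)
    return size


def entropy_bits(password: str) -> float:
    """Brute-force upper bound: log2(charset ** length). Ignores dictionary structure."""
    size = charset_size(password)
    if not password or size == 0:
        return 0.0
    return len(password) * math.log2(size)


def years_to_crack(password: str, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find the password by exhaustive search (average case: half the space)."""
    seconds = 2 ** entropy_bits(password) / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate_password(length: int = 16) -> str:
    """Generate a random password that satisfies the policy, using the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("password", "Correct-Horse7", generate_password(16)):
        print(f"{pw!r}: policy={meets_policy(pw)}, bits={entropy_bits(pw):.1f}, "
              f"years={years_to_crack(pw):.3g}")
```

The estimate is only meaningful for a password that has genuinely been chosen at random, which is the point of the generator: a human-chosen string that happens to tick all four character classes can still be one of the first things a cracker tries.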
Using passwords will always strike a balance between security and convenience. Much the same as the physical security on your home or office, more locks and alarms do mean more keys and more false alarms.
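As an added illustration of the second step in "2-step authentication" above (the randomly generated number entered in addition to a password), here is example code that is not from the original post or from any of the services it names: a small server-side store that issues a one-time code and later verifies it. The six-digit length, five-minute lifetime, five-attempt limit and the server key are all assumed values. The store keeps only a keyed hash of each code, compares in constant time, makes each code single-use, and discards a code once it expires or the attempt budget is spent, so that the second factor cannot simply be guessed.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters (not from the post): 6-digit codes, valid 5 minutes, 5 attempts each.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


class OneTimeCodeStore:
    """Server-side record of issued one-time codes.

    Only an HMAC of each code is stored, so a leaked table does not reveal live codes.
    The clock is injectable so expiry can be tested deterministically.
    """

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key          # per-deployment secret (constructed here)
        self._clock = clock
        self._pending = {}              # user -> [digest, expires_at, attempts_left]

    def _digest(self, user: str, code: str) -> bytes:
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Generate a fresh code with the OS CSPRNG and return it for delivery to the
        user's second factor (SMS, authenticator app, ...). Only its HMAC is kept."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [self._digest(user, code),
                               self._clock() + CODE_TTL_SECONDS,
                               MAX_ATTEMPTS]
        return code

    def verify(self, user: str, submitted: str) -> bool:
        """True only for the live, unexpired code; each code is accepted at most once."""
        record = self._pending.get(user)
        if record is None:
            return False
        digest, expires_at, attempts_left = record
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user]     # expired or exhausted: force re-issue
            return False
        record[2] -= 1                  # charge the attempt before comparing
        if hmac.compare_digest(digest, self._digest(user, submitted)):
            del self._pending[user]     # single use
            return True
        if record[2] == 0:
            del self._pending[user]     # attempt budget spent
        return False


if __name__ == "__main__":
    store = OneTimeCodeStore(secrets.token_bytes(32))
    code = store.issue("alice")
    print("issued", code)
    print("wrong code accepted?", store.verify("alice", "000000" if code != "000000" else "111111"))
    print("right code accepted?", store.verify("alice", code))
    print("replay accepted?", store.verify("alice", code))
```

The attempt counter is decremented before the comparison so that a flood of wrong guesses cannot be used to search the six-digit space; with five tries per code the chance of guessing one is five in a million, and the password still has to be known first.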