Thoughts on passwords

https://wesort.co.uk/blog/writing/thoughts-on-passwords

Recently, a mess was made in a client’s Gmail and Dropbox accounts. We’re not sure yet exactly how this happened, but they were hacked due to some carelessness on their end. Here I want to express some approaches we can all keep in mind to avoid the hassle a security breach can cause.

Back in 2012 I put up a post that still holds relevance. Largely it lists the salient points from a Wired article by tech journalist Mat Honan, who was hacked. We all aim to have a safe and yet convenient system, and the outcomes of a failure are:

“Catastrophic failure”: you are hacked and your digital life becomes a mess to clear up.

“Annoying everyday failure”: the inconvenience of continuing to forget passwords.

Top four priorities as I see them

  1. Use passwords
    - Always use PINs and passwords on computers & phones.
    - Strong passwords have: 12+ characters, upper & lowercase, number and symbols
    - For critical passwords use really strong passwords. By really strong I mean that you should try to reach 100% on a site like this, or +1 trillion years on a site like this. This should be the case on email accounts, bank accounts, web domain registrars, web hosting and anything else that would have a large business impact if it was compromised.
    - For other (non-business-critical) accounts, it is practical to use less complex and less unique passwords.
  2. Use a unique password for each email account
    - The point here is that if we use the same password on another site and it gets hacked, they’ll often have our email address AND password.
    - Once they can login to our email, they will be able to reset many of our other accounts.
  3. Use 2-step authentication where possible
    - Banks have been doing this for years.
    - In addition to a password, we enter a randomly generated number.
    - Google, Twitter, Dropbox and others now offer this.
  4. Have a strategy
    - If you are a business, you probably have to share passwords for online services that you use.
    - Creating a few levels of secure passwords to help ease the balance of secure & easy.
    - Services like Clipperz, passwords.google.com and 1Password can be helpful.
    - This security checklist has some good practical considerations and solutions

Using passwords will always strike a balance between security and convenience. Much the same as the physical security on your home or office, more locks and alarms does mean more keys and more false alarms.

Further writing »