Monday, January 17, 2011

Trading Liberty For Security

Ben Franklin notwithstanding*, you can sometimes find an acceptable trade-off between liberty and security. A friend just had her Twitter account hacked and used for spam, something I've seen more and more often over the last year. So, just a suggestion, but if you're the sort of person who has chosen an easy-to-remember password and used it on multiple sites... just stop. Now.

Look, I know it's not easy. A year ago, I was as guilty as you, but I have since repented my sins. My New Year's resolution last year was to secure my online presence. It took the better part of a year to do it, but by mid-December I was glad I had. Otherwise, whoever hacked Gawker Media would potentially have had access to my accounts on Facebook, Twitter, Tumblr and a host of other social networking and blogging sites. My financial data would have been safe, as I kept a second password for all of that, but just imagine what could happen if that password had been compromised.

The secret to creating a secure password is to find one that satisfies three criteria: it needs to be strong, memorable and unique. Strength in this case is measured in terms of its resistance to combinatorial guessing attacks; the less likely you are to have chosen a particular sequence of characters, the stronger it is. Memorability prevents you from needing to store passwords insecurely or request frequent resets. Uniqueness guarantees that when (not if) one site is compromised, others will remain secure.

The easiest way to choose a strong password is to choose a combination of upper- and lower-case letters that do not make up recognizable words, then throw in a bit of random punctuation and a few numbers. Of course, choosing a password by banging on keys would sacrifice memorability, and while you might be able to remember one arbitrary string of characters it would be impossible to keep your passwords unique for multiple sites.
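To make the "resistance to guessing" idea concrete, here is an added example (my own illustration, not code from the original post or from any of the tools it mentions) that estimates how many bits of guessing work a password represents under two attacker models: a brute-force search over the character classes the password actually uses, and a "common word plus digits" dictionary attack. The word list is a tiny constructed stand-in for a real dictionary, and the scoring thresholds are assumptions chosen for illustration. It also includes a reuse check across a constructed per-site vault, which is the "uniqueness" criterion from the previous paragraph.

```python
import math
import string

# Constructed stand-in for a real dictionary of common passwords (assumption;
# a real cracker's list has millions of entries, which only makes this worse).
COMMON_WORDS = {"password", "letmein", "monkey", "dragon", "qwerty", "welcome"}

# Character classes an attacker must include in a brute-force alphabet if any
# character of that class appears in the password.
CLASSES = [
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
]


def alphabet_size(password: str) -> int:
    """Size of the smallest class-union alphabet covering every character."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def random_bits(password: str) -> float:
    """Guessing work if the password were uniformly random over its alphabet.

    This is an upper bound: a human-chosen string is never this random.
    """
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def dictionary_bits(password: str, words=COMMON_WORDS):
    """Guessing work under a word + optional capitalisation + digit-suffix attack.

    Returns None if the password does not fit that shape at all.
    """
    stem = password.rstrip(string.digits)
    suffix = password[len(stem):]
    if stem.lower() not in words:
        return None
    bits = math.log2(len(words))               # which word was picked
    bits += 1 if stem != stem.lower() else 0   # capitalised or not: one bit
    bits += len(suffix) * math.log2(10)        # each appended digit
    return bits


def estimate_bits(password: str) -> float:
    """Take the cheapest attack the password is vulnerable to."""
    candidates = [random_bits(password)]
    dict_bits = dictionary_bits(password)
    if dict_bits is not None:
        candidates.append(dict_bits)
    return min(candidates)


def verdict(password: str) -> str:
    """Coarse label; the 40/70-bit thresholds are illustrative assumptions."""
    bits = estimate_bits(password)
    if bits < 40:
        return "weak"
    if bits < 70:
        return "fair"
    return "strong"


def reused_passwords(vault: dict) -> dict:
    """Map each password used on more than one site to the list of those sites."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    for pw in ("Monkey12", "kR7!vQ2#pL9z"):
        print(f"{pw:15} {estimate_bits(pw):6.1f} bits  {verdict(pw)}")
    # Constructed example vault: the same password on two social sites.
    vault = {"twitter": "Monkey12", "facebook": "Monkey12", "bank": "kR7!vQ2#pL9z"}
    print("reused:", reused_passwords(vault))
```

Note that "Monkey12" looks decent under the brute-force model (three character classes, eight characters) but collapses to about ten bits once the attacker tries common words first, which is exactly why the mixed-case-plus-punctuation advice above only helps when the letters do not form a recognisable word.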

The trick I used to balance the three competing goals was to use a pattern to generate passwords that were strong, memorable and unique. The method I use is based on a suggestion I read in this Lifehacker article, but if you really want to geek out you should read this post by Hans Anderson. I may eventually upgrade to a more complicated pattern, but for the moment anything is better than my previous two-password system.

As long as you're updating all your passwords anyway, might I suggest upgrading your password vault as well? Almost everyone saves passwords in their browsers these days, which is fine as far as it goes. The assumption is that if your computer is lost or stolen, you'll need to change all your passwords anyway (and most likely all your financial data, maybe even your SSN just to be safe). However, once you find yourself storing them on your work computer, your girlfriend's computer, your laptop... well, obviously the risks multiply. While I was updating my passwords, I began storing them at a site called LastPass**. Having a secure online password vault would be useful enough, but it's the browser plug-ins that really sold me. It's the closest thing I've found to single sign-on for the internet. If you're the sort of person who worries about rogue corporations selling your passwords to the highest bidder or whatever, I'm told that KeePass offers an open-source alternative, but I'm too cynical to follow politics these days, so I'm more familiar with the one with the prettiest user interface.

So that's it, my whole secret to a more secure life. Use it when you sign up for new sites, spend an hour a night for a few weeks updating your existing passwords, go forth and sin no more. I know the whole thing seems like a pain in the ass now, but I bet you'll feel pretty stupid when all your Facebook friends start getting porn spam from you.***

* Actually, Franklin opposed trading liberty for "temporary safety", but then what other kind is there?
** Thanks for the recommendation if you're reading this, Adrienne ;)
*** Note that these suggestions do not necessarily apply to those who already use their Facebook account to send porn spam.