I’ve been asked about password security quite a bit over the past year, and it’s probably a good thing – I am interpreting it as an indicator that folks are taking their online/computing security more seriously. This topic has even made it to the mainstream media, so it is most certainly on the radar of many people.
Now, I am not a computer security expert; but I do know a few things about computers, so I’ll try to provide some information here in an accessible manner. There are several things you need to keep in mind, and I’ll link some resources in this post so you can do some more reading. There are conflicting opinions on this topic, so you’ll need to do your own homework. But regarding those items to keep in mind:
The Problem: Changing your password frequently won’t really accomplish anything. The Microsoft study from 2009 made that fairly clear, and it has been corroborated by other research elsewhere. Essentially, the process results in significant loss of productivity for virtually no improved security. Why do organizations still force us to change our passwords? Largely because it was a valid deterrent about 10 years ago – policy just hasn’t kept pace with the technology and research. And, as security researcher Dr. Markus Jakobsson mentions in this article, those security questions aren’t helping very much either…
So what can you do to actually protect yourself? A lot of folks are familiar with Mat Honan’s (Wired Magazine) plight. His articles from last year laid out the kind of problems most users might encounter. The first article described his crisis and his efforts to track down the problem; his later article does a nice job of identifying things to do/not do to protect yourself online. If you are someone who has just a handful of accounts, you can probably get by with just a few different passwords. If, like me, you have dozens of accounts – this becomes unwieldy. Here’s how you protect yourself:
1) Enable two-factor authentication whenever possible. At the very least, do this for your primary email service.
2) Use a unique email account (with two-factor authentication) for password resets. Not having this is the easiest way to let a hacker hijack other existing accounts.
3) Try to reduce the amount of your information that is publicly available online. If your info is on Spokeo it’s in dozens of databases and available to everyone, everywhere. You can get your info removed from many of these datasets. You are not going to win this fight – but reducing it makes you less of an easy target.
4) Don’t re-use passwords for important accounts, or any account that retains sensitive information. This will be increasingly difficult as you collect more and more accounts. Make your passwords long and complex – just make sure you can remember them. Eventually, you may need a database to keep track of them. Don’t laugh – I have one.
In the end, if someone really wants to hack your accounts, they are likely going to be able to do it. However, they are also likely to go after the ones that are easy to crack. So, following this advice is like putting a deadbolt on the door to your home: If someone really wants to break in they will; but the more difficult you make it for them, the more likely they will just move on to another house…