11 February 2013

Password Strategy for Online Accounts

Following the incident in which several LinkedIn account passwords were compromised, I found myself in need of a new password strategy.

Old Password Strategy

Keeping track of your on-line accounts can be a hassle, and many people use the same password for several on-line services. For many years my approach was a 3-level password model where I had

  1. a unique password for my e-mail, 
  2. a secondary password for on-line services that I used a lot (Facebook, Twitter, LinkedIn), and 
  3. yet another password for meaningless services where I basically just needed access and a compromise would mean nothing. 

And of course a totally different password for internet banking.

But following the hacking of LinkedIn in mid 2012 I found myself required to change my secondary-level password. In an ever-expanding world of on-line accounts, recollecting every account where the secondary level had been used proved to be quite a challenge. This approach also meant that changing the secondary password took a long time and a lot of work; the result was that this password had not been changed since 2009, and prior to that in 2006, so any security breach at a secondary-level website would expose my on-line identity. And apparently even the larger providers do get hacked... (duh)

I have never been a believer in password savers, since these are programs that have to be installed and maintained, and they are most likely not available when you need them. This made me look into a different approach to account password management.

During a discussion, a non-internet-savvy friend confessed to me that they never remembered a single password; they would always request a new one. The introduction of smartphones and always-connected devices meant they would always be able to access their e-mail.

New Password Strategy

Using a unique password for each account is the only way to keep yourself safe from having your identity hijacked with passwords leaked from other services. I found the concept so simple, so obvious and yet so inspiring! I did not want to wait for "forgot password" e-mails each time, though, so I tweaked one step.

I have now set the passwords of all my accounts to unique token passwords generated by services like https://www.random.org/passwords/, and since you will always be copying and pasting the password, be generous and take 16 characters (the site offers a direct link for that). When I register with a service I send myself an e-mail with a specific subject, "xxxx.com Account Password", so that I can easily search for the password from e.g. my smartphone when I need it. With Gmail this search is instant. This approach means that the only exposed touch point for all my accounts is my e-mail.
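As an added example (not code from the original post), the 16-character token passwords described above can also be generated locally with Python's `secrets` module, which draws from the operating system's cryptographic random source, instead of from a web generator. The alphabet, the domain names and the subject-line format are assumptions made for the example; the entropy figure shows what 16 uniformly random characters from a 62-character alphabet buys you.

```python
import math
import secrets
import string

# Assumed alphabet: upper- and lower-case letters plus digits (62 symbols),
# comparable to what a typical token generator offers.
ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Return `length` characters drawn uniformly from `alphabet`.

    secrets.choice uses the OS CSPRNG; never use random.choice for this.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of the given shape."""
    return length * math.log2(alphabet_size)


def subject_line(domain: str) -> str:
    """Build the searchable e-mail subject used in the post's workflow."""
    return f"{domain} Account Password"


def generate_unique(domains, length: int = 16) -> dict:
    """One independent password per domain; every value must be distinct."""
    table = {d: generate_password(length) for d in domains}
    if len(set(table.values())) != len(table):
        raise RuntimeError("collision in generated passwords (astronomically unlikely)")
    return table


if __name__ == "__main__":
    # Constructed sample domains; these are not accounts from the post.
    for domain, pw in generate_unique(["example.com", "example.org"]).items():
        print(subject_line(domain), "->", pw)
    print(f"16 chars over {len(ALPHABET)} symbols = "
          f"{entropy_bits(16, len(ALPHABET)):.1f} bits of entropy")
```

Sixteen characters from this alphabet give roughly 95 bits of entropy, far beyond what an offline guessing attack on a leaked hash could exhaust, which is the reason to take the longer length when the password is going to be pasted rather than typed.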

Almost all internet users know that they should have a unique password for each service, yet many of us do not enforce the practice, especially the digital non-natives. This must come down to workflow. The model described here gave me a workflow that enforces full security around my internet identity, and I hope that by sharing this "aha!" moment you and the people you care about can have a safer on-line identity.

Spread the word.
