Password Security and Digital Spring Cleaning

It’s not Spring yet, but it’s sunny outside.  With recent hacking attempts going on I’ve decided to tighten up my digital security. How am I doing this?

  1. Instead of using the same password for multiple websites, randomly generate passwords then store them in a password manager. This way, if one site gets hacked, attackers will not be able to use that login and password to access other sites.
  2. Delete accounts on websites I’m no longer using, or scramble the email, password, and all personal data so that all the information is fake. This is not recommended if you used that site for shopping, as saved invoices will still contain your real info.
  3. Activate two-factor authentication for important websites.

Step 1. Use a password manager. Is there a risk of putting all your passwords in one basket? Absolutely! There could be a keylogger on your computer (in which case it doesn’t matter anyway). Your password file might be lost to a hard drive crash — so you should probably back up the list to a cloud service of some sort.

Here are a few password managers I’ve personally used:

  • KeePass is 100% free and open source, though its usability and browser integration are not as good as the others. KeePass stores its data in a single file which can be backed up in any major cloud provider. It’s free so there is really no excuse.
  • If you use OS X, 1Password is an excellent tool. I previously used 1Password when I was in an Apple environment; however, their Windows version doesn’t compare. Also, they only support Dropbox as a cloud backup.
  • SafeInCloud has excellent cross-platform support at a reasonable price. I previously used their Android app and it was well designed. However, their browser integration on Windows wasn’t as good as 1Password and LastPass — both of which automatically detected changed passwords.
  • LastPass, which I currently use, syncs passwords onto their own server. You can also make local encrypted backups using their Pocket application. Their cross-platform compatibility is excellent, and they have a “Security Challenge” which advises you to change your duplicate and weak passwords. The downside? Many features require a Premium account at $12/year.

If you end up using an online service like LastPass or store your encrypted passwords on cloud services like Dropbox, OneDrive, or Google Drive, hackers could possibly go after those files. But they probably won’t succeed — because there are easier targets. Large companies who have a reputation to maintain spend more money on security and intrusion detection than that online forum you signed up for. Or that ebook you bought from somebody’s WordPress site that hasn’t been updated in over a year and is spitting out security errors (that actually happened).

It’s much easier for hackers to go after a small site, and use the email logins and passwords to go after more important sites. So using your password manager, view your websites with duplicate passwords and generate new random passwords for them. These random passwords will generally be over 12 characters and have upper and lowercase letters, numbers, and symbols to minimize the success of brute-force attacks.

[Image: LastPass dashboard]

LastPass has an interesting “Security Challenge” feature which ranks your security and advises you to change all your weak passwords. These were my results when I first started; it’s much better now.
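As an added illustration (not code from the original post or from any of the password managers mentioned), here is a small audit in the spirit of the “Security Challenge” above, run over a constructed sample vault: it flags reused and weak passwords and suggests replacements generated from the operating system’s CSPRNG with the length and character classes the post describes. The vault format (site, password) and the symbol set are assumptions.

```python
import math
import secrets
import string
from collections import defaultdict

# Character classes a generated password must draw from (upper, lower, digits, symbols).
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"   # assumed symbol set
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)
MIN_LENGTH = 12                        # the post's "over 12 characters"

def character_classes(pw):
    """Number of the four classes actually present in pw."""
    return sum(any(c in cls for c in pw) for cls in CLASSES)

def entropy_bits(pw):
    """Brute-force search-space estimate: length * log2(size of classes present)."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(size) if size else 0.0

def generate_password(length=16):
    """Uniformly random password (secrets, not random) that contains all four classes."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    while True:  # rejection sampling keeps the distribution uniform over valid passwords
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if character_classes(pw) == 4:
            return pw

def audit(vault):
    """Return {site: [problems]} for every entry that is reused, short or low-class."""
    sites_by_password = defaultdict(list)
    for site, pw in vault:
        sites_by_password[pw].append(site)
    problems = {}
    for site, pw in vault:
        issues = []
        others = [s for s in sites_by_password[pw] if s != site]
        if others:
            issues.append("reused on " + ", ".join(others))
        if len(pw) < MIN_LENGTH:
            issues.append("shorter than %d characters" % MIN_LENGTH)
        if character_classes(pw) < 4:
            issues.append("missing character classes (~%.0f bits)" % entropy_bits(pw))
        if issues:
            problems[site] = issues
    return problems

# Constructed sample vault; these are not real accounts or credentials.
SAMPLE_VAULT = [("forum.example", "summer2015"), ("shop.example", "summer2015"),
                ("mail.example", "Tq7!mZ2#pL9$wX4v")]

if __name__ == "__main__":
    for site, issues in audit(SAMPLE_VAULT).items():
        print(site, "->", "; ".join(issues), "| suggested:", generate_password())
```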


Step 2. Delete useless accounts. Remember that account you signed up for in 2005 for some crappy contest? No you don’t. You probably don’t even use it anymore. So delete it. Log in to that account, go to their account settings, and delete it.

What if you can’t? If there’s no way to delete the account, you can make the information useless. This is only recommended for sites that you haven’t put in personal information like address or credit cards — as generally those would have invoices and previous order data which can’t be deleted. To render an account useless:

  1. Change your name on that account to something completely random. Change your gender, birthdate, and any other information too.
  2. Change your password to something completely random (but put it in a temporary text file because you might need it for step 3).
  3. Change your email address to a temporary, disposable email such as:
    1. www.getairmail.com
    2. www.10minutemail.com
  4. Once you’ve successfully completed these steps, delete your temporary text file. You’re never logging into those sites again, because they have nothing useful there anyway.

Step 3. Safeguard important accounts using two-factor authentication. What’s the use of creating new passwords for all your websites, if someone gets into your email and resets your passwords? Therefore, you must protect your email accounts using two-factor authentication, which requires you to enter a generated code every time you log on. This generated code is from an application you install on your mobile phone.

For more information on this, check the help section on your Google Gmail or Microsoft Outlook account (some other email providers offer this as well). Also check out what happens if you lose your phone — ensure you have a backup method for regaining access to your email. There are other services besides email which use two-factor authentication — generally financial sites — consider enabling those as well.

Depending on how many logins you have, it may take quite some time to update them all. You don’t have to do it all at once — a few websites a day will help your security over time.