Passwords, and how to get better at them

Recently, a friend of mine told me that her password had been stolen. Someone got hold of her password and used it to access her bank, email, and Apple accounts, as well as a few others holding her personal information. She immediately took all the right steps: she changed her credit card numbers, informed the correct departments, and talked to the right people. Afterwards, her biggest question was, “What can I do to stop this from happening again?”

One key to rule them all

What had happened to her, as to so many other people, is that when one of her passwords was compromised it was used to access a slew of other accounts that used the exact same password. Unlike people who use simple or default passwords like “password” or “123456” (far more common than you think), she had a strong, 14-character password that was virtually impossible to guess by trial and error. Her mistake was using this same password on multiple sites, something I am sure we have all done at some point in our online lives.

Recent history has shown our weakness

Very recently an exploit was discovered in a protocol that is used to encrypt our passwords every time we log into a site. Its name is ‘Heartbleed’, and to make a long story short, it makes it very easy to listen in on a vulnerable site and pull random pieces of information from it, some of which contain the full username and password of users. When it was found, approximately 66% of the Internet used this protocol, leaving an incredible number of people exposed to this attack. Within days, the majority of the sites affected had patched or were in the process of patching their servers, but the bug had existed for nearly two years before its discovery, making it impossible to quantify the number of people affected or passwords compromised. Every site had one thing to say to its users: “Change your password.”

Passwords are the keys to everything

Think of all the physical keys you have in your life. There is your car key, your house key, the key that gets you into work, and probably an array of others that give you access to different areas of your life. They are each different, and while a big ring of keys may annoy us at times, it exists for a reason: to isolate the damage someone could do if they found one of them. This is the exact train of thought that must be extended to passwords; each one must be unique so that it isolates the damage someone can do if they get hold of it.

What can be done?

One solution that has gained more and more coverage over the past year is a password manager. Essentially this is a piece of software that keeps track of your unique passwords, so you need only a single master password to log into any site. While this does solve the problem of having unique passwords without having to remember all of them, it requires you to be at your computer or on a device that supports it. For me, I want to be able to log in to my Gmail from a friend’s house, or check my balance from any device, without having to rely on being near my password manager.

Finally, Password Freedom

I told my friend exactly what I do. “Choose a strong password that you can remember, then take the first three letters of each website and use them as either a prefix or suffix to your password, thus creating a unique password for each site you visit with a single password.”

For example, if your password is abc123**# and you are logging on to Gmail, the password becomes “GMAabc123**#”, while your Apple password becomes “APPabc123**#”.

This method has worked extremely well for me. It allows me to have a unique password for every website, without having to rely on a long list or being tethered to a password manager. It’s a small effort in the beginning to change every password over, but it keeps my information protected.

What methods do you employ to keep your accounts safe? Let us know in the comments section.


  • So you don’t want to be “tethered to a password manager”? 1Password will *untether* you, completely, on every device you own: OSX / Windows / iOS / Android. A keystroke in a browser logs you in. The built-in browser in the iOS / Android apps is excellent, and it has replaced every other browser on my phone and tablet for web tasks that require login. In fact, it has obviated most of the dedicated apps I used to use on the iPhone for banking, shopping, et al. 1Password changed my life, quite literally. There are others, and I have tried a few — none so far comes close to 1Password in elegance, efficiency, and functionality. If that’s being “tethered” then I do not think that word means what you think it means.

  • Many experts, including those like Bruce Schneier, *do not* recommend the method described in this blog. FWIW, I definitely don’t. If a password is stolen from a weaker site, then guessing the password to another site is as simple as guessing the pre-appended code.

    Also, with hundreds of sites, pre or post appended codes will get out of hand very quickly. Further, when one needs to change the password, is it GMA or GMAI or GMAIL that is appended to the new one?

    For simple and bulletproof security without gimmicks like multiple passwords with the same root, stick with programs like LastPass or 1Password. They are secure, changing passwords after a hack like Heartbleed is simple and doesn’t require remembering the new changes, and they ARE available everywhere, even at friends’ houses (example: 1PasswordAnywhere).
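The post’s prefix/suffix rule and the second commenter’s two objections (which spelling of a site gives the code, and how much a single leaked password reveals) can be made concrete in a few lines. This is an added example, not code from the blog or the commenters; the function names, the site labels and the sample passwords are constructed for illustration.

```python
"""Added example: the blog post's site-code scheme, written out as stated,
plus checks that show why the comments argue against it."""

from typing import Literal

Position = Literal["prefix", "suffix"]


def site_code(site: str) -> str:
    """First three letters of the site name, upper-cased (the post's rule).

    The post never says which spelling of a site to use: 'Gmail',
    'gmail.com' and 'mail.google.com' yield different codes, which is the
    'GMA or GMAI or GMAIL' ambiguity the second commenter raises.
    """
    letters = [c for c in site if c.isalpha()]
    if len(letters) < 3:
        raise ValueError(f"site name too short for a 3-letter code: {site!r}")
    return "".join(letters[:3]).upper()


def derive(master: str, site: str, where: Position = "prefix") -> str:
    """Build the per-site password exactly as the post describes."""
    code = site_code(site)
    return code + master if where == "prefix" else master + code


def shared_root(pw_a: str, pw_b: str, where: Position = "prefix") -> str:
    """Return what two derived passwords have in common ('' if nothing).

    This is the risk behind the second comment: the per-site passwords
    differ only in three letters, so the scheme isolates far less damage
    than the post's key-ring analogy suggests. A password manager's
    randomly generated passwords share no such root.
    """
    stem_a, stem_b = (pw_a[3:], pw_b[3:]) if where == "prefix" else (pw_a[:-3], pw_b[:-3])
    return stem_a if stem_a == stem_b else ""


if __name__ == "__main__":
    # Constructed sample values, matching the post's worked example.
    master = "abc123**#"
    gmail, apple = derive(master, "Gmail"), derive(master, "Apple")
    print(gmail, apple)                       # GMAabc123**# APPabc123**#
    print(site_code("gmail.com"), site_code("mail.google.com"))  # GMA MAI
    print(shared_root(gmail, apple))          # abc123**#
```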