Password management for normal people

Photograph of the paining The Scream by Edvard Munch

What if your email got hacked? Here is what happened recently to Mat Honan:

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

The hackers erased all Mat’s digital photos and home videos of his young daughter, and his online backup of them. (The good news: after a lot of effort and money, he managed to get them back. Most of us would not have been able to do that.)

Your email account is a gateway to the rest of your digital life. Those ‘email me a new password‘ links on most websites are pretty darn useful when you have forgotten your password for Paypal; but not so good if the bad guys are in your email and intercepting those handy-dandy password reminders.

The typical person reading this blog uses about 30 different websites, but I bet you only use two or three different passwords (if that).  So once the bad guys get your password to one website, there is a good chance that the same password will also work somewhere else. LinkedIn recently confirmed that hackers had got hold of a database of 6.5 million passwords: armed with those usernames and passwords, the bad guys will have been able to get into a lot of other, more important websites such your office system or online banking.

What’s more, the bad guys are getting quite good at cracking passwords.  Those clever things you do to make a password hard to guess – like replacing an “E” with a ”3” – they know those tricks too. (Breaking news: some burglars also know that some people leave on their lights at home when they are out.)  Tricks like this are mainly useful if you are the only person who knows them.

So what you can you do?

If you have a Google mail account, you should set up your account recovery options to include your mobile phone number. This won’t make it harder for someone to hack into your account, but it does increase the chance that you will be able to get control back if they do. This is a no brainer. Do it now.

Now make a resolution to use different passwords for different purposes.  I am not saying you have to use a different password for every website: nobody is going to remember 30 different strong passwords. I don’t think it is a problem to use the same password for LinkedIn and Facebook.  But you should reserve unique passwords for your email and for online banking, and then use some different passwords for everything else.

One way to handle multiple strong passwords is to use a password manager such as LastPass – this is free software which works automatically with your web-browser and (in the $12 a year version) your mobile phone.  It sets and stores a strong password for every website, and you just have to remember the master password for LastPass.  This enables you to have a separate, complicated password for every website, and you won’t have to remember any of them.

Two factor authentication

An even better way to keep out the bad guys is to have a second hurdle, in the form of two-factor authentication. The principle is simple.  Getting in to a website requires something you know (your username and password) and something you have (such as your cellphone or a dongle).  Bad guys may crack or steal your password but they still will not be able to get in unless they also have your phone. You may already use something like this for online banking or for accessing your office network.

The only major webmail service to allow you to use two-step authentication is Google mail. If you have a Gmail account, you should seriously consider turning it on to keep your mail safe. When you log in to your account from any new computer, and every 30 days after that, you will need to enter a verification code which you receive as a text message on your mobile phone.  So even if a hacker has your username and password, he or she will also need your mobile phone or your computer to get in to your mail. Setting up two factor authentication on Gmail is a little involved, especially if you access your Google account from many different devices. But the hassle is worth it if you want to keep your mail account secure.

If it makes you nervous to store all your important passwords in LastPass, because your master password could be compromised, you may like to know that you can also turn on two-factor authentication in LastPass.  (A hacker would need access to your mail to turn it off again, which is why you should keep your email password secure. You get the picture.)

Hey, you! Get off of my cloud

Storing everything in the cloud is fantastically convenient, and it provides a backup if you lose your computer or phone. But if all your personal data is in the cloud, you need to take some simple steps to keep it safe.  Here is a checklist:

5 thoughts on “Password management for normal people”

  1. I shouldn’t really tell you about my cunning system (as that would obviously defeat the point of it!)..

    But a good way is avoiding memorising things altogether, and having a system which means you can always work out the password, even if you can’t remember it yourself.  So, using something as a reference point that is always available online, has lots of different parts which don’t ever change (and can each for the basis for a password) – and then having some kind of logical formula between the different parts and the account you are trying to access.  That way you can run through your formula every time, have as many different passwords as you have accounts, and never need to remember anything.    


    1. @Amy – Thanks. Yes, you are right, it is possible to have a system so that each password is different and you only have to remember the system, not the passwords.

      There is however a potential drawback with this, which is discussed in the excellent Dan Goodin article in ArsTechnica. The crackers are getting increasingly sophisticated at cracking not only passwords but algorithms.

      For example: if they can see that your Linkedin password is ‘Amy@Linkedin’ then their computer is going to have a pretty good idea about what your Facebook password might be. So the formula you use has to be such that you cannot guess the formula from any particular password that it produces.


  2. Mmm, good point.
    Hopefully it should be ok if by formula you mean a sort of logic that requires your specific human creativity and personal-ness to ‘run’ it.

    God I’m totally waving a red-rag to the hackers now aren’t I… 

  3. OK.  First off, let’s assume, in spite of this blogger’s helpful advice, our accounts are hacked.  After all, if Sony, Apple, the Pentagon, etc can be hacked, so can we be.  The question then becomes: What do we really really want to keep?  In Mat’s case it was photos.  True for me also but I have a cunning plan – wait for it – I print the ones I really really like and put them in an album.  Some I put in an online album which some clever people organise for me and send me a nicely printed copy through the post (before you ask, I still receive loads of snail mail everyday).  Then here’s the really clever bit.  When I’ve uploaded my photos I don’t wipe the SD card but keep it as the ultimate backup. I know that’s expensive but I first delete duplicates, poor shots, etc.  Anyway, SD cards are becoming cheaper, have greater capacity and are faster year by year.  Probably a variant of Moore’s Law.  How often do I look at these photos?  Pass . . . but I like to know they are still there and I look at the best ones which are on my fridge door stuck by a magnet.  Next up, what docs must I keep?  Not a lot, really, my Will, Tax Return, Mortgage Agreement, etc.  Oddly enough most of these come in paper form (it appears that most lawyers are paper addicts because they like one’s signature on the doc).  Also, as these docs involve another party, the other party has a copy.  What else?  Not a lot but it would just be mega annoying to lose them.  Next cunning plan.  I backup additionally with another disk which I give to a friend a few streets away and then update once a month (I use WD, if advertising is allowed on the website). [Memo to self: I must keep these SD disks and paper docs safe by investing in a fireproof, bomb proof, burglar proof safe in case my house burns down, my city is nuked or my doberman pinscher is asleep by my fire.]

    I read the stuff about the Crack Me If You Can contest and all the money spent on winning it.  Just think, if all that money and all that brainpower had been devoted to alleviating poverty, finding cures for (especially third world) diseases, dealing with famine . . . . . no don’t go there or you’ll end up with a mega depression.

  4. I also have a cunning plan – I keep myself 5 (or more like 10) years behind on technology. With no smartphone, IPad, clouds, etc. the things that be hacked into are reduced. Uni passwords change every three months anyway. I do banking in a real bank. I own one laptop and no credit card.
    This clever, agile solution also means less time staring at a screen of some form or other. And, I can still navigate around a city, because I have no access to a device when out and about so have the neural pathways that have atrophied in the smartphone generation. I can also write using a pen. And, despite this brief entry (I try to restrict such things to half an hour a day), can write coherently for more than 200 words at a time before losing interest. Unlike many of my students. 
    Really, we are victims of technology and of companies like Apple. We con ourselves into thinking that talking to people is somehow outmoded.

Leave a Reply

Your email address will not be published. Required fields are marked *