Friday, May 30, 2014

How to Remember All the Passwords You're Resetting

If you're like most people, the news of the Heartbleed bug and how broadly its security flaw spread is worrisome enough. But the list of sites where you absolutely have to change your passwords looks daunting for anyone.

You probably have to change passwords on your email, your Facebook, and maybe even your online dating profile, not to mention potentially countless online shopping sites (depending upon the depth and breadth of your need to shop until you drop).

If you're like a lot of people, you probably think that you can come up with one indecipherable password, maybe one that isn't even a word, and then reuse it because no one will ever guess. But the Heartbleed bug, like the hacks of Kickstarter and some Yahoo emails earlier this year, should have you questioning that assumption.

In these attacks, hackers don't have to guess one password, or even try out a few easy ones (like the word "password," which you should always avoid), to get into one account. Instead, they go after a site's database of all users' logins and passwords and, no matter how strong you think yours is, they've got it.

It could be bad enough when you lose one password on one site or for one account - but, for instance, in the Kickstarter case, they reset all users' passwords right away and only two accounts were accessed. However, if you, full of hubris about your ingenious, unguessable password, used it on another site with another login name, then the people who snagged it the first time can get into your other accounts without even having to "guess" your unguessable password.

Create a System

So if you're in the midst of changing passwords, now's a good time to start a password system, rather than picking one new, universal password. Using this method, you not only prevent most identity thieves from accessing more than one account if they do get one of your passwords, you also make sure you can remember what they all are.

1. Pick a meaningless combination of letters and numbers that you can remember. However, don't use a maiden name (and especially not your mother's), a child's name or a favored pet. Pick the name of a beloved (or un-beloved) cousin twice removed, the name of a song you loved as a kid, or even the nursery school your best friend attended. Make up an acronym for the first line of your favorite novel or movie quote.

2. Replace a letter or two with a number or symbol (like a 5 or a $ instead of an "s," or a 3 instead of an "e").

3. Add a punctuation mark or two to the password at random.

4. Surround your random meaningful word with the name of the site for which it is the password, in a way that makes sense for you. If your word is "TGIF" (which it shouldn't be!), and your punctuation mark an exclamation point (not the best one to use), then your Facebook password might be "face!TG1Fbook" and your Amazon password might be "ama!TG1Fzon." For added security, you could also abbreviate the site names in some way that works for you.

5. Change your passwords regularly. If you shop online at various sites, or if you know that an account was compromised or you were victim of another form of offline identity theft, consider changing your passwords once a month. If your risk is more moderate, do it once a quarter. If you can't stomach either, do it once a year - but know that, for instance, the Heartbleed bug was operational for two years before it was brought to the developers' attention and fixed, which means a password you used in 2011 could still be operational in a hacker's hands today.
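The five steps above, as an added Python example that is not part of the original post: the substitution table, the split-the-site-name-in-the-middle rule, the placement of the punctuation mark, the abbreviation form and the rotation intervals (30, 91 and 365 days for the post's monthly, quarterly and yearly advice) are all assumptions chosen to reproduce the post's "face!TG1Fbook" and "ama!TG1Fzon".

```python
from datetime import date, timedelta

# Step 2: letters swapped for a look-alike digit or symbol. Assumed table: the post
# names 5 or $ for "s" and 3 for "e", and its example turns the "I" of TGIF into "1".
SUBSTITUTIONS = {"s": "5", "e": "3", "i": "1", "S": "$", "E": "3", "I": "1"}

# Step 5: days after which a password is due for a change, by risk level (assumed).
ROTATION_DAYS = {"high": 30, "moderate": 91, "low": 365}


def mangle(word: str) -> str:
    """Step 2: replace every letter that has an entry in SUBSTITUTIONS."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in word)


def derive(site: str, word: str, punct: str = "!", abbreviate: bool = False) -> str:
    """Steps 3-4: wrap the mangled word in the site name, split in the middle,
    with the punctuation mark after the first half (assumed placement).
    abbreviate=True keeps two letters of each half, one assumed way of
    shortening the site name as the post suggests."""
    name = site.lower()
    half = len(name) // 2
    head, tail = name[:half], name[half:]
    if abbreviate:
        head, tail = head[:2], tail[-2:]
    return f"{head}{punct}{mangle(word)}{tail}"


def all_distinct(sites: list, word: str) -> bool:
    """Check that the scheme really yields a different password for every site."""
    return len({derive(s, word) for s in sites}) == len(sites)


def rotation_due(last_changed: date, risk: str, today: date) -> bool:
    """Step 5: True when the password is older than the interval for its risk level."""
    return today - last_changed > timedelta(days=ROTATION_DAYS[risk])


if __name__ == "__main__":
    for site in ("Facebook", "Amazon", "Gmail"):          # constructed sample sites
        print(site, derive(site, "TGIF"), derive(site, "TGIF", abbreviate=True))
    print("due:", rotation_due(date(2014, 1, 1), "high", date(2014, 5, 30)))
```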

There are a lot of naysayers out there right now who claim you don't need to be so careful, that there's no evidence the bug was exploited by hackers and that, even if it was, the consequences are likely to be pretty minimal for most people. Don't listen to them, and don't give in to your own weariness with this sort of vigilance. At this point, the businesses who have your security in their hands aren't failsafe, the government is still debating how much they should have to tell you when their security fails, and hackers are bombarding businesses and individuals in an effort to make a quick buck. The only person who can even begin to protect you is you.
