Passwords and U (Part 3): password managers (Updated)

[Update: XY reminded me that despite having a good password manager with a different password for each site/service, fundamentally the weakest link would be your master password. In other words, unless your master password is almost unbreakable, any password manager would be moot; in fact, it might be worse since hacking into the app yields access to all your other passwords. 

In summary, have unique passwords for each site/service that you use. If it helps, use a password manager to manage them (hence saving you the trouble of memorizing multiple passwords); and since you technically remember fewer passwords, focus then on having a superbly powerful password for your master password — see cartoon below.]

XY started with a question about our online security within the context of passwords*, went on to describe an actual experience of being hacked (not him; his WoW clan mate) and ended with some suggestions on creating those pesky but important passwords**.

Here I’d finish up the trilogy by touching on something I use daily: password managers.

Password managers are apps that do several things but primarily they store your login information and hence passwords, and also generate passwords for you. How does it all work? Consider my usage.

I use an app called 1Password by AgileBits Inc. and as the name suggests, I only remember one password, which consists of over 10 alphanumerics and symbols (as a security measure and positive example, I shouldn’t expose the length of my password). This is the password I remember.

Every time I sign up for a new service, say WordPress, I use the inbuilt password generator in 1Password (it installs itself into my browser — in this case Safari) to generate for me a totally random password to the maximum length allowed by the service. For example, if WordPress allows a maximum length of 25, I’d then generate a password of length 25. When that is done, I can choose to save the login information — both my userid/email and password — into the app.

When I visit the same service (in this example WordPress) again, I can then ask the app to fill in my login details (after I have unlocked it with my über powerful one password). This works for multiple logins too — for example, if you are logging into Gmail and you have three email addresses, the app can display them for you to choose from.

[Image: Logging into 1Password in Safari]

[Image: 1Password unlocked, giving access to login credentials]

There’s another useful aspect of using password managers that are built into your browsers. You see, how the apps recognize that you might want to use your WordPress credentials on WordPress’s page is by storing the domain address (or simply, website address) along with your login information. When you are at WordPress, the app only shows you your details for WordPress and not for another service like erm… Mickey and (I’m kidding).

However, let’s say you did the setup and saving and now when you re-access WordPress, you notice that the app doesn’t recognize the site address. This can mean two things: first, the site address changed or you were accessing a part of the page which the app did not recognize, or second, you are under a phishing attack.

From Wikipedia:

Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. This is similar to Fishing, where the fisherman puts a bait at the hook, thus, pretending to be a genuine food for fish. But the hook inside it takes the complete fish out of the lake. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

In short, you might have received an email from ‘WordPress’ asking you to reset your password and there’s a link in the email for you to click. That link, however, does not lead you to the legit WordPress but rather to a fake site that looks like the real deal, and when you fill in your login information, the evil people who built the fake site then have your information.

Password managers prevent this by not offering to fill in your details on a site whose address they don’t recognize. As an aside, never click on links in emails where possible; if there is a need to reset a password or something, go to the website yourself, typing in the legit address that you know.
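The address check described above, as an added example (a simplified sketch written for this post, not 1Password's code). It assumes logins are stored with an exact hostname and offered only when the page's parsed hostname equals it, which is also why a legitimate but unrecognized part of a site shows nothing; the vault entries and URLs are constructed.

```javascript
// Added example: simplified domain-bound autofill, not 1Password's code.
// Vault entries and URLs are constructed sample data; passwords are omitted.
const vault = [
  { host: "wordpress.com", user: "me@example.com" },
  { host: "accounts.google.com", user: "first@example.com" },
  { host: "accounts.google.com", user: "second@example.com" },
  { host: "accounts.google.com", user: "third@example.com" },
];

// Return the usernames the manager would offer to fill on this page.
function loginsFor(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return []; // unparseable address: offer nothing
  }
  // Only the parsed hostname counts. Text before "@", in the path, or in
  // a left-hand label can spell out any brand name the sender likes.
  // The URL parser lowercases the host; drop a trailing root dot as well.
  const host = url.hostname.replace(/\.$/, "");
  return vault.filter((e) => e.host === host).map((e) => e.user);
}

// Constructed pages: two genuine, three that only look similar or differ.
const pages = [
  "https://wordpress.com/wp-login.php",                // saved site
  "https://accounts.google.com/signin",                // three saved logins
  "https://wordpress.com.account-reset.example/login", // brand as left label
  "https://wordpress.com@phish.example/wp-login.php",  // brand before "@"
  "https://en.wordpress.com/log-in",                   // real, but not saved
];
for (const p of pages) {
  const offered = loginsFor(p);
  console.log(p, "->", offered.length ? offered.join(", ") : "nothing offered");
}
```

An empty result is the signal to stop and check the address bar before typing anything by hand.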

Personally, I love my password manager, and use it to store not only my login credentials, but also some sensitive data, software licenses and credit card details. There’s Dropbox syncing and iOS apps too, so my data is always with me and in sync across devices, but accessible only with the master password. Well, not exactly. On my iPhone 1Password has to be accessed by a 4-digit password, and that only brings up the list of headings. To see the full information, I have to key in another password that can be different from my über powerful password.

So, technically I have to remember three passwords, but this translates to a different password for every service I use. The only downside is that whenever I have to log into a service on a device that isn’t mine, I’d have to refer to my phone; then again, I think it’s an inconvenience I’d gladly afford for added security.

If you need a password manager, I recommend trying out 1Password for 30 days. Actually, you can continue using it beyond expiry; there’s just this pesky pop-up which you can dismiss after a while. For me I actually paid for my Mac and iOS licenses (and it’s one of the first few apps I always install after reformatting) but not my Windows, since the minor inconvenience is not an issue given the little time I spend with the platform. You can check them out here.

Of course, if password managers are not your cup of tea, try creating some interesting and lengthy passwords using common words as shown below***:

[Image: Password strength. Caption: Choosing a password]


*XY’s first post can be found here.

**XY’s second post about password creation can be found here.

***Image credit: xkcd. (Via Gizmodo)


