Common sense on what a “strong” password is has changed a little bit. Chances are, you might think a strong password is:
- (at least) one upper-case letter
- (at least) one lower-case letter
- (at least) one symbol
- (at least) one number
And as a result, you’ve probably generated a password something like this: $ax0ph0n3 – Right?
Turns out, that may not be the best password after all. As computers (and computer programmers) got better at stringing together guesses at passwords – especially really important ones like the President’s email or a login to this blog – the time to guess a short, but total gibberish word got a lot shorter. XKCD’s Randall Munroe put it like this:
Add to this the fact that so many institutions make it ridiculously easy to guess at or use social engineering to find password hints, and there’s a huge problem brewing.
What do I mean by that? My bank gives the option to use the city of my high school as verification that they’re talking to me. LifeLock asked me a whole slew of “personally identifiable information” questions – including the year my first child was born. I don’t use those questions. If I did, anyone who was my Facebook friend would have that information. Worse still, someone claiming to be interviewing me for a job could call my friends or family, ask a few questions about my “background”, and then impersonate me. This happens more often than you’d think, and it’s pretty tricky to avoid.
First, let’s get back to passwords. What do I recommend? LONG, easy-for-you-to-remember passwords. I wouldn’t go with four lowercase words (most systems don’t let you, anyway) – but something that uses existing conventions and is also long. The full name, price, and city of your favorite meal, for instance. Kinda easy to remember ChickenParmesan1499Denver, right? Certainly easier than $ax0ph0n3.
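To put numbers on the two passwords above, here is an added example (not from the original post) that estimates guess space two ways: the way composition rules count it (independent characters from the classes present) and the way a guesser who knows the recipe counts it (a word plus a substitution pattern, or dish plus price plus city). The guess rates and the component counts are constructed assumptions, not measurements.

```python
import math
import string

# Constructed, order-of-magnitude guess rates (assumption, not from the post):
# a rate-limited login form versus an offline run against leaked fast hashes.
ONLINE_GUESSES_PER_SEC = 1_000
OFFLINE_GUESSES_PER_SEC = 10_000_000_000


def charset_size(password):
    """Alphabet a guesser must cover if they only know which classes appear."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def brute_force_bits(password):
    """Entropy under the composition-rule model: every position independent."""
    return len(password) * math.log2(charset_size(password))


def structured_bits(component_choices):
    """Entropy when the guesser knows the recipe and only picks each part.
    component_choices lists how many plausible values each part has."""
    return sum(math.log2(n) for n in component_choices)


def years_to_exhaust(bits, guesses_per_sec):
    """Time to try every candidate in a space of 2**bits at a given rate."""
    return 2 ** bits / guesses_per_sec / (365 * 24 * 3600)


def compare(password, component_choices):
    """Return both estimates so the gap between them is visible."""
    bf, st = brute_force_bits(password), structured_bits(component_choices)
    return {
        "brute_force_bits": round(bf, 1),
        "structured_bits": round(st, 1),
        "offline_years_brute": years_to_exhaust(bf, OFFLINE_GUESSES_PER_SEC),
        "offline_years_structured": years_to_exhaust(st, OFFLINE_GUESSES_PER_SEC),
        "online_years_structured": years_to_exhaust(st, ONLINE_GUESSES_PER_SEC),
    }


if __name__ == "__main__":
    # "$ax0ph0n3": one dictionary word (~100k) with one of ~32 common
    # leet substitution patterns (constructed estimate).
    print(compare("$ax0ph0n3", [100_000, 32]))
    # "ChickenParmesan1499Denver": a dish, a 4-digit price, a city
    # (constructed estimate: ~1000 dishes, 10000 prices, ~1000 cities).
    print(compare("ChickenParmesan1499Denver", [1_000, 10_000, 1_000]))
```

The structured figure is the one a real guesser faces: length pays off only to the extent the parts are hard for someone who knows you to predict.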
Second, to avoid social engineering – never use any publicly available information as verification if you can help it. I’ve had friends who used non sequiturs as answers (often hilarious, but also easy to remember) or created complete, alternate-reality versions of themselves to answer those personal questions (also hilarious, harder to remember).
Third, wherever possible, use 2-step authentication. Facebook, Gmail, MailChimp, and other online apps allow you to use 2-step authentication (sometimes also called 2-stage authentication). Here’s how it works: first, you log in using your normal username/password combination, then a 6-digit code is sent to your cell phone via text message. You’re asked to enter that 6-digit code before you can log in for real – thus preventing anyone who isn’t in possession of your cell phone from logging in (for now).
It sounds like a massive pain in the butt (and it is), but it works well and is currently pretty secure.
What about you – how do you secure your online efforts? Did I miss something? Let me know in the comments!