A Better Password Strategy
Having a unique, rememberable password for everything.
By Michael Lang on February 27, 2014
If you're like me and you are online a lot, you probably have more website accounts than you can count from Facebook and Twitter all the way to your banking and blogging accounts. Today, I got an alarming email from my email provider saying that multiple attempts were made to log into my account from Argentina. Fortunately, my provider blocked the attempt, sent me an alert and I was able to act promptly! How did they do it? Well, over time, the major web services collect a lot of data on break in attempts and patterns of behavior and, whether you like it or not, know your general behavior, frequency, and geographical areas where you log in most. If you live in Georgia and then fly to California and attempt to log into a service like Facebook, Twitter, or Google, they know that's not your usual location and will email you with an alert so you can take action! If you travel frequently for work, they know that, too and won't bother you with this heuristic alarm. If you ever get such an alarm and if its not you, its best that you immediately log in and change your password on the account to prevent any further sabotage. If you used the same password and account anywhere else, its time to change every single one of those accounts urgently! The hackers aren't fooling around and neither should you!
Credential Theft vs. Identity Theft
Credential Theft is simply having your login credentials to a website or online service stolen and available to hackers to use in logging in as you. Identity Theft is much worse and that's when enough information about you is obtained to open a bank account or line of credit or credit card in your name and often involves a negative financial impact on your credit.
Credential Theft Will Happen!
The number one security weakness in almost every platform/service on the web is the user's password. We as human-beings like to keep things simple, so we, as a rule, use the same email and user name combined with the same, often short, simple, rememberable password, or something ridiculously easy to type and statistics show we overwhelmingly reuse these same credentials everywhere we can!
All it takes is for your computer to get a Trojan key-logger installed or one poorly implemented web service who stores your passwords in clear, plain-text fields in their database to get hacked and its off to the races with the hackers attempting to use same account and email and password combos to log into all the big banking, social media, and email services you probably visit!
If your primary email account is ever hacked, you're in heaps of trouble as the hackers will change your email password and then set about requesting password resets to your email account in order to get into those other accounts! Not a pretty thought by any stretch of the imagination. But the short of it is that you can quickly go from victim of credential theft to full-on identity theft in a matter of minutes and it will be under automated, scripted attacks, so you need to react fast whenever you know you're under attack. Fortunately, the big banks recognize this risk and build in extra layers of security, such as keying in pin numbers, displaying a memorable image above your password prompt, and so on. These measures also help ward against phishing attacks on your identity.
What's the Anti-Hacker Gameplan?
So how do you protect yourself while also keeping your life simple? There are hundreds of techniques ranging from using software packages known as password vaults or password safes to maintaining spreadsheets with all your account info saved in them and I plan to cover various techniques along the way that will help you lead a more secure, worry-free online life. For now, let me tell you about one of the easiest ways I can recall passwords to over 100 different websites and services without writing a single thing down, ever! Best of all, its FREE.
The Password Stem
First, come up with a completely random passphrase string that comes out to about eight characters in length: For example, Lets do the nine planets mnemonic "My Very Energetic (or Excellent, etc.) Mother Just Served Us Nine Pizzas" which reduces down to "mvemjsunp" when you take all the first letters. This is your root or base password from which to stem every other variation. All of your passwords will contain this stem.
Inject Capital, Numerical, and Symbol
Next, because websites have gotten more strict about requiring numerals, symbols, and even at least one capitalized letter, decide to convert one or more letters in the stem that never changes. In this case, lets capitalize E for Earth since we live on this world, and lets replace "unp" which looks like "uno" with "1" (that's numeral one) so our stem is now "mvEmjs1". Finally take it one step further and convert that "s" to "$" to inject a symbol and you have "mvEmj$1" which is good enough for nearly everything you will log into from ultra-secured bank accounts to lowly email.
Now for perhaps the hardest part of forming a unique password for every website you visit. And I say "hardest" only because this is often the most difficult part to be consistently repeatable in your mind's eye. I call this part of the password construct the "dynamic modifier" as it changes site by site, application by application. The trick to making this work is to decide on something you always notice about a website when you log in, whether its the name of the company, the words in the URL, or CEO of the company or any other attribute that's bound to be different on nearly every website you visit. Lets say first letter of each word in the website's URL. For this example, lets say first letter of each word of the website. for Coca-Cola, that would be "cc" For forbes.com, that would be "f". For Facebook, that could be either "f" or "fb" but you have to decide and play the reduction game consistently -- for me, I go by phonetics so if I hear 2 syllables, as with Facebook, I get "fb". Take this modifier and tack it onto your password stem so you form the completed password. Lets say, by prefixing -- Coke's becomes "ccmvEmj$1", Facebook becomes "fbmvEmj$1", Forbes becomes "fmvEmj$1".
Different Stems is Good!
Don't be afraid to have different stems. I personally have five stems and I select one based on the "how secure" I want to be. I keep my longest, most variegated stem for bank sites and my shortest (fastest to type) stem for social media sites. Other stems are for my personal computer's applications and for my work computer and apps. As complicated as that system may sound, its actually very easy and I guarantee you will be fully accustomed to this system after one to two weeks of consciously employing such a password strategy, especially if you get a lot of practice right off the bat by visiting every single website you access and make the password change to follow your new system. By the time a website can load up in my browser and present the login box, I have already mentally reconstructed the password and am ready to type! And the best thing about this approach is my passwords go with me wherever I go and are almost never the same for any two websites, which means I am at risk of getting hacked by only one account at most on any given system breach.