The other day I had a fit of long-overdue reorganizing. Moving to a new office space will do that to you, I guess, but it's a good opportunity to review, reassess and purge. In doing so I came across an old list that I had given to my wife just prior to a transatlantic trip; I figured that in today's world you never know what craziness might ensue so better to err on the side of caution. Some people use the same password for every website (a very bad idea) and others use a different one that they make up and have to remember for each site (a better idea but too difficult to remember them all).
In the past I took the same approach that a lot of people do: I used a formula for creating passwords. The long-overlooked list contained my password "formulas" for all different types of websites.
Let's rewind here for a moment and answer the question, "What do I mean by a 'formula'"? because you might be doing this already and just not have recognized it as such. Simply put, I used passwords for each type of website that adhered to a pattern that could easily be deciphered if you knew the key… and I protected the key with great care. This was before browsers like Safari (my personal choice for a variety of reasons, but I know others prefer Chrome, Firefox or others - this same advice applies to all of them) made it easy, consistent, sync-able and practical to generate a random and impossible-to-guess password with a click. And also before great password manager apps like 1Password, Dashlane, LastPass and OneSafe were reliable enough to both generate random passwords and store them in a secure location.
[ RELATED: How to evaluate password managers ]
All of the passwords, regardless of the formula applied to it, started with the "SecretKeyword." My formula was:
- Websites where I didn't care much about security: SecretKeyword
- Websites that required some level of security because getting hacked would be a nuisance: SecretKeyword+SecretCode
- Websites that required serious security: SecretKeyword+SecretCode+SecretAdditionalSymbols
- Websites that required the ultimate level of security (financial services, personal health records, etc.): SecretKeyword+SecretCode+SecretSymbols+SuperSecretCode
It made it easy - or at least easier - to determine what password to use where. There were a variety of problems with this method, though, as you can probably guess. The first one is that it was subjective; it required a judgment as to what kind of security I wanted to employ on that site and, if someone else needed to access it, they'd have to know how I was thinking. Secondly, it used some passwords repetitively, which is never a good idea. Finally, you would still need to know the SecretKeyword, SecretCode, SecretAdditionalSymbols and SuperSecretCode to make it all work.
In short, for a guy who has been involved in - and advocating - strong cybersecurity measures, I had created a mess and needed to fix it. And in doing so I had to strike the age-old balance between security and convenience because, as any security pro will tell you, in the battle between security and convenience, convenience always wins. People just don't want to make the effort to be secure unless it is also convenient.
Now all of my passwords are randomly generated by either a browser or password management app. They are impossible to guess and whenever it's available I use two-factor authentication (2FA) to add another layer of security. Call me paranoid but I'd rather bear with the occasional nuisance of multiple passwords and two-factor authentication than the life-changing cataclysm of getting hacked. I've been on the wrong side of that and once you realize you've been hacked or had your identity stolen I assure you that you'd pay a king's ransom to make it all go away… but no amount of payment can rewind the clock. Securing your digital life with strong, random passwords and using two-factor authentication is cheap insurance. I hope you never find out but trust me on this, as the saying goes, you don't want to know.
Once I started using these super-secure, randomly generated passwords I realized something else: If something were to happen to me that would make me unable to access these websites myself how would I guide someone else to do it? In plain English… if I died or became incapacitated how would my wife or friends deal with the digital waterfall of information that was inaccessible to them? How would they know all of the passwords or be able to access them?
[ ALSO ON CSO: Top password managers compared ]
Ultimately I had to distill this to the essential components and found that it actually came down to giving people only three passwords for them to be able to handle anything in the event of the worst happening:
- My computer password. I use the built-in function on my Mac called "FileVault" that encrypts my hard drive. When the computer boots up the or someone simply sits down at my desk while it's on they can't do a thing unless they have that password. My computer and the hard drive - even if removed from the computer - are 100% useless without this password. There's a Windows equivalent called "Bitlocker" that has some limitations but it's better than nothing so regardless of which platform you're using I implore you to turn this encryption on. If you don't turn it on and you leave your laptop at airport security (TSA says people leave 500,000 laptops per year there!) or someone walks off with it you're toast. Seriously burnt toast. I use this top-level disk encryption process because once someone can get into my computer they can then get to the other functions for which that they'll need passwords.
- My password manager password. These are the keys to the kingdom as the password manager contains an assiduously-curated list of my login IDs, passwords, confidential info like passport and driver's license info, etc. I use a very secure password for this application because a.) I don't access it very often so it's not that much of a nuisance and b.) once somebody has this info they don't need my computer to hack my life.
- Finally, my email password. Like most people I have a few email accounts and one of them is Gmail, which I use as my registration address for websites and so it is where password reset emails will be sent (Outlook, Hotmail and many others are suitable for this purpose, too). If someone needs to access the secured websites that I use and can't get into my computer or my password manager they can go to any computer and using any browser can simply use the "Reset Password" function. They'll need my email address, of course, for the password reset link to be sent. Then when it is sent they'll need the password to my email account to access the reset link. In the worst of situations if they can't get to anything else this is a great way to provide people with access and protect yourself at the same time.
I also protect my email account with two-factor authentication so I'll throw in one more password here that you'll need to be sure that someone else has: your phone's four-digit code. And, by the way, if you're not using a code of some kind (alphanumeric would be even better than a four- or six-digit code) to lock your phone, you're just being lazy and exhibiting some pretty risky behavior. No kidding. No offense intended but that's just dumb. Phones get lost all the time and, let's face it, your life is on that phone. Setup a lock code right this minute. I'll wait.
OK - you've now protected your phone, protected your computer and protected your friends and family from the pain of having to deal with the aftermath of something terrible. Remember… if they need to use this information they'll be suffering from much worse pain than not being able to access your accounts. Don't add potential hacks and problems to their woes.