These days, we all have hundreds of online accounts—google, amazon, facebook, twitter, snapchat, pinterest, patreon, reddit, linkedin, tumblr, tindr, grindr, fumblr, tossr, tittr, skweelr, goodreads, goodflix, qikpix, hotchix, and dikpix—the list goes on and on. And the one thing they all have in common is that they all let you reset your password via email. What this means is that if anyone can crack your email password, they've pretty much got the lot.
Fortunately, a clever dick named Steve Gibson has invented an alternative login system called SQRL. I think it stands for "Secure Quick Reliable Login" and you can read about it on Wikipedia or Steve's website at grc.com (normally I'd be linking to this stuff, but on my current connection, web-pages are taking about 20min to load). Less fortunately, due to inertia and a lack of professional advocacy, it seems unlikely that anyone is actually going to adopt Steve's nifty little system. I guess we'll just have to wait and see.
In the meantime, here are a few things to think about:
Password Complexity
Nobody who is trying to get into your email account is typing in passwords by hand. To put it in simple terms, they're using special automatic-password-guessing software.
First of all, don't use a literal password—like …
John
or Victoria
or miscalculation
… and don't think you're being clever by doing something like …
jOHn
or V1ct0r1a
or !miscalculation459
… you're not fooling anyone. Ideally, you should be using a string of completely random characters, such as …
Zpq3X9fJK0.l9MZ@-ynSLe74$
… but let's face it, you're not going to. In my opinion, the best practical solution is to use a passphrase—something like
Holy shit, have you seen the arse on John?
or If Victoria says 'OMG LOL' again, I'll murder the bitch.
or Trying to conduct three extra-marital affairs at once may have been a miscalculation.
Obviously, you want to use something original, not a famous quote or a passage from a book; and the longer you can make it without forgetting anything, the better. Oh, and this is just my personal experience—and it may not work for everyone—but over many years, I've found that the naughtier I make my pass-phrases, the easier they are to remember. Maybe I just never grew up.
Password Re-Use
If anyone cracks your password on any website, the first thing they're going to do is go and try that same username/email + password combination on every other website they can think of. Having said that, it's probably not realistic to expect that you're going to remember some long-arsed pass-phrase for every single website you ever visit—regardless of how filthy you make them. For that reason, you may have to do a bit of triage. Decide which sites you don't really give that much of a shit about, and re-use a pass-phrase only for those particular sites.
For obvious reasons, never re-use the pass-phrase you use for your email account.
Writing Passwords Down
This might seem counter-intuitive, but writing your pass-phrases on a piece of paper and putting it in your purse is probably a lot safer than having them in a secret file on your computer. In fact, it's probably a lot safer in general than you think. This is especially true if you only write down your pass-phrases and not the websites they're associated with. Think about it—how many times in your life have you actually had your purse stolen? And what are the chances that some random purse-snatcher is also going to be a competent cyber-criminal? How likely is it that they're going to find …
I wish my alarm clock could wake me up every morning with a big dong.
Every year Rupert Murdoch looks more and more like a scrotum with eyes.
You reckon the Wiggles have ever played naked twister while on the piss?
… written on a bit of paper and assume it's a list of passwords? I'll bet it's a lot more likely that somebody who hacks into your computer and finds a file with that stuff written in it is going to put two and two together. Also, you don't have to worry about extra copies being made every time you do a backup—or, alternatively—losing it in a hard-drive crash. Plus, if something's in your purse, there's a better chance you're going to have it close at hand if you do ever really need it.
At the very least, if somebody does steal your purse, you're actually going to know about it—and that means you may have time to get online and change your passwords before the thief can get themselves sorted out.
Security Questions
Security questions may seem like a good idea, but are they? "What was your mother's maiden name?" How long would it take someone to find that out? Are you sure you've never posted that information anywhere online? Are you sure that nobody who knows you has ever posted that information online? What questions couldn't somebody answer if they had enough time to do their research?