Chances are you’ve been told time and time again that there are a couple of rules of thumb for generating a strong password for any of your accounts:
- Don’t use any words found in the dictionary
- Don’t use personal information (e.g. your birthday or your pet’s name)
- The longer the password the better
These suggestions still hold true, but thanks to the recent Gawker password compromise a lesser-known rule of thumb has gained attention:
- Don’t use the same password for all your accounts
First, a little background in case you don’t follow security goings-on: Gawker, a blog network which includes Gizmodo, Lifehacker and others, recently had its servers compromised. The attackers gained access to the email addresses and passwords of every registered Gawker network commenter. The passwords were not stored in the clear but as hashes (i.e. stored in a way that is meant to make recovering the original password expensive). Sadly, the hashing scheme used was the legacy Unix DES crypt() format, which only looks at the first eight characters of a password and is fast enough that an attacker can test billions of guesses against it. The attackers have already recovered a large number of passwords by running wordlists and brute-force guesses against the dump, and given enough time they will be able to recover nearly all of the passwords in the file.
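To make the "outdated scheme, easy to crack" point concrete, here is a small simulation of the attack described above. It is an added example, not anything from Gawker or from this post’s authors: the leaked table, the usernames, the passwords and the wordlist are all constructed inline, and unsalted MD5 stands in for the fast legacy hash (the real dump used DES crypt, which behaves the same way for this purpose: fast, and identical input always gives the identical hash). The second half shows why a salted, deliberately slow hash (PBKDF2 here) changes the economics: the attacker can no longer hash each guess once and look it up against every user, but has to redo the work per user.

```python
import hashlib
import os

# Constructed sample accounts; the "leaked" table below is derived from these
# so the example runs offline. Nothing here comes from the real breach.
SAMPLE_PASSWORDS = {
    "alice": "password",
    "bob": "gizmodo",
    "carol": "Tr0ub4dor&3",   # not in the wordlist: survives the dictionary pass
    "dave": "123456",
}

# Constructed wordlist. Real cracking wordlists run to hundreds of millions.
WORDLIST = ["123456", "password", "letmein", "gizmodo", "lifehacker", "qwerty"]


def weak_hash(password: str) -> str:
    """Stand-in for the outdated scheme: fast and unsalted."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = 1000) -> str:
    """Salted, iterated hash. Real deployments use far more iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# The leaked dump as an attacker would see it: username -> hash.
LEAKED = {user: weak_hash(pw) for user, pw in SAMPLE_PASSWORDS.items()}

# The same accounts stored with a random per-user salt.
SALTS = {user: os.urandom(16) for user in SAMPLE_PASSWORDS}
LEAKED_SALTED = {user: (SALTS[user], slow_hash(pw, SALTS[user]))
                 for user, pw in SAMPLE_PASSWORDS.items()}


def mangle(word: str):
    """A few of the mangling rules cracking tools apply to every wordlist entry."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2010"):
        yield word + suffix


def candidates(wordlist):
    for word in wordlist:
        yield from mangle(word)


def unsalted_attack(leaked, wordlist, hash_fn=weak_hash):
    """Hash each guess once, then look it up against every user at the same time."""
    hash_to_users = {}
    for user, h in leaked.items():
        hash_to_users.setdefault(h, []).append(user)
    cracked, evaluations = {}, 0
    for candidate in candidates(wordlist):
        evaluations += 1
        for user in hash_to_users.get(hash_fn(candidate), []):
            cracked.setdefault(user, candidate)
    return cracked, evaluations


def salted_attack(leaked_salted, wordlist, iterations=1000):
    """With per-user salts the reverse table is useless: every guess is redone per user."""
    cracked, evaluations = {}, 0
    for user, (salt, h) in leaked_salted.items():
        for candidate in candidates(wordlist):
            evaluations += 1
            if slow_hash(candidate, salt, iterations) == h:
                cracked[user] = candidate
                break
    return cracked, evaluations


if __name__ == "__main__":
    found, n = unsalted_attack(LEAKED, WORDLIST)
    print(f"unsalted: {len(found)} of {len(LEAKED)} cracked with {n} hash evaluations")
    found, n = salted_attack(LEAKED_SALTED, WORDLIST)
    print(f"salted:   {len(found)} of {len(LEAKED_SALTED)} cracked with {n} hash evaluations")
```

Both attacks recover the three dictionary-based passwords and miss the one that is not a mangled wordlist entry, which is the whole argument for the rules of thumb at the top of this post. The difference is cost: the unsalted attack hashes the 42 candidates once in total no matter how many accounts are in the dump, while the salted one has to pay for every candidate separately for every account, and each of those evaluations is itself deliberately slow.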
Obviously, this is a black eye for the Gawker organization but it could also spell bad news for those folks whose password is included in that file. By this time you should have received an email from Gawker if your email address was included in the file, but just to be sure you can search the file for your email address here.
I’m on that list, what now?
First off, change your Gawker password. If you use that same password anywhere else, change it on every account that shares it, and don’t just append a digit to the old one: the cracked password is now on attackers’ wordlists, and simple variations of it are the first things their mangling rules will try. You should also consider toughening up your passwords in general.
Hardening your passwords
Security professionals, like me, would love it if people created unique and complex passwords for each of their accounts. That’s the ideal, but we live in the real world where the ideal and the practical hardly ever meet. There are some ways to “harden” your password security though:
- Group your accounts together, like with like. Financial accounts each get a unique, complex password; lesser accounts (like blog commenting accounts) share a different, still complex password. Keep in mind that a shared password is only as safe as the weakest site using it, which is exactly what the Gawker breach demonstrated, so once one site in the group is compromised, treat the password as burned everywhere in that group.
- Use a password manager (see the section below).
I have a horrible memory, and yet just yesterday I created an ecommerce site account with a password 50 characters long. Am I crazy? Slightly, however, I don’t need to remember that super long password (nor did I need to come up with it myself) thanks to my password manager.
A password manager is an application that securely generates and stores passwords for you, allowing you to create unique, complex, and strong passwords for all your accounts. Some of these apps will even detect that you’re on a Web site on which you have an account and log you in… neat, huh?
The benefits of using a password manager are pretty clear:
- Complex password generation and storage in a secure manner
- No need to remember all those wacky passwords
- Many of these applications will also store your credit card information for you, so you can fill in order forms and the like with a single click instead of manually filling them out.
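Under the hood, “generating a complex password” is simpler than it sounds, and it is worth seeing why a manager’s 50-character output is so much stronger than anything a person would make up. The block below is an added example written for this post, not code from 1Password, Password Safe or LastPass: it draws every character from the operating system’s cryptographic random source via Python’s `secrets` module (never `random`, which is predictable), enforces the “must contain a digit and a symbol” rules many sites impose without weakening the result, and estimates the entropy of the result. It also generates a word-based passphrase from a small constructed wordlist, the kind of password you might pick for the master password or for an account you occasionally have to type by hand on a machine without your manager.

```python
import math
import secrets
import string

# Character classes a generated password may be required to contain.
LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS   # 94 characters

# Constructed wordlist for the passphrase example; a real one has thousands of
# entries (diceware-style lists use 7776), which is where the strength comes from.
WORDLIST = ["apple", "bridge", "candle", "dolphin", "engine", "forest",
            "garden", "harbor", "island", "jacket", "kettle", "lantern",
            "meadow", "needle", "orchid", "pillow"]


def entropy_bits(length: int, choices: int) -> float:
    """Bits of entropy for `length` independent draws from `choices` equally likely values."""
    return length * math.log2(choices)


def generate_password(length: int = 50, alphabet: str = ALPHABET) -> str:
    """Each character is an independent draw from the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_with_requirements(length: int = 50,
                               required=(LOWER, UPPER, DIGITS, SYMBOLS)) -> str:
    """Retry uniformly random passwords until every required class is present.

    Rejection sampling keeps the output uniform over the set of acceptable
    passwords; inserting one forced character per class would not.
    """
    if length < len(required):
        raise ValueError("length too short to contain every required class")
    while True:
        candidate = generate_password(length)
        if all(any(c in cls for c in candidate) for cls in required):
            return candidate


def generate_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = "-") -> str:
    """Memorable alternative: `words` random entries from the list, joined."""
    if words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def meets_requirements(password: str, required=(LOWER, UPPER, DIGITS, SYMBOLS)) -> bool:
    return all(any(c in cls for c in password) for cls in required)


if __name__ == "__main__":
    pw = generate_with_requirements(50)
    print(pw, f"({entropy_bits(50, len(ALPHABET)):.0f} bits)")
    phrase = generate_passphrase(6)
    print(phrase, f"({entropy_bits(6, len(WORDLIST)):.0f} bits with this tiny list)")
```

Fifty characters from a 94-character alphabet is about 328 bits of entropy, far beyond what any cracker can brute-force, and the password only needs to be stored, never remembered. The passphrase from the 16-word list above is only 24 bits and is there to show the arithmetic; with a real 7776-word list, six words give about 77 bits, which is strong enough for a master password you type yourself.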
Sounds great, doesn’t it? The main downside to using a password manager comes when you’re on a computer that doesn’t have the password manager installed and you need to log into an account with one of your crazy long passwords. I was a little nervous about this situation myself, but I’ve been using a password manager for a couple of years and have only encountered it a few times. The other thing to keep in mind is that the manager’s database is only as strong as the master password that unlocks it, so that one password has to be long, unique, and memorized rather than written down next to the computer.
There is a plethora of password management applications and services out there, so a little research to find out which one works best for you is required. That being said, I can point you to the applications that the security team here at Wharton uses:
1Password costs $39.95 and it is well worth every cent.
Password Safe is free.
Finally, LastPass is a browser extension which keeps track of your passwords for you. I haven’t actually used LastPass myself, but this LifeHacker article outlines how you can use it to audit and secure your passwords.
LastPass has a basic account that is free, and a premium version which costs $1 a month.