Until a few months ago, my Flickr account was still using the same 6-letter password that Yahoo automatically assigned to me in the late 1990s. Most of my other accounts were using a variation of this password, with a dumb algorithm that used pieces of the site’s URL with some numbers attached. None of this was good.
After Mat Honan’s terrible hacking fiasco this past summer, I realized that, yeah, this could happen to me too and I should just take care of locking everything down the best I can. Here’s the current state of how I’m staying safe online.
The first major improvement I made is that I started using a password manager, going with LastPass. I’ve used a Linux laptop at home forever and use Macs at work and have an iPhone so I needed something that worked on these different systems. LastPass has an iPhone app, a Chrome plugin, and a nifty website so this worked for me. Quite a few of my friends use 1Password, which works on the same principle of storing passwords in an strongly encrypted file. The main difference is that LastPass stores this encrypted file for you whereas 1Password requires you to take care of transporting, protecting, and syncing this file.
After using a password manager for a few months, there’s no way I could go back to remembering a hundred or so slightly different passwords and often having to reset them due to forgetfulness.
I then started making the effort that every time I hit a site that hadn’t been added to my LastPass account, I would change the password to a new, machine-generated password. I also started storing fake answers to security questions alongside each password in a special notes field the manager provides. Now every site I log into has a long, hard-to-crack, and unique password with security questions that no one could answer.
My current goal is to know only the password to my password manager with all the others locked away. The downside to this is all my passwords are protected by just one password which is a weak spot as passwords can be logged, guessed, or brute forced. Luckily, LastPass offers two-factor authentication which means that people would need both the password and my phone that runs the Google Authenticator app.
The tricky thing
Using two-factor authentication is incredibly secure but the tricky part to consider is what happens when I can’t access my phone, like in the case of the battery being dead, or stolen or lost in the worst case. Most services that offer two-factor authentication also give you the option to set up ahead of time a short list of one-time passwords. These should be generated and stored where you always have access to them. I store these in two spots: in my wallet and a symmetrically-encrypted file on my personal server for redundancy.
Security and convenience sit on opposite ends of a spectrum. While it takes a little effort to set up, it makes your accounts much more secure from data leaks and hacking attempts and not having to remember multiple, insecure passwords is a burden one should be happy to be relieved of.
