Recently several high-profile people (Mark Zuckerberg, the NFL, etc) have seen their social media accounts hacked.
And who can forget the TeamViewer madness that’s going on right now.
Bottom line, we suck at passwords. But who can blame us? We need an account for everything these days. How can we possibly be expected to remember hundreds of unique passwords?
Instead, we reuse our passwords. Which get leaked. Which in turn lead to our accounts being compromised. Nasty business, really.
Use a Password Manager!
Enter our solution — use a password manager!
But that’s not all. It’s not enough to simple store your passwords in a password manager. You also need a strategy. Here’s a few steps that I myself am starting to follow.
Use Randomly Generated Passwords
Always use a new randomly generated password for each of your accounts. For my personal preference, I’m using at least 20 characters, with upper and lower case letters, numbers, and special characters. Any password manager should include a built-in feature that generates random passwords. You’re certainly welcome to generate your own random password, although remember that humans are usually more predictable than we’d like to admit.
If Possible, Use a Randomly Generated User Name
For accounts where you get to choose your user name, make it randomly generated too. I’ve done this for a few accounts, forgoing the special characters. While this isn’t necessary, it could make it much harder to connect your details from other password breaches (although that won’t matter with your randomly generated passwords, right?)
Use Nonsensical Answers to KBA
KBA stands for knowledge based authentication. You know, those questions like “What was your high school mascot?” and “What was the first name of your prom date?”. Generally, we answer those questions truthfully (and even then, I’m often paranoid that later on I won’t remember the answers). Lately I’ve started changing these to completely nonsensical answers (I’ve been using the diceware list and coming up with a string of random words to use as my answers). This will make it near impossible for someone to use the “forgot my password” feature, even if they’ve done your research on you and found out just who it was that you took to prom all those years ago.
Obviously, you’ll want to save these nonsensical answers, otherwise you’ll have a hell of a time recovering your own account later. The password manager I use allows me to add fields to an entry, which I’ve done to save these details.
Disable Browser Saved Passwords
Web browsers have offered to save our passwords for a few years now. And it’s very handy! All we need to do is visit our favorite website, and our details are pre-filled, all we need to do is click the login button!
This presents all sorts of issues. If someone gets physical access to your computer, you’re SOL. But as people affected by the TeamViewer hacks have discovered, it’s not just physical access that can spell your doom.
So get rid of that saved data, and disable the feature in your browser settings.
My Password Manager of Choice
Personally, I’m using Enpass these days. It’s completely free on the desktop, and it’s a one time $10 charge for mobile apps. Not to mention, it’s available on just about every platform. It has several handy features, such as password strength auditing and password aging.
Ultimately, whatever tool you use, it’s important to remember that nothing is perfect. Using a password manager is risky because all of your details are in one place — a veritable treasure trove of damning information. Keep this in mind when creating your master password, as this is the one bit of information keeping others from gaining access to your accounts.