Easier said than done is one of those expressions that applies nicely to managing your online account passwords.
The rules are, as said, rather simple:
1. Use a complex password.
2. Do not reuse your password for multiple sites or services.
A password like “pqu9ijLrFcDvmiphXRGo” is super-secure, but it’s pretty damn hard to remember too. Let alone using a different complex password on every site you use.
But unfortunately, it’s pretty damn necessary if you look at the recent Dropbox account “hack” for example, which was possible because a password was reused from another hacked site.
LinkedIn, Gamigo, eHarmony, Last.fm, Sony, WordPress, and just this week Blizzard. They all got hacked at some point and all of them requested their users to change their password asap.
If you where on any of these sites and you have reused your password at other places… well, you should change those too.
When all your passwords are following a recognizable pattern, well… hackers can figure that out too. Even if only the hashed value of your password was dumped online on pastebin for example, any password can be found given enough computing time.
If you are using dictionary words in your password, you’d be surprised how little time it actually takes. Oh and those smart tricks like replacing some letters with numbers? Modern hacking tools like John The Ripper know those as well.
How do we go about those 2 golden rules then? Well, how about letting the computer do the remembering for us? They’re good at that kind of stuff!
Here’s how you can do that:
1. Use KeePass Password Safe to store & manage all your passwords (download here).
2. Have it generate a unique & random password for every site/account you sign up for.
3. Create a good, complex, yet easy to remember master password to protect the KeePass database.
4. Synchronize the KeePass DB with all your devices using something like DropBox’s cloud storage.
Now you don’t have to remember any of those passwords, except that one very important one. Thanks to the sync you can reach your KeePass database from all your machines & devices (Windows, Mac, Linux & Android at least for DropBox).
There are a few exceptions where I picked my own password instead of an auto-generated one. Again it’s something easy to remember, yet hard to guess or crack. I do that for my Google account for example, so I can use that from anywhere without needing access to my KeePass DB. Just to be on the safe side that one has two-step verification on it as well.
Few accounts deserve this exceptional privilege however, so I use it sparingly.