Web Passwords

So I was only reasonably good at managing my web passwords. Given What Happened to LinkedIn I spent the day making a few changes. As James Fallows said, The One Step You Must Take Today is "Make sure that any account that matters to you has its own password."

Here are some notes that might help some people and I welcome some comments.

The passwords to my hardware were all unique. That is my account on my computer and my home networks and my ISP. I've never used those passwords anywhere else.

Any online financial sites (and I haven't been doing online banking very long) have unique and strong passwords. I believe that I've only used them from home, so they haven't been stored on some public computer or gone over a public network (like at starbucks) and I always use an encrypted connection (the URL begins with "https"). That should prevent anyone from sniffing them over a connection. Yes, this means I've never accessed my bank account from my phone over a public wifi network. Using https should make that secure enough, but I've never done it.

My main social accounts (email, facebook, twitter) and a couple of other very heavily used accounts have unique strong passwords. In November James Fallows wrote about his wife's gmail getting hacked. Google's new 2-step verification is a good thing to setup. In addition to using a password, they text a number to your cell phone that you enter, so any thief would need not just your password but your physical phone as well (so don't lose your phone). I've been meaning to set that up for a few months now.

Unfortunately for a lot of other web accounts I used the same moderately strong password. I never wrote it down anywhere so I fooled myself thinking that helped a little bit. There are just too many sites to keep track of and I told myself that they didn't really contain much useful information if they were broken into. So I tried Evernote but never really used it so I didn't care if that was broken into. Unfortunately that's not the only problem. I wasn't always good at changing the password of a site that I started to use heavily and there's still the problem of if a site I didn't care about was broken, that password worked at many other sites, some of which I cared about.

So I spent today changing web passwords. Another reason I used the same password was I find it hard to create new ones and of course remember them. There are a few techniques for this, I used the following. I came up with a strong mix of characters that I memorized. There are no words and there are numbers and punctuation marks (and I didn't just change O to zero or I to one, that's too common). I combined it with a few characters from the URL to make the password unique for each site. Pick some standard rule like the last two characters before the .com are inserted at the beginning of the password or something like that. Then you just have to remember the one password and the rule. Don't just use the site's name as that's easy to guess, you just want enough to make it unique (one or two letters) but not enough to make it guessable. Update: Other good tricks include separating the letters you pick from the domain name in your fixed string, including the length of the domain name or say inserting a 1 as the fifth character if the domain name is alphabetically below M or a 5 if it's above.

For sites I use regularly I will use the Remember Me button that keeps a cookie in my browser so I don't have to login all the time. I obviously won't do that at another computer (but I rarely if ever use a computer other than my own). I also use the Keychain on the Mac to remember various web passwords. it keeps them stored in it's own encrypted database which is tied to my account password and Safari knows how to use it to enter passwords for me.

I have a couple of friends that swear by 1Password. This is a product that is similar to the Keychain. It securely stores the passwords and if you want other info like credit card numbers and makes it easy to enter in the browser. There are versions for iOS as well and they can share the data. It's easy if you use more than one computer. 1Password can also generate random passwords for sites, since it's going to remember them they can more complex. Still, while I'm sure I'm missing something wonderful about it, I don't see the need to spend $50+ for something that KeyChain basically does for me.

Another problem was remembering all the sites I wanted to change. I did an ok job at remembering the big ones but then I looked through KeyChain's list and found a bunch more. I also looked through apps on my iPhone and iPad and found more I remembered. I made a list so I could keep track of what I changed. I changed them all on the Mac, and then logged in again so they would be stored in KeyChain.

A few sites had rules that meant my password wasn't good. Netflix allows a max of 10 characters. The NY Times only supports three punctuation marks [._-]. The Financial Times only allows letters and numbers. Morons. I kept notes in my list about their rules (but not the password I used) and tried to do the logical thing with my password for their site. I also made sure the passwords were saved correctly in KeyChain (which encrypts them).

I entered the new passwords on apps on my mac that use these services like iTunes, IM and my twitter client and others. I then had to go through and relogin to many things on both my iPhone and iPad which was a bit of a pain. Some apparently tried to login and failed and prompted for the new password, others apparently stayed logged in. For some of those I tried to log out and back in though it wasn't always clear how to do that. While I think iOS apps are usually a better interface than a web page, it seems many don't let you do account management from the app and make you go to the web page.

It took most of the day to do all this. Most worked, though several sites had some issues and a couple are still broken (I can't login at all). Several sites send you email if you want to change your password to verify you are who you say you are (or at least have access to the account's email). Oddly I found gmail's spam filter mistakenly marked many of these as spam. So if you're waiting for them to arrive, check your spam filter. There are still a bunch of sites I haven't changed but I haven't logged into them in a long time and I don't really care about the stuff there :)