Like me, you probably have login accounts all over the place. You can bet there are always hackers out there trying to get into those accounts. Yes, it happens, and anybody with a PlayStation Network account has learned this the hard way.
Here are some techniques I use to keep my accounts secure while saving my brain from password overload.
Passphrases vs. Passwords
If the service allows you to have a long password, make your password a full sentence instead of a garbled combination of characters. The longer your password, the harder it is to crack by brute force methods. Phrases are also easier to remember, naturally.
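To put numbers on the "longer is harder to crack" claim, here is an added example (my own code, not from the post) that estimates the work an attacker faces under two models: a character-by-character search over printable ASCII, and a word-list search that guesses whole dictionary words. The alphabet size, word-list size and guess rate are assumptions chosen for illustration. The point it adds is that a sentence made of common words is only as strong as its word count against a word-list attacker, so the way to make a phrase stronger is to add words, not just characters.

```python
import math

# Attacker models used for the estimate. Both sizes are assumptions chosen for
# illustration, not figures from the post.
PRINTABLE_ASCII = 95   # symbols tried per position in a character-by-character search
WORDLIST_SIZE = 7776   # words tried per slot in a Diceware-style word-list search


def char_bruteforce_bits(secret: str, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Work (in bits) to try every string of this length over the alphabet."""
    return len(secret) * math.log2(alphabet_size)


def wordlist_bits(secret: str, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Work (in bits) if the attacker guesses one whole dictionary word per slot.

    Only applies when every token is a plain word; a token with digits or
    symbols is outside the word list, so this model then gives no shortcut.
    """
    tokens = secret.lower().split()
    if not tokens or not all(t.isalpha() for t in tokens):
        return math.inf
    return len(tokens) * math.log2(wordlist_size)


def effective_bits(secret: str) -> float:
    """Strength is set by the cheapest attack that applies, not the dearest."""
    return min(char_bruteforce_bits(secret), wordlist_bits(secret))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to search the whole space at an assumed guess rate (10 billion/s)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed candidates: a short random password, the xkcd phrase, and the
    # post's service-prefixed version of it.
    for candidate in ["xK9#mQ2!", "correct horse battery staple",
                      "Facebook is a correct horse battery staple"]:
        bits = effective_bits(candidate)
        print(f"{candidate!r}: char-search {char_bruteforce_bits(candidate):.1f} bits, "
              f"word-list {wordlist_bits(candidate):.1f} bits, "
              f"effective {bits:.1f} bits (~{years_to_exhaust(bits):.2g} years)")
```

Running it shows the four-word phrase and the eight-character random password landing within a bit of each other, while the seven-word sentence is far beyond both.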
This is an obvious one: do not use the same password for everything. If one account is compromised, all accounts are compromised, so use a unique password for each. Your brain may be a marvel of biology but it still doesn’t want to remember a hundred different passwords. Fortunately you can overcome your pathetic brain’s weakness by only making a small part of the password unique.
My method is to combine a common pass phrase with the name of the service (or some other unique identifier based on the specific service).
Example: “Facebook is a correct horse battery staple” for Facebook and “Google is a correct horse battery staple” for Google, and so on.
I only have to memorize the common passphrase portion, as the unique part can be inferred whenever I use it. You can also mix it up with multiple common phrases for different tiers of services (finance, websites, email, etc.).
Update (see comments): The above is just an example, and you should make it less obvious, as long as it’s still easy for you to infer without having to rely on memorization.
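The weakness of the scheme above is that every site holds the shared sentence in plain text, so one leaked password hands over the common part. The added example below (my own code, not the post's method) keeps the idea of one memorised phrase plus a per-service identifier, but derives each site's password with a keyed hash instead of concatenation, so a leaked site password reveals nothing about the phrase or the other sites. `naive_site_password` is the post's scheme as written; `site_password` is the hardened form. The salt and iteration count are constructed placeholders, and a real tool would also add a per-site rule for length and character class.

```python
import base64
import hashlib
import hmac

# Constructed values for illustration; a real deployment picks its own.
STRETCH_SALT = b"example-salt-change-me"   # assumption: fixed, non-secret, per-user salt
STRETCH_ROUNDS = 200_000                   # assumption: PBKDF2 iteration count


def naive_site_password(phrase: str, service: str) -> str:
    """The post's scheme: the shared phrase appears verbatim in every site password."""
    return f"{service} is a {phrase}"


def stretch_master(passphrase: str) -> bytes:
    """Turn the memorised sentence into a 32-byte key.

    The iteration count makes offline guessing of the sentence expensive even
    if an attacker learns the salt and one derived password.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               STRETCH_SALT, STRETCH_ROUNDS)


def site_password(master_key: bytes, service: str, revision: int = 0,
                  length: int = 20) -> str:
    """Derive one password per service from the stretched key.

    `revision` lets you rotate a single site's password without touching the
    others; the service name is lower-cased so "Facebook" and "facebook" agree.
    """
    label = f"{service.lower()}:{revision}".encode("utf-8")
    digest = hmac.new(master_key, label, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    key = stretch_master("correct horse battery staple")
    for svc in ("Facebook", "Google", "Bank"):
        print(f"{svc:9s} naive: {naive_site_password('correct horse battery staple', svc)!r}")
        print(f"{svc:9s} derived: {site_password(key, svc)!r}")
```

Usage is the same as the post's scheme from the user's side: you still only memorise the sentence, and the tool recomputes each site's password on demand.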
Another approach is to use a password manager. I use KeePass, because it’s open-source and multi-platform. 1Password and LastPass are also popular but I haven’t tried them. Before I started using the passphrase scheme above I used generated passwords from KeePass for really sensitive accounts (e.g. banks). But having to go through the password manager for each login was very inconvenient.
I do still find KeePass useful for storing other info like bank account numbers, license keys, and so on. KeePass is not cloud-based; it stores everything in a strongly encrypted file. I keep this file on Dropbox so I can access it virtually anywhere, including on my phone using the Android client. It has saved me many times when I was at some service counter and asked for an account number and did not have the card on me. Carrying cards is so 20th century and I look forward to the day when my wallet can be fully replaced by my phone.
Google accounts now support two-step verification and if you use Gmail you would be wise to enable this feature. It adds a second step to the login process, requiring you to enter a verification code that you get from an app on your phone (or via SMS). This makes it nearly impossible for anyone to access your account even if they crack your password.
This does add a little bit of inconvenience, but it’s worth it for making your account significantly more hack-proof. Facebook also offers two-step authentication, using SMS only at the moment.
Avoid using public wifi networks. It is extremely easy to steal login info from users on open wifi networks. If you have access to a VPN, use that whenever you are on an open network. If you have a smartphone with a 3G data connection, tether your computer to your phone’s connection instead.
If the service you are using has the option, enable “Always use HTTPS”. Gmail, Facebook and Twitter all have this. Even though SSL may not be completely safe, it’s much better than no encryption at all.
What, me worry?
Maybe you don’t worry much about getting hacked, but just because you’re not paranoid doesn’t mean they’re not out to get you. I’m not particularly paranoid, and I used the same few passwords everywhere for years and thought “why bother?”. But if you can gain a lot of security with very little effort then “why not?” is the more appropriate question.
Next time you log in somewhere, take a few seconds to change your password to something more secure and easier to remember. After a while you will have fortified all your frequently used accounts and made life easier for your brain. Eventually it becomes a natural part of your online habits and you won’t even think twice about it.
I must give credit to Lifehacker for introducing me to many of these tips over the years. This should tide us over until we all have biometric ID implants.