It seems like every day I read about yet another security breach of yet another online database, with eBay being the latest in a long line of hacked databases. When Dick Eastman wrote a plus article on passwords yesterday, I felt compelled to weigh in on the subject, having done a lot of thinking about online passwords over the last few months.
Do most passwords even matter?
It seems that no matter what I do online these days, I’m asked to create an account with a password, whether I’m subscribing to a newsletter or downloading a free ebook. If someone were to hack my password for one of these websites, what exactly do I personally stand to lose?
Nothing. Zero. Nada.
For these types of accounts, I use a generic, easy-to-remember password, because it just doesn’t matter. And I use the same password everywhere, all the time. It saves space in my brain’s limited amount of long-term memory so I can remember the more important things.
When it comes to setting a password for things that really do matter, like online access to my bank account or the credentials for my home router, I construct a strong, unique password from an easy-to-remember phrase that is somehow relevant to the thing the password is for. I don’t record it electronically anywhere, although I do make a cryptic note for myself in a password notebook that I keep hidden in a secure place. The ‘cryptic note’ would mean less than nothing to anyone else who found my notebook, because they would not have the key to the note – that is stored only in my own memory.
So for example (and sorry, hackers, but this really is just an example), for a password for the American Express online website (I don’t even have an Amex card) I might come up with the phrase “Penny wise and pound foolish”, which I could convert to something such as “P3w1&P0f0”. In this case, I’ve used the first two letters of each word in the phrase, substituting numbers for some letters, capitalizing some letters and substituting a special character for one of the words. My cryptic note might say “Grandma’s theory of economics | 2+2+?+2+2”, which would be just enough to remind me what I was thinking when I constructed the password.
But mostly, I just remember these passwords.
Because there just aren’t that many of them.
Because most passwords just don’t matter!
For added security, I always enable two-factor authentication whenever it is available. Ideally, this would be a one-time code that gets sent to my cell phone, like Google’s system, but that isn’t always an available option. In a lot of cases, the second level of authentication requires you to choose from a list of preset questions and give an answer. Once you log into the site using your secure password, you are prompted with the question and have to provide the correct answer. Banks and financial institutions seem to like this method. The problem with it is that their preset questions are almost always things that a hacker could learn about you with a simple Google search. An example of this might be: “What was the name of your high school?” I’m pretty sure that hackers know about classmates.com! But if you are forced to use preset questions, there is no rule that you have to provide a truthful answer! For every ridiculously easy question like “What is your pet’s name?” or “What is your favourite colour?” or, worse yet, at least for genealogists, “What was your mother’s maiden name?” I have an equally ridiculous WRONG answer that I use regularly.
And finally, I would suggest that, no matter what method you use to construct, store or remember your online passwords, your chances of being personally hacked are far outweighed by the likelihood that the online repository storing your personal information will get hacked. If that happens, it matters little what your password was, or how strong it might have been. If some hacker manages to download hundreds of thousands of user accounts, it’s going to be worth their while to find the encryption key for all of them, and they will, whether your password was your birthday or a totally random 35-character password consisting of upper and lower case letters, numerals and special characters.