3 simple steps to securing your digital identity
You should have at the most 5 passwords to remember. Each password is different, and those passwords are never used anywhere else (#5 can be stored in your password manager if you don't check E-mail from devices you don't own/control (you should never type passwords into computers you don't own because you don't know if they have virus infections):
- Computer Unlock password (Multiple computers - keep them all the same as long as it's not syncing with a web service aka icloud or Microsoft account)
- Phone PIN/password Unlock (not your SSN/DOB or anything else found in your credit report)
- Password Manager master password (I recommend bitwarden.com or lastpass.com). This password should be entirely unique and not a variation on a password that you've previously used ever before.
- Primary phone account password (iPhone = Apple account, Android = Google account)
- Primary E-mail account used to register with websites (E-mail address you give out to other people/register with websites)
Use Lastpass to remember the existing passwords you have, you need to be able to use Lastpass everywhere (and Lastpass does make mistakes). Once you are comfortable with using Lastpass everywhere, you're going to start using the password generator in Lastpass and start changing all your passwords to randomly generated passwords (16 characters unless websites require shorter ones). When you're done, all passwords in Lastpass will look something like: @5&y@wVqAb!^Ya*6
which follows the great rule: "The only secure password is the one you can’t remember
Make sure the account recovery on passwords #3, 4, or 5 (above) doesn't point to any account that isn't secured with a 2-factor authentication method. Pick your 2nd factor of choice (OTP dongle - Ubikey, Authenticator App on phone (TOTP), etc.). Be aware security questions are NOT second factor. If you tell the truth to security questions you're actually just providing a single reused piece of information that will allow hackers to reset passwords. They are NOT a 2nd factor, they're just a 2nd password and if reused it's like reusing your password (Tip: make security questions and answers unique per location, and record the unique answers in your Password Manager notes section).
Remember: If you setup 2-factor authentication make sure you have a backup (2 Ubikeys/hardware devices, or print and store offline the QR codes during initial setup).
Everything else goes into your Password Manager, document everything in the notes section as appropriate.
The alternative to using a password manager is go buy a little spiral notebook with alphabet tabs and write your passwords in there (Keep blank spaces between each entry for password changes).
At this point, you're done. No need to continue reading unless you want to understand why and dive a little deeper into understanding why these things are important.
Making your Password Manager Password
There are many techniques you can use, here's mine for making a good password that you should never have to change because it's only used one place. Local passwords, because of the usual requirement of physical access to the device don't need to be as strong, unless you so desire.
Always go with your first instinct when answering the questions below (generating seed information):
- Give me two words at least 4 characters each (names, places, events, hobbies, interests, something special)
- Give me 4 numbers (preferably not your DOB or SSN)
- Look on the keyboard above the 1 thru 0, what's you're favorite symbol (preferably not ! because that's used the most).
- Pick a number between 2 and 6 (this is how many times you are going to use the favorite symbol to make your password longer, but still easy to type)
Here's an example answer to the above and using it to create a password for you:
Good password examples from the above seed info (from good to better): operapumpkins8433****, Opera8433Pumpkins****, Opara8433Pumkins****, OPERA8433pumpkins****, ****operA8433pumpkinS, OPER84****pump33, oPEr84****PumP33
Minimum requirements: 16 characters (20 + preferred), keep it out of the dictionary.
Tips: Force yourself to spell words wrrong, you'll usually force-spell it wrong in a different way than someone else. Longer is always better. Put capitalS In fUNKy wAYS THAt ARe UniqUe TO yOU. Bre akup wordsinthepassword. Y0u can l33t sp3ak but kn0w !ts kn0wn by 3v3ry0n3 31s3. Most people put numbers at the end, so you don't.
Other Tips: Usernames are usually not case sensitive, passwords almost always are.
If you are typing passwords into mobile devices think about grouping the different keyboard mode characters together so you don't have as many <shift>, switching between the different keyboard modes to do. Yes, makes automated password guessing easier, but since we're keeping the length 12+ characters brute force cracking possibilities are limited.
Quick Security Test
Answering YES to any of these things means you've failed the test. See above.
- Are you typing one of the above passwords into a web browser for something other than the first 3 items?
- Are your passwords a variation of an old password? Hackers know we change an old password just a little to "update" it: hello1234, Hello1234, hello1234!, hello7890, hello!1234, HELLO1234, h3ll01234. Variations on existing passwords are broken in seconds on a modern computers with current password analysis techniques http://bit.ly/1PM4ntm .
- Have you used your password manager password (or a variation of it) online anywhere?
- Can you remember any other website passwords? (if you can remember any other passwords other than the 5 above then all your other passwords probably don't look like: @5&y@wVqAb!^Ya*6 which they should).
Because just like the internet, your digital identity is interconnected.
Let's walk thru a typical hacking scenario. Thieves want money (points/gift cards/shopping sites etc), it's in your bank account so let's go and get it:
Using the same password on your bank as other websites? It's probably in a hacked database
already. We're in your bank account.
Using the same password on your primary E-mail address as other websites? It's probably in a hacked database
already. We're in your E-mail.
Search E-mail for bank names. Goto your bank website, click forgot password link. Put in E-mail, reset password on bank account. Delete E-mail's out of E-mail and empty trash (no trace of compromise). We're in your bank account.
Note: Now that we are in your E-mail, we can use Forgot Password on just about any website to login to any service you use. Access to your primary E-mail account fully compromises your digital life. While I'm here I'm going to change password and reset account recovery information so you can't get into your E-mail and stop me from continuing to compromise every account you own using password recovery. Ever try to call google, Microsoft, Yahoo, or any other free E-mail account provider? Let me save you hours of grief, it's impossible. Go hire a lawyer, and wait for 3-12 months to work your way thru the legal system. Let me know how it goes. If you aren't paying for it, once you can't recover an account using recovery information that account is gone. Forever.
Deep Dive into Multifactor Authentication
Alternative techniques to making good passwords:
Are your passwords already in a hacker database somewhere?
How many times has your information been known to be compromised?
F5 Labs - Credential Stuffing report of Feb 2021