I highly recommend having random passwords for every site you have an account on. If you can’t do that, then at least have different passwords for accounts that have payment related information in them. Why? If an attacker got access to your account, then they just got access to all your other accounts as well!
Below are two tips that I found online that don’t make complete sense to me, and they highlight how random passwords are the solution.
Quoted tip: “Once you have a strong base password, you can use it to create individual passwords for each of your online accounts. Simply add the first three letters of the service, e.g. “E1d_1D!4Y:)GMa” for your GMail account or “E1d_1D!4Y:)eBa” for eBay.”
Assuming the attacker got access to one of your passwords, and they noticed the pattern, they can easily pivot to your other accounts using this password “strategy”.
Quoted tip: “Choose two short words and concatenate them together with a punctuation or symbol character between the words, e.g. “seat%tree”.”
GPU-based password cracking will breeze through this type of password. Sure, it is easy to remember, but this password “strategy” gets you nowhere.
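To put numbers on the two quoted tips, here is an added example (not from the original post) that estimates the entropy of each scheme next to a truly random password, and generates the random kind with the OS CSPRNG. The word-list size, separator count and guess rate are assumptions chosen for illustration, not measured figures.

```python
import math
import secrets
import string

# Assumed sizes for the estimate (constructed for this example, not measured):
SHORT_WORDS = 2000   # assume ~2000 common English words of 3-5 letters
SEPARATORS = 32      # punctuation/symbol characters on a US keyboard
GUESSES_PER_SEC = 1e10  # assumed GPU rate against a fast unsalted hash
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def entropy_bits(keyspace: int) -> float:
    """Bits of entropy for a secret chosen uniformly from `keyspace` candidates."""
    return math.log2(keyspace)


def two_word_scheme_bits(words: int = SHORT_WORDS, seps: int = SEPARATORS) -> float:
    """'seat%tree': word, separator, word -> words * seps * words candidates."""
    return entropy_bits(words * seps * words)


def base_plus_suffix_bits(base_bits: float, base_leaked: bool) -> float:
    """'E1d_1D!4Y:)GMa': the site tag is derived from the site name, so once the
    base password has leaked from one site the other accounts have ~0 bits left."""
    return 0.0 if base_leaked else base_bits


def random_password_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Each position is independent and uniform over the alphabet."""
    return length * entropy_bits(len(alphabet))


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SEC) -> float:
    """Time to try every candidate at `rate` guesses per second."""
    return 2 ** bits / rate


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG; never use random.random for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, bits in [("two words + symbol", two_word_scheme_bits()),
                       ("base + site tag, base leaked", base_plus_suffix_bits(80.0, True)),
                       ("16 random chars", random_password_bits(16))]:
        print(f"{name:30s} {bits:6.1f} bits  exhaust in {seconds_to_exhaust(bits):.3g} s")
    print("sample random password:", generate_password())
```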
Great article, I have learned a lot!
I use LastPass and I have a different complex password for Facebook, Twitter, G+, LinkedIn, Buffer, etc. Where available, I also have 2-step verification turned on. Plus, I only have three passwords memorized. One of them is, obviously, my LastPass password. I won’t tell you the others…but I will tell you that the three I have memorized are over 8 characters (won’t tell you how long) and all have upper and lower case letters, numbers and special characters. With 2-step verification, which I encourage you to consider, I am virtually unhackable. Check out my blog post, Why I Turned On 2-Step Verification Why You Should Too at http://markstruczewski.com/turned-2-step-verification/.
@Mark – 2-step verification is certainly nice. Do you find it being an annoying step? The challenge with security is always to balance the functionality and usability of a system.
How do LastPass and other password programs like this work when you have to work on multiple PCs and Macs over the course of a few days?
@Glenn – If using a local password application like KeePass you can store it on a shared drive or cloud provider like Dropbox and be “mobile”. LastPass does have a paid-for version where you store all your passwords on their server where any computer could access it (given you have the key for it).
A timely reminder to tighten up my password security. Thanks!
Thanks for the article, Garrett! Obviously I need to refine my strategy!
This is good stuff. I’ve looked into using LastPass, and even created an account there, but I haven’t fully utilized it yet. Does LastPass remind you to change your password at a set interval?