This week’s kerfuffle about LinkedIn, eHarmony and Last.fm being hacked reinforces the fact that there is no such thing as a totally secure online service. I have no idea whether or not LinkedIn and eHarmony carry out best practice with regards to user credentials – and some commentators think not (see the quote towards the bottom of this NY Times article) – but total security is impossible. (Or rather, it is possible, but I’m not sure many people could take the extraordinary hurdles that would be involved.)
With this in mind, it is essential that people adopt some basic principles when registering for online services:
- Use a unique password for every website.
- Create a lengthy password consisting of letters, numbers and, if the website allows it, symbols too.
- Change passwords regularly, at an interval that reflects the importance of the online service. (In other words, change an online banking password more frequently than a mailing list password.)
The difficulty, as ever, is that very few people have the mental capacity to do all of these three things. I have seen numerous articles on this subject talking about creating a password based on the first letter of each word in a phrase that has meaning to you, then replacing one or two characters with symbols and throwing in some random capitalisation and perhaps misspelling the phrase and… and… oh what was the password again? And was ‘the rain in Spain falls mainly on the plain’ for the Santander website or the travel agents?
With absolutely no disrespect to those authors, I think trying to memorise complex strings of text like this, across multiple websites, is an impossible task. The only way these three principles can be adhered to is by using a software password tool, many of which nowadays are tightly integrated with web browsers, can generate as well as store passwords, and have versions on all of the platforms through which the web is browsed (i.e. Mac, Windows, mobile; sorry, Linux, I know little about). In Lambert/rubicon we use 1Password, but there are other well-reviewed applications out there, such as LastPass. (Note that we do not stand to gain financially from our mention of these software tools.)
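As an added illustration (not code from the original post, nor from 1Password or LastPass), here is a small Python sketch of the two things a password tool does for the first two principles: generate a long random password from the system's CSPRNG that satisfies a site's character rules, and flag any password reused across sites in a vault. The site names and the sample vault are constructed for the example.

```python
import secrets
import string

DIGITS = string.digits
SYMBOLS = "!#$%&*+-=?@^_~"  # assumed symbol set; sites vary


def generate_password(length=20, allow_symbols=True):
    """Return a random password of `length` characters from the system CSPRNG.

    Guarantees at least one lower-case letter, one upper-case letter and one
    digit (plus one symbol when the site allows symbols), fills the rest from
    the full alphabet, then shuffles so the guaranteed characters do not sit
    in predictable positions.
    """
    if length < 8:
        raise ValueError("password too short")
    classes = [string.ascii_lowercase, string.ascii_uppercase, DIGITS]
    if allow_symbols:
        classes.append(SYMBOLS)
    alphabet = "".join(classes)
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle
    return "".join(chars)


def meets_policy(password, allow_symbols=True, min_length=12):
    """Second principle: lengthy, with letters, numbers and (if allowed) symbols."""
    has_lower = any(c in string.ascii_lowercase for c in password)
    has_upper = any(c in string.ascii_uppercase for c in password)
    has_digit = any(c in DIGITS for c in password)
    has_symbol = any(c in SYMBOLS for c in password)
    return (len(password) >= min_length and has_lower and has_upper
            and has_digit and (has_symbol or not allow_symbols))


def reused_passwords(vault):
    """First principle: map each password used on more than one site to those sites."""
    seen = {}
    for site, pw in vault.items():
        seen.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in seen.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample vault: one password reused across two sites.
    vault = {"bank.example": "Tr0ub4dor&3", "mail.example": "Tr0ub4dor&3",
             "list.example": generate_password(16, allow_symbols=False)}
    print(reused_passwords(vault))
```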
The bottom line is this: your password will almost certainly be obtained from one of the online services that you use at some point in the future. So protect yourself by adopting some straightforward principles.
(Photo of keys by Ruben G.S.)