How I Approach Passwords

When I think about technology’s progress, I marvel at how many things have become easier over the years. Gone are the command prompts of DOS and now even my grandma is a proficient tablet user. You no longer need a smart young nephew or a snarky, ponytailed friend to get your computer or wifi network up and running.

Progress is incredible, even when it takes 25 to 30 years to alleviate frustrations with technology.

There’s one holdout though and that’s the password. You would think after all this time with billions of people plugged in that we would have a better solution for passwords. I won’t go into the reasons why memorizing and typing your password is still with us today, but I’ll tell you how I go about managing my passwords.

In light of the recent Russian hacking of 1+ billion username and password combos, you may want to rethink how you create and manage your passwords.

Two Strong Passwords

That’s all I have. Two strong passwords. I use one password for my e-mail and the other for my password manager – LastPass.

Having a strong password on your e-mail account is essential because hackers who compromise your e-mail can initiate password resets for most of your online accounts. For example, a hacker might go to your banking website, type in your e-mail and ask the bank to send a password reset to your e-mail. Then, they happily log into your e-mail, complete the password reset using their own password, and voilà, they have access to your bank and you do not. Now, most banks have sophisticated programming that can prevent this kind of attack, but many sites do not.

Consider the case of Mat Honan from Wired magazine who had his digital life torched in less than an hour. Hackers managed to daisy-chain through his accounts (Twitter, Apple, Google accounts), using access to his e-mail account in order to gain access to the rest – “one ring to rule them all” is echoing through my mind.

Not only did they gain control of his accounts, but they were also able to wipe his iPhone, iPad, and MacBook clean of data using Apple’s remote wipe feature. The ability to remotely wipe your device might sound like a dangerous feature to offer, but it’s there to protect you in the event of theft. Sadly, in this case, it was used to destroy his personal property. Imagine losing your family photos and videos that you thought were safely stored on your phone or PC.

Besides protecting my e-mail with a strong password, I use a different complex password to protect my password manager – LastPass. LastPass creates and stores random, complex passwords for all of my sites. I honestly cannot tell you the password to any of my banking accounts. They’re long, cryptic, and would probably even give the NSA some trouble in cracking. LastPass knows them all and dutifully fills them in for me when I visit a website.

It might sound scary to some people to let a password manager control all of your passwords. No system is without risk, however. I see a bigger risk in using weak, but memorable passwords for my online accounts. Or worse yet, writing them down and keeping them under my keyboard or tucked away in my wallet. No one reading this does that, right? Good.

How I Make My Passwords

For my e-mail and my password manager, I rely on a trick that’s served me well for several years now.

I use song lyrics.

They’re easy to remember and long, and with some punctuation marks and random capitalization, you should come up with highly secure, yet memorable passwords.

Here’s an example: “Mary had a little lamb, Little lamb, Little lamb!”

According to HowSecureIsMyPassword.net, that password would take an average desktop computer 488 quattuorvigintillion years to crack. (I’m going to spend the rest of the day mastering the pronunciation of quattuorvigintillion.)

Most e-mail providers and password manager applications allow you to create passwords like this with spaces. Don’t underestimate the power of spaces in your passwords. They are a character and they add to the complexity of any password.
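A rough model of what a character-count strength meter measures, applied to the lyric above. This is an added example, not code from this post or from HowSecureIsMyPassword.net; it shows that spaces do enlarge the character-level search space, and that this figure is an upper bound because the words of a sentence are not independent random characters. The alphabet sizes, the 10,000-word vocabulary and the guess rate are assumptions.

```python
import math
import re
import string

# Character classes a simple brute-force estimator assumes must be covered
# (assumed model, not the documented algorithm of any particular site).
CLASSES = {
    "lower": set(string.ascii_lowercase),  # 26
    "upper": set(string.ascii_uppercase),  # 26
    "digit": set(string.digits),           # 10
    "space": {" "},                        # 1
    "punct": set(string.punctuation),      # 32
}

def charset_size(password):
    """Size of the alphabet implied by the character classes present."""
    chars = set(password)
    return sum(len(members) for members in CLASSES.values() if chars & members)

def char_model_bits(password):
    """Bits of search space if every character were independent and random."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))

def word_model_bits(password, vocabulary=10_000):
    """Bits if each word were picked at random from an assumed vocabulary."""
    words = re.findall(r"[A-Za-z]+", password)
    return len(words) * math.log2(vocabulary)

def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years to try the whole space at an assumed guess rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)

LYRIC = "Mary had a little lamb, Little lamb, Little lamb!"  # the post's example

if __name__ == "__main__":
    no_spaces = LYRIC.replace(" ", "")
    for label, pw in (("with spaces", LYRIC), ("without spaces", no_spaces)):
        print(f"{label:15} len={len(pw):2} alphabet={charset_size(pw)} "
              f"char-model={char_model_bits(pw):.0f} bits")
    # Far smaller than the character model: sentences are built from words.
    print(f"word model: {word_model_bits(LYRIC):.0f} bits")
    print(f"char-model years: {years_to_exhaust(char_model_bits(LYRIC)):.2e}")
```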

You may think it would be annoying to type in such a long password, but in my experience it’s not that bad. My fingers are used to typing sentences and words. They even seem to move faster when I’m typing a song lyric instead of the nonsense of a password. Plus, I kind of sing it in my head, which is fun. Just don’t whistle or sing it out loud. :)

Two-Factor Authentication

Two-factor authentication is a must for any online account that offers the service, especially your e-mail and banking accounts.

Two-factor authentication sends a secret code to your mobile device which must be entered along with your password on a given website. You don’t have to receive and enter a code every time you log in – sites have a way to remember you – but they will ask for codes again after a certain number of days or when you (or someone evil) tries to log in using an unfamiliar computer.

There’s very little annoyance involved with this extra step. The peace of mind alone is worth it.

If you haven’t used two-factor before, check out this video from Google.


Note: Two-factor also goes by 2-step and multi-factor authentication.

Wrap Up

Passwords are annoying for most users and things are not likely to change any time soon. So we have to change.

Start by creating a highly secure password for your e-mail. A compromised e-mail address can be all a hacker needs to hijack your digital life.

Then, become more familiar with password managers. Not only do these programs create and manage highly complex passwords for you, they also provide the ability to automatically log you into sites when they detect you’re on the login page. This feature alone has saved me countless hours over the years.

Finally, take some time to learn about two-factor authentication and enable it on all of your accounts. As you learn about two-factor, be sure that you understand the concept of backup codes. These are pre-determined, disposable codes that you can use in the event that you lose or are without your phone. Without these codes or your phone, you cannot access your account and going through a verification process to prove your identity could be a long and slow process.

What do you think of my approach? Am I missing anything or leaving a glaring security hole?

How I (Mostly) Quit Google

I don’t know how it started. Maybe it was the clause in Google’s terms and conditions that gives them near ownership of the content you upload to Google Drive or those creepy targeted ads that follow you from one site to another, but a few months ago I went on a privacy kick.

In the past, I was one of the chorus who said, “I don’t have anything to hide, so… so what?” As advertisers and tech companies show more of their hand and expose how much they really know and profit from us, I realized I was giving them more value than their “free” services were returning to me.

As in any relationship, when you feel you’re giving more than you’re getting, it makes you feel like a bit of a fool.

So a month ago I started researching alternatives to Google’s products. For the most part, I’m Google-free. Here’s how I did it:

Google Search
(Alternative: DuckDuckGo)

This is the toughie. Google Search is a powerful, predictive solution. It literally completes your thoughts for you as you type them. It does that by learning from you as you search and custom baking results just for you. When you leave Google Search, it’s like losing that best friend who you don’t have to explain things to. They already know the story, your background, your quirks.

When I switched over to DuckDuckGo – a privacy obsessed alternative to Google Search – I had to start from scratch again. When I searched for something like “smoothie bar plymouth,” DuckDuckGo made its best guess and figured I was more likely to be looking for a smoothie in Plymouth, MA than Plymouth, MI. Granted, while Maui Wowi on Water Street in Plymouth, MA looks awesome, it isn’t going to satisfy my random, cold liquified fruit cravings.

So, I have to work a little harder with DuckDuckGo and write complete queries that include the exact location or extra keywords. It reminded me that I used to work that hard before Google became so smart. I did it before; I can do it again.

Google Mail
(Alternative: Zoho Mail + my own domain from GoDaddy)

Of all of Google’s products, I thought Gmail was going to be the hardest to leave. It turned out to be the easiest.

Zoho Mail is a slick alternative to Gmail. Its interface – although not as fancy as Google’s – is just as functional. In fact, I like it better than Gmail after a month of use.

While I do miss the way Gmail displays previous conversations, I love how Zoho opens new e-mails in their own tab and allows me to open multiple e-mails at once and then bounce between tabs. It’s easier than the disconnection you feel as you open one e-mail and then have to close it entirely to switch back to a draft you were writing.

Zoho gives me Mail, Calendar, and Contacts (along with ActiveSync so it plays well with my phone) for only $2/month (10GB of storage). They migrated my nearly 10 years of Gmail e-mails with ease, so I didn’t lose any of my e-mail history. I’m an e-mail pack rat. I admit it.

While you can get a @zoho.com address, I already had a domain ($8/year) purchased through GoDaddy. I followed Zoho’s how-to guides and had GoDaddy routing incoming mgrabowski.com e-mails to Zoho’s servers in less than 30 minutes.

I’m so satisfied that I cannot imagine returning to Gmail again.

Google Maps
(Alternative: None)

I tried. I really tried. Waze. Scout. Even MapQuest. Google Maps has maps down cold.

This is mainly due to their great directory of businesses and attractions. A few weeks ago I was out at the Nichols Arboretum in Ann Arbor with a friend. She was pretty sure how to get there, but I tried my alternative map apps as a backup, just in case.

Only Google Maps and Waze (admittedly, owned by Google) had any idea what or where the Nichols Arboretum might be. MapQuest suggested that I might want to navigate to Arboretum in Kwazulu Natal, South Africa. When I asked it for a route and time estimate, it apologized and said it couldn’t figure that out. This frustrated me even more than the suggestion that I navigate to South Africa because now I really wanted to know how long it would take to journey by ferry, car, and foot to the southern tip of Africa.

Google Maps returns enough value to me for the location information I share with them. I’ll stick with it until the alternatives get better.

Google Chrome
(Alternative: Dolphin for mobile, Mozilla Firefox for desktop)

I’m struggling to replace Chrome. Firefox on the desktop feels slower than Chrome and it likes to crash on me (both probably due to a few buggy plugins). Dolphin is fine on mobile, but I miss the sync functionality of Chrome that allowed my bookmarks to live across multiple platforms (except iOS).

I’m still working on this one, but I think I’m going to ditch Dolphin for Firefox mobile. If only Firefox had an iOS app, but given iOS’ design, Mozilla says it has no plans to deliver an app.

Google Drive
(Alternative: Dropbox)

I know I could take some privacy flak for this one given concerns about Dropbox’s security and the appointment of Condoleezza Rice to their board of directors earlier this year.

After reading their terms and conditions, I’m ok with using Dropbox for right now. Dropbox doesn’t claim any rights to use my content, whereas Google says:

When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. (as of 07/03/2014)

That line just creeps me out.

Google Play Music
(Alternative: None)

For those who love music and haven’t tried Google Play Music, you are missing out. Google Play Music allows you to upload your entire MP3 collection to the cloud (well, technically only 20,000 songs) and then stream your music to any desktop or Android device. Your whole music collection follows you, in your car, in the park, at the coffee shop, and you can even download offline copies of your songs so you can listen without a data connection.

Like Maps, the design and incomparable functions of Google Play Music make me willing to volunteer my personal information in exchange for the free service. Somewhere they are building a lucrative advertising profile for 30-something-year-olds who live in Southeastern Michigan, search for snowboarding and rock climbing videos on YouTube, and have excellent musical taste. I can live with that.

Conclusion

It’s not easy to give up on the convenience of Google. They make great products that can become an integral part of your digital life.

But you have to ask yourself a simple question: Am I getting a fair shake for what I give X company?

The film Terms and Conditions May Apply (available on Netflix streaming) estimates that Google makes about $500/year from monetizing your personal data. Their services can be pretty awesome, but I don’t feel they are worth $500 to me.

As I moved away from Google, I was reminded of how the internet felt before Google, Facebook, and Amazon captured their respective corners of the internet. We used to string together various applications and different companies to meet our needs. My e-mail used to be stored on local servers at my ISP. My web searches entailed visiting Lycos, Altavista and Yahoo! to find the best results. I would go directly to CDNow and then Amazon to compare prices.

I know the idea of using multiple search engines for a single search result seems insane nowadays and it is. Although I wouldn’t go back to those days, I do ask myself whether convenience is worth giving most of my business or personal data to one company. Is that really the best thing for our economy and the internet? It’s not.

If we all sign up for Google or become Amazon Prime customers, what happens to that small start-up that has a cool service, but doesn’t have the war chest to compete with the big guys? The internet and our economy thrive on competition. It’s capitalism at its finest. Comcast is about to find that out later today after doubling my bill in an area where AT&T U-Verse has a comparable service at half the price.

If you walk away with one idea from this post, just realize that your personal data is a commodity. When you hand it over, place a value on it and expect something in return. And don’t be afraid to pack up and take your business elsewhere. It’s not as scary out there as you may think and you might even find a better product. At a minimum, you may be doing the internet and our economy some good.