How I Approach Passwords

When I think about technology’s progress, I marvel at how many things have become easier over the years. Gone are the command prompts of DOS and now even my grandma is a proficient tablet user. You no longer need a smart young nephew or a snarky, ponytailed friend to get your computer or wifi network up and running.

Progress is incredible, even when it takes 25 to 30 years to alleviate frustrations with technology.

There’s one holdout though and that’s the password. You would think after all this time with billions of people plugged in that we would have a better solution for passwords. I won’t go into the reasons why memorizing and typing your password is still with us today, but I’ll tell you how I go about managing my passwords.

In light of the recent Russian hacking of 1+ billion username and password combos (a haul that is only as useful as it is because so many people reuse the same password on many sites), you may want to rethink how you create and manage your passwords.

Two Strong Passwords

That’s all I memorize. Two strong passwords. I use one password for my e-mail and the other for my password manager – LastPass.

Having a strong password on your e-mail account is essential because almost every online account lets you reset its password through your e-mail. A hacker who controls your inbox goes to your banking website, types in your e-mail address and asks the bank for a password reset. The reset link lands in the inbox they now control, they set a password of their own, and voilà, they have access to your bank and you do not. Most banks put extra identity checks in front of a reset, but many sites do not, and for those the e-mailed link is the only thing standing between an attacker and your account.

Consider the case of Mat Honan from Wired magazine, who had his digital life torched in less than an hour. Hackers daisy-chained through his accounts (Twitter, Apple and Google), using access to his e-mail account to take over the rest. “One ring to rule them all” keeps echoing through my mind.

Not only did they gain control of his accounts, but they were also able to wipe his iPhone, iPad, and MacBook clean of data using Apple’s remote wipe feature. The ability to remotely wipe your device might sound like a dangerous feature to offer, but it’s there to protect you in the event of theft. Sadly, in this case, it was used to destroy his personal property. Imagine losing your family photos and videos that you thought were safely stored on your phone or PC.

Besides protecting my e-mail with a strong password, I use a different, equally strong password to protect my password manager – LastPass. LastPass creates and stores a long, random password for every one of my sites. I honestly cannot tell you the password to any of my banking accounts. They’re long and random, which means there is nothing for an attacker to guess and far too many possibilities to try. LastPass knows them all and dutifully fills them in for me when I visit a website.

It might sound scary to let a password manager hold all of your passwords, and no system is without risk: everything now hinges on one master password and on the manager itself, which is exactly why that master password has to be strong and, where the manager offers it, protected with two-factor authentication. I still see a bigger risk in using weak but memorable passwords for my online accounts, or reusing one password everywhere so that a single breached site unlocks the rest. Or worse yet, writing them down and keeping them under my keyboard or tucked away in my wallet. No one reading this does that, right? Good.

How I Make My Passwords

For my e-mail and my password manager, I rely on a trick that’s served me well for several years now.

I use song lyrics.

They’re easy to remember and long, and with some punctuation and a little unexpected capitalization you end up with a password that is both strong and memorable.

Here’s an example: “Mary had a little lamb, Little lamb, Little lamb!”

According to HowSecureIsMyPassword.net, that password would take an average desktop computer 488 quattuorvigintillion years to crack. (I’m going to spend the rest of the day mastering the pronunciation of quattuorvigintillion.) Take that figure with a grain of salt, though: the meter only counts length and character variety and assumes the attacker has to try every possible string. A nursery rhyme everyone knows is exactly the kind of phrase that sits in cracking wordlists, ready to be tried with every combination of capitalization and punctuation. Pick a lyric that is not a household phrase, or swap a few words for ones that don’t belong, and the estimate gets much closer to the truth.

Most e-mail providers and password manager applications let you create passwords like this, spaces included. Don’t underestimate the power of spaces in your passwords. A space is a character like any other, so it lengthens the password and widens the set of characters an attacker has to try.
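A meter like HowSecureIsMyPassword.net counts only length and the character classes used. The script below, added here and not code from the original post, makes that arithmetic explicit and then shows why it overstates the strength of a well-known lyric: an attacker with a phrase list and a few mangling rules faces a far smaller search space. For comparison it also computes the entropy of a passphrase built from randomly chosen words. The phrase list, its size, the mangling count and the guessing rate are constructed assumptions, chosen only to make the comparison concrete.

```python
import math
import secrets
from typing import Sequence

# Character classes used by the arithmetic a "how secure is my password" meter
# performs: it assumes the attacker brute-forces every string of the same length
# over the classes the password happens to use.
CHAR_CLASSES = {
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digit": "0123456789",
    "symbol": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}

# Constructed stand-in for a cracking dictionary of rhymes and lyrics. Real
# wordlists hold millions of phrases; the figures below are assumptions.
KNOWN_PHRASES = {
    "mary had a little lamb little lamb little lamb",
    "twinkle twinkle little star how i wonder what you are",
    "happy birthday to you",
}
ASSUMED_PHRASE_LIST_SIZE = 10_000_000   # phrases in the attacker's list
ASSUMED_MANGLING_VARIANTS = 1_000       # case/punctuation variants tried per phrase
ASSUMED_GUESSES_PER_SECOND = 1e10       # offline GPU attack against a fast hash


def brute_force_bits(password: str) -> float:
    """Search space (in bits) if the attacker knows only length and character classes."""
    alphabet = sum(len(chars) for chars in CHAR_CLASSES.values()
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet)


def normalise(text: str) -> str:
    """Lower-case and drop punctuation, undoing what a mangling rule would add."""
    kept = "".join(c.lower() if c.isalnum() else " " for c in text)
    return " ".join(kept.split())


def phrase_attack_bits(password: str) -> float:
    """Effective bits when the attacker tries known phrases with mangling first."""
    if normalise(password) in KNOWN_PHRASES:
        return math.log2(ASSUMED_PHRASE_LIST_SIZE * ASSUMED_MANGLING_VARIANTS)
    return brute_force_bits(password)


def years_to_exhaust(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at the given guessing rate."""
    return 2 ** bits / rate / (365 * 24 * 3600)


# Constructed sample of a diceware-style word list; a real list has 7776 words.
SAMPLE_WORDS = ["anvil", "harbor", "velvet", "comet", "ledger", "thistle",
                "quartz", "lantern", "saddle", "meadow", "ember", "pylon"]


def random_passphrase(words: Sequence[str], count: int = 6) -> str:
    """Pick words with the CSPRNG so the entropy really is count * log2(len(words))."""
    return " ".join(secrets.choice(words) for _ in range(count))


def passphrase_bits(list_size: int, count: int) -> float:
    """Entropy of `count` words drawn uniformly from a list of `list_size` words."""
    return count * math.log2(list_size)


if __name__ == "__main__":
    lyric = "Mary had a little lamb, Little lamb, Little lamb!"
    bf, pa, dw = brute_force_bits(lyric), phrase_attack_bits(lyric), passphrase_bits(7776, 6)
    print(f"meter-style brute force : {bf:6.1f} bits, {years_to_exhaust(bf):.3g} years")
    print(f"phrase list + mangling  : {pa:6.1f} bits, {years_to_exhaust(pa):.3g} years")
    print(f"6 random diceware words : {dw:6.1f} bits, {years_to_exhaust(dw):.3g} years")
    print("example random phrase   :", random_passphrase(SAMPLE_WORDS))
```

Under these assumptions the famous rhyme falls in well under a second once the attacker stops brute-forcing and starts with phrases, while six words chosen at random from a real list come out at roughly 77 bits, which the same attacker would need thousands of years to exhaust.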

You may think it would be annoying to type in such a long password, but in my experience it’s not that bad. My fingers are used to typing sentences and words. They even seem to move faster when I’m typing a song lyric instead of the nonsense of a password. Plus, I kind of sing it in my head, which is fun. Just don’t whistle or sing it out loud. :)

Two-Factor Authentication

Two-factor authentication is a must for any online account that offers the service, especially your e-mail and banking accounts.

Two-factor authentication asks for a one-time code in addition to your password. The site either texts the code to your phone or an authenticator app on the phone generates it from a secret the two of you share when you set it up. You don’t have to enter a code every time you log in, since sites can remember a browser you have marked as trusted, but they will ask again after a certain number of days or when you (or someone evil) tries to log in from an unfamiliar computer. If you have the choice, prefer the app over text messages: a code texted to a phone number goes to whoever controls that number, and phone numbers can be hijacked.
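To show what an authenticator app is actually doing, here is a working implementation of the standard time-based code (RFC 6238 TOTP, built on RFC 4226 HOTP) with the server-side check that accepts it. This is an added example, not code from the original post or from any particular provider; the secret is the published test secret from those RFCs, and the ±1 step tolerance window is an assumption about how much clock drift a site chooses to allow.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: truncate HMAC-SHA1(secret, counter) to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation offset
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time.
    The phone never receives the code; it derives it from the shared secret."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server side: accept the current step plus `window` steps either side
    (assumed tolerance for clock drift). Every candidate is compared in
    constant time so response timing reveals nothing about the code."""
    counter = at_time // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c, digits), code)
    return ok


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the shared secret as base32 (usually via a QR code)."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)            # restore padding some issuers drop
    return base64.b32decode(cleaned)


# Published test secret from RFC 4226 / RFC 6238, as a site would hand it out.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = base64.b32encode(RFC_SECRET).decode()   # GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ

if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_B32)
    now = int(time.time())
    code = totp(secret, now)
    print("shared secret (base32):", RFC_SECRET_B32)
    print("code right now        :", code)
    print("accepted by server    :", verify_totp(secret, code, now))
```

The same secret produces the same code on the phone and on the server for each 30-second step, which is why a code is useless a minute later and why losing the secret (for instance by restoring a phone backup onto a second device) is equivalent to losing the second factor.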

There’s very little annoyance involved with this extra step. The peace of mind alone is worth it.

If you haven’t used two-factor before, check out this video from Google.


Note: Two-factor also goes by 2-step verification (Google’s name for it) and is the most common form of multi-factor authentication.

Wrap Up

Passwords are annoying for most users and things are not likely to change any time soon. So we have to change.

Start by creating a highly secure password for your e-mail. A compromised e-mail address can be all a hacker needs to hijack your digital life.

Then, become more familiar with password managers. Not only do these programs create and manage highly complex passwords for you, they also provide the ability to automatically log you into sites when they detect you’re on the login page. This feature alone has saved me countless hours over the years.

Finally, take some time to learn about two-factor authentication and enable it on all of your accounts. As you learn about two-factor, be sure that you understand the concept of backup codes. These are pre-generated, single-use codes you can fall back on if you lose your phone or simply don’t have it with you. Print them or store them somewhere safe that is not the e-mail account they protect. Without the codes or your phone you are locked out, and proving your identity to the provider’s support team can be a long and slow process.
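What makes backup codes safe to print out is how the site handles them: they are generated from a cryptographic random source, only salted hashes are stored, and each code is burned the first time it is used. The example below is added here to illustrate that lifecycle and is not code from the original post or from any provider; the code length, count and hashing parameters are assumptions.

```python
import hashlib
import secrets
from typing import Iterable, List, Set


def generate_backup_codes(count: int = 10, length: int = 10) -> List[str]:
    """Random digit codes the user prints and keeps offline; each is usable once.
    secrets.choice draws from the OS CSPRNG, so the codes are not predictable."""
    return ["".join(secrets.choice("0123456789") for _ in range(length))
            for _ in range(count)]


class BackupCodeStore:
    """Server side: keep only salted, slow hashes, never the codes themselves,
    so a stolen database does not hand an attacker a working second factor."""

    def __init__(self, codes: Iterable[str], salt: bytes = None):
        self.salt = salt or secrets.token_bytes(16)
        self.unused: Set[bytes] = {self._hash(c) for c in codes}

    def _hash(self, code: str) -> bytes:
        # PBKDF2 (assumed 100k iterations) slows guessing if the hashes leak
        cleaned = code.replace(" ", "").replace("-", "")
        return hashlib.pbkdf2_hmac("sha256", cleaned.encode(), self.salt, 100_000)

    def redeem(self, code: str) -> bool:
        """True and the code is burned on its first use; False ever after.
        Set lookup on a high-entropy slow hash makes timing leaks immaterial."""
        digest = self._hash(code)
        if digest in self.unused:
            self.unused.remove(digest)
            return True
        return False

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("give these to the user to print:", codes)
    print("first use  :", store.redeem(codes[0]))   # True
    print("second use :", store.redeem(codes[0]))   # False, already burned
    print("codes left :", store.remaining())
```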

What do you think of my approach? Am I missing anything or leaving a glaring security hole?
