Are your passwords weak or terrible?

If you can remember your password for a site, then it is weak. If you have used that password on more than one site, then it is terrible.

Most people’s passwords are both weak and terrible.

If you have a weak and terrible password for your email, and you don’t have two-factor authentication (a code challenge after logging in), then you really are in grave digital danger. It’s highly likely that someone will take over your email and change the password.

Once someone has control of your email account, they have control over every other account you have signed up to with that email. All they need to do is go to that site, hit the “forgot password” link, hit the reset password link in the email sent to your inbox, and hey presto, they now have control of that account.

There are two things you can do if you find yourself in this position:

  • Activate two-factor authentication immediately on your email account.
  • Get a password manager and reset all your internet passwords to random ones, stored in the password manager.

The first is trivial. If your email provider doesn’t support two-factor authentication, then create a Gmail address, change all your online accounts to that email and ditch your current email. It doesn’t matter if great aunt Mabel can’t contact you any more – your digital security is way, way more important.

The second is more daunting, both in picking a password manager and migrating all your accounts into it. I did it one weekend in 2010 when I had around 100 accounts. Now I have over 250. The problem of digital identity gets worse over time, not better. So the sooner you can get it under control, the better.

The password manager I use is KeePassXC. It’s open source and as far as I know, does not have any open vulnerabilities. I use Dropbox to sync the file between my devices to keep everything up to date.
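Here is an added example (not from the original post) that applies the two tests above, weak and terrible, to a constructed list of accounts and shows how a password manager produces the random replacement. Every site, password and threshold in it is made up; the entropy figure is an upper bound and flatters human-chosen passwords, which is exactly why the post's practical test is whether you can remember it.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample vault export as (site, password) pairs. Not real credentials.
SAMPLE_ACCOUNTS = [
    ("email.example", "Summer2010!"),
    ("shop.example", "Summer2010!"),
    ("bank.example", "Summer2010!"),
    ("forum.example", "fluffy"),
    ("work.example", "x7#Qp2!vL9@mR4&zT1^w"),
]
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars

def entropy_bits(password: str) -> float:
    """Upper bound: length * log2(size of the character classes present).
    This flatters human-chosen passwords (a word plus a year is far easier to
    guess than the number suggests), hence the post's test 'can you remember it?'."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, len(string.punctuation))]
    pool = sum(size for test, size in classes if any(test(c) for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

def audit(accounts, min_bits: float = 80.0) -> dict:
    """The post's two tests: 'terrible' = same password on more than one site,
    'weak' = entropy bound below min_bits. Returns {site: [problems]}."""
    sites_using = defaultdict(list)
    for site, pw in accounts:
        sites_using[pw].append(site)
    findings = {}
    for site, pw in accounts:
        problems = []
        others = [s for s in sites_using[pw] if s != site]
        if others:
            problems.append("terrible: also used on " + ", ".join(others))
        bits = entropy_bits(pw)
        if bits < min_bits:
            problems.append(f"weak: ~{bits:.0f} bits")
        if problems:
            findings[site] = problems
    return findings

def random_password(length: int = 20) -> str:
    """CSPRNG replacement, uniform over the full pool, a different one per site."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

if __name__ == "__main__":
    for site, problems in audit(SAMPLE_ACCOUNTS).items():
        print(site, "->", "; ".join(problems), "| replace with:", random_password())
```

Run it against a real export only on a device you own; the findings dictionary lists the accounts to reset first.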

You do need a master password to remember. This should be very long. Mine is over 20 digits. And you should never write it down, or use that password on any website. It’s for the password manager only.

Some people ask, “What if the master password file is hacked?” The answer to that is: yes, you are screwed. Completely.

So make sure you only enter your master password on devices you own. If you think your device has been hacked, destroy it and get a new one (it’s not your device after someone else has gained control).

These sound like extreme measures. But no one else is in a position to protect your digital identity other than you. Being hacked is a time-consuming and stressful process – far worse than taking steps to protect yourself.

And usually, it all starts with your email.
