A colleague, Ian Stewart, was kind enough to share an email he sent to someone who confessed to using the same password for everything. I think it hits a number of great points and tips on passwords and security best practices, most (all?) of which are outlined in Automattic’s internal docs/handbook. Definitely a good read if you want to tighten up your online security.
tl;dr Use 1Password for everything and two-step authentication for everything.
Alright, this went long but … let’s prevent you from getting hacked!
Never ever give your password or “passphrase” (I’ll get to that) to anyone. Even if you give one to someone like me who’s helping out, change it as soon as we’re done.
No two passwords should ever be the same even if they’re “temp” or “throwaway” passwords.
To manage all your passwords, use 1Password and never have to worry about remembering all your passwords.
You can get it for your iPhone and iPad too. Once you start using it you’ll only really need to know your computer, iPhone, iPad, and Gmail passwords. (I like to always know a mail password for backup in case 1Password goes kablooey.)
Yes, you should have a password for your iPhone and iPad. They’re pretty easy to lose or get stolen.
Stop using passwords. Use completely random passphrases instead. This comic explains why better than I ever could:
Never use a phrase from any song or book or anything that has been published anywhere ever. It should be random and unique for any passphrase.
Once you get 1Password set up, take an afternoon as soon as possible to reset all your passwords everywhere to a unique, strong password generated by 1Password. Use its password generator for everything from now on.
This is a big one: Use two-factor or two-step authentication every single place that you can. This means that every time you log in some place new a text message will be sent to your phone to confirm that you’re trying to log in somewhere. A hacker would have to have your login details AND your phone in this case. Here’s a list of places to enable it.
When you set up two factor authentication for each service you’ll get some backup codes. Don’t store these anywhere online or on your computer anywhere. Print them out and store them some place safe.
Likewise with your “master” passwords. Write those down and keep them some place safe.
Install anti-virus software on your Mac. Sophos has a good free option. It’ll catch a lot of phishing attempts.
… those are the big ones. If you do the above you’ll be light years ahead of everyone else.
I’ll leave you with some horror stories that are great reads.
A writer hires hackers to investigate him and they basically take over everything:
Another writer loses everything, including all his photos of the first year of his daughter’s life, because hackers thought his Twitter account would be cool to take over:
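The email’s advice to use random passphrases rather than memorable quotes rests on a simple piece of arithmetic: strength comes from how many equally likely choices the attacker has to try, not from how long or odd the phrase looks. The following is an added example (editor’s code, not part of Ian Stewart’s email or the original post) that draws a passphrase with the operating system’s CSPRNG and computes the entropy for a given word-list size; the 32-word list inside it is constructed for the demo, and the 7776-word figure used in the comparison is the size of a typical diceware-style list, passed in as a parameter rather than bundled here.

```python
"""Added example (not from the original post or the quoted email): generate a
random passphrase with the OS CSPRNG and estimate its strength in bits."""
import math
import secrets

# Constructed word list for the example only (32 words = 5 bits per word).
# A real list such as a diceware-style list has 7776 entries; every function
# below takes the list or its size as input, so the math carries over.
EXAMPLE_WORDS = (
    "anchor apple basin birch cabin candle desert dragon ember engine "
    "fable falcon garden glacier hammer harbor island ivory jungle kettle "
    "ladder lantern marble meadow needle nickel orbit oyster pepper pillow "
    "quartz rocket"
).split()


def generate_passphrase(n_words, wordlist=EXAMPLE_WORDS, separator=" "):
    """Choose n_words uniformly at random from wordlist.

    secrets.choice draws from the OS CSPRNG. random.choice is seeded
    predictably and must never be used for passwords or passphrases.
    """
    if n_words < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_picks, pool_size):
    """Entropy of n_picks independent uniform picks from pool_size options.

    This is n * log2(pool) and applies equally to words drawn from a list and
    to characters drawn from an alphabet. A phrase lifted from a song or book
    gets none of this: the attacker's pool is a dictionary of published
    phrases, not the space of all word combinations.
    """
    if n_picks < 1 or pool_size < 2:
        raise ValueError("need at least one pick from at least two options")
    return n_picks * math.log2(pool_size)


def words_needed(target_bits, pool_size):
    """Smallest number of random words from a pool_size list reaching target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))


def is_well_formed(passphrase, wordlist=EXAMPLE_WORDS, separator=" "):
    """True if every token of passphrase comes from wordlist (sanity check)."""
    return all(token in wordlist for token in passphrase.split(separator))


if __name__ == "__main__":
    phrase = generate_passphrase(6)
    print(phrase)
    print(f"{entropy_bits(6, len(EXAMPLE_WORDS)):.1f} bits from this 32-word list")
    print(f"{entropy_bits(6, 7776):.1f} bits from a 7776-word list")
    print(f"{entropy_bits(8, 95):.1f} bits for 8 random printable ASCII characters")
    print(words_needed(80, 7776), "words from a 7776-word list reach 80 bits")
```

The point the numbers make: six words from a 7776-word list give about 77.5 bits, more than eight fully random printable-ASCII characters (about 52.6 bits), and the passphrase is far easier to type and remember. The entropy figure is only valid when the words are chosen by a CSPRNG from the full list; picking "random-sounding" words by hand, or any phrase that has ever been published, collapses the pool to whatever the attacker can enumerate.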
While this email is Mac-specific, there are a number of cross-platform password managers similar to 1Password. The one I use is LastPass, and for just $12/year you can upgrade to premium and get access to your passwords on your phone.
I hope this has enlightened you (or reminded you to finally get around to it) on security best practices. With all the personal, sensitive information available online these days, can you really risk not taking the time to set everything up securely?