Passwords and passphrases. I hate them.

Yes, I used the ‘h’ word. Passwords and passphrases give people the illusion of safety and security when they are one of the easiest things to crack. I cringe when I come across major banks whose login mechanisms are weaker than, say, Facebook’s mechanisms.

I’ll admit that the inspiration for this post came back in November after reading the story of Mat Honan in WIRED Magazine. The article’s linked but I’ll summarize: Mr. Honan had his entire digital life wiped away because a hacker could defeat his email account password.

Do I have your attention? Good. Because for the next few paragraphs, I’ll showcase some alternatives and additions to passwords and some questions that you need to ask yourself about your own computing practices.

The password is an antiquated relic of an era when computing was innocent. Hackers didn’t go after individuals; they went after big enterprises. The tides have turned and no organization or individual is safe from a hack. In addition to most of my life being in the cloud, I have several servers running various web applications (including this blog and some websites of my clients) that are cloud servers. If I’ve got the chance, I disable passwords altogether OR pair a passphrase up with a second form of authentication. Data safety and backup is something that I constantly have to tackle…and it’s something that you have to think about, too.

There are some easy things that you can do and I’ll go through them from the least technical to the most.

1. Make your passwords as long as possible. Short passwords, no matter the complexity, can be cracked in less time than a longer password. An eight-character password comprised of a combination of lowercase letters, uppercase letters, numbers, and a palette of 20 special characters has a total of $2.044 \times 10^{15}$ options. A 25-character password using that same palette has $7.004 \times 10^{47}$ options, which is almost infinitely more.

2. Don’t answer the security questions truthfully. Like passwords and passphrases, I also dislike security questions. Most of the questions and answers are things that a hacker can easily locate on the Internet and are often self-supplied on a social media profile! If a service asks for an answer to, “What street did you grow up on?”, don’t answer truthfully. Respond with an answer like “Purple Flying Rabbit Hippos” or something equally crazy yet memorable. There isn’t a logic engine in those security questions to make sure that you’re answering truthfully. Be creative in your answer! (But remember what you’ve said…because forgetting it would defeat the purpose!)

3. Ensure you have anti-virus and anti-spyware software on your computer. A lot of rogue software tracks your keystrokes and sends that information to a central server. Many anti-virus programs and anti-spyware programs capture, quarantine, and eliminate those threats. The best news is that you don’t have to shell out a lot of money for a good anti-virus or anti-spyware program: my favorites are AVG Anti-Virus free edition and Spybot Search & Destroy (anti-spyware), also free. (Edit, 21 April 2016: AVG Free is no longer recommended.)

4. When signing up for a service, make login security a part of your evaluation framework. It does sound like something silly but it’s something that you absolutely have to consider in this new world. Do your bank’s password requirements seem woefully inadequate? If I came to the decision between two services that are otherwise equal in service and dignity, a service that had a more robust login solution would get my nod.

5. Consider where you’re doing your computing. A lot of us take public wi-fi networks in coffee shops, public spaces, or civic institutions for granted these days. The problem is that these networks are open to all and their security questions are less than ideal. If you’re using a public network, ask yourself: “Do I really need to be doing my online banking or transmitting this otherwise confidential information at this time?” Safe computing is a mindset, too, and you have to be aware of your surroundings when you do your computing. But at home, make sure that your router is locked and that only devices you’ve authorized are connected to the network. Check the directions for your router.
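
The arithmetic behind tip 1, as an added example that is not part of the original post: it reproduces the two keyspace figures above and shows how quickly length overtakes complexity. The function names and the guess rate `GUESSES_PER_SECOND` are assumptions made for illustration, and the numbers only hold for passwords whose characters are chosen uniformly at random.

```python
import math

# Palette from the post: lowercase + uppercase + digits + 20 special characters.
FULL_PALETTE = 26 + 26 + 10 + 20   # 82 symbols
LOWERCASE_ONLY = 26
# Assumed attacker speed (hypothetical, used only to compare candidates).
GUESSES_PER_SECOND = 1e10


def keyspace(palette_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return palette_size ** length


def entropy_bits(palette_size: int, length: int) -> float:
    """Bits of entropy when every symbol is picked uniformly at random."""
    return length * math.log2(palette_size)


def years_to_exhaust(palette_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at `rate` guesses per second."""
    return keyspace(palette_size, length) / rate / (365.25 * 24 * 3600)


def min_length_to_match(simple_palette: int, target_palette: int,
                        target_length: int) -> int:
    """Shortest password over `simple_palette` whose keyspace is at least
    that of a `target_length` password over `target_palette`."""
    target = keyspace(target_palette, target_length)
    length = 1
    while keyspace(simple_palette, length) < target:
        length += 1
    return length


if __name__ == "__main__":
    rows = [(FULL_PALETTE, 8, "8 chars, full palette"),
            (FULL_PALETTE, 25, "25 chars, full palette"),
            (LOWERCASE_ONLY, 25, "25 chars, lowercase only")]
    for palette, length, label in rows:
        print(f"{label:26} {keyspace(palette, length):.3e} options, "
              f"{entropy_bits(palette, length):6.1f} bits, "
              f"{years_to_exhaust(palette, length):.3e} years to exhaust")
    print("lowercase-only length that matches 8 chars of full palette:",
          min_length_to_match(LOWERCASE_ONLY, FULL_PALETTE, 8))
```

A lowercase-only password needs just 11 characters to exceed the keyspace of the eight-character full-palette password, which is why length matters more than the character mix.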