Reposted with a couple of edits: one of the things I've learned in 2014 is that passwords are evil. Learn how to overcome the inherent problems of passwords.

[Editor’s note: The below post, “Living post-password”, was originally posted on this blog on 2 April 2013. It’s been reposted below with several updates and new insights as part of this blog’s ‘Marching Toward 2014’ series of posts.]

Passwords and passphrases. I (still) hate them.

Yes, I used the ‘h’ word. Passwords and passphrases give people the illusion of safety and security when, as they are typically chosen and reused, they are one of the easiest controls to defeat. I cringe when I come across major banks whose login mechanisms are weaker than, say, Facebook’s.

I’ll admit that the inspiration for this post came in November 2012 after reading the story of Mat Honan in WIRED Magazine. The article is linked, but I’ll summarize: Mr. Honan had his entire digital life wiped away because an attacker got control of his email account, not by cracking the password but by abusing account-recovery processes, and then used that account to reset everything chained to it.

Do I have your attention? Good. Because for the next few paragraphs, I’ll showcase some alternatives and additions to passwords, and some questions that you need to ask yourself about your own computing practices.

The password is an antiquated relic of an era when computing was innocent. Hackers didn’t go after individuals; they went after big enterprises. The tides have turned and no organization or individual is safe from a hack. Besides most of my life being in the cloud, I run several cloud servers hosting various web applications (including this blog and some of my clients’ websites). Wherever I can, I disable passwords altogether OR pair a passphrase with a second form of authentication. Data safety and backup is something that I constantly have to tackle…and it’s something that you have to think about, too.

There are some easy things that you can do, and I’ll go through them from the least technical to the most.

1. Make your passwords as long as possible. Short passwords, no matter the complexity, can be cracked in less time than longer ones. An eight-character password drawn from lowercase letters, uppercase letters, digits, and a palette of 20 special characters (82 symbols in all) has $82^8 \approx 2.044\times10^{15}$ possible combinations. A 25-character password from the same palette has $82^{25} \approx 7.004\times10^{47}$ combinations, roughly $3.4\times10^{32}$ times as many. One caveat: that arithmetic assumes every character was chosen at random. A 25-character song lyric or famous quote is not 25 random characters, and cracking tools try dictionaries and phrase lists long before they resort to brute force. Length only helps when the characters are unpredictable, which is one more reason to let a password manager generate them.

2. Don’t answer the security questions truthfully. Like passwords and passphrases, I also dislike security questions. Most of the questions and answers are things that a hacker can easily locate on the Internet, and they are often self-supplied on a social media profile! If a service asks for an answer to “What street did you grow up on?”, don’t answer truthfully. Respond with something like “Purple Flying Rabbit Hippos”: nonsense, but memorable. There isn’t a logic engine behind those questions checking that you’re telling the truth. Be creative in your answer! (But record what you said, ideally in your password manager, because a forgotten answer defeats the purpose.)

3. Ensure you have anti-virus and anti-spyware software on your computer. A lot of rogue software tracks your keystrokes and sends that information to a central server, and no password survives that. Many anti-virus and anti-spyware programs capture, quarantine, and eliminate those threats. The best news is that you don’t have to shell out a lot of money for a good one: my favorites are AVG Anti-Virus free edition and Spybot Search & Destroy (anti-spyware), also free. Bear in mind that these tools catch known malware, not everything, so keep your operating system and browser patched as well.

4. When signing up for a service, make login security a part of your evaluation framework. It sounds silly, but it’s something that you absolutely have to consider in this new world. Does the service offer a second form of authentication (a code sent to your phone, or an authenticator app) on top of the password? Do your bank’s password requirements seem woefully inadequate, with a short maximum length or a ban on special characters? If I had to decide between two services that are otherwise equal in features and reputation, the one with the more robust login solution would get my nod.

5. Consider where you’re doing your computing. A lot of us take public wi-fi networks in coffee shops, public spaces, or civic institutions for granted these days. The problem is that these networks are open to everyone and their security is less than ideal: anyone on the same network can potentially observe traffic that isn’t encrypted. If you’re using a public network, ask yourself: “Do I really need to be doing my online banking or transmitting this otherwise confidential information right now?” If you must, at least make sure the site is using https. Safe computing is a mindset, too, and you have to be aware of your surroundings when you do your computing. At home, make sure that your router is locked down: WPA2 encryption with a strong passphrase, the default administrator password changed, and only devices you’ve authorized connected to the network. Check the directions for your router.

6. Change your passwords frequently and regularly. If you have a password manager (browser-based or online), that’s easy to do. If you’re not using one, consider this trick shared by a former colleague of mine: take the route of a recent trip you took and, when it’s time to change your password, move to the next city on the list (e.g. on a trip along the Northeast Corridor, move from New York City to Stamford). Keep in mind that a scheme like this is only a mnemonic; anyone who learns one of your passwords can guess the next one. But really, you should use a password manager. And whatever your schedule, change a password immediately when the service it protects reports a breach.

7 (new to this list). Consider using a different DNS service on your home router. If you have home high-speed Internet, chances are that you’re using your Internet provider’s DNS servers. What’s a DNS server, you ask? It’s the system that translates the web addresses you type (like edwardjensen.net) into the numeric IP addresses (like 141.101.125.90) that computers actually use to reach each other. You’re not restricted to your Internet provider’s DNS servers; there are alternate DNS servers that you can use. On my home network, I use OpenDNS, which handles ordinary DNS lookups (the translation I mentioned above) and can also act as a “parental controls” filter, blocking unwanted categories of websites. I also like it because it refuses to resolve known phishing and malware domains, so a bad link fails before the page ever loads. One caveat: this only protects devices that take their DNS settings from the router; a device (or a piece of malware) configured with its own DNS servers bypasses it, so treat it as one layer, not a wall.

8. Don’t use passwords. Some services don’t issue passwords but instead issue client certificates that are imported into your browser for authentication. Your browser proves who you are with the certificate’s private key, and the server proves itself with its own certificate, so both sides of the connection are authenticated. The technology is old and well understood, but consumer services rarely offer it. If you manage a lot of servers and need to SSH (secure shell) into them, generate an SSH key pair, install the public key on each server, and then disable password authentication in the SSH daemon’s configuration file so that only keys are accepted. Test the key-based login from a second session before you close the one you’re in, or you can lock yourself out.
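To make item 8 concrete, here is a small audit of an OpenSSH server configuration that reports whether password logins are still possible and emits a key-only copy. This is an added example, not code from the original post or from OpenSSH itself; the sample config is constructed for illustration, and the functions, names and the assumed pre-7.0 default for PermitRootLogin are mine.

```python
"""Audit an OpenSSH server config for password logins and emit a key-only copy.

Added example, not code from the original post. SAMPLE_SSHD_CONFIG is a
constructed stand-in for /etc/ssh/sshd_config; feed the functions the text of
your real file to check a server.
"""
import re

# A directive is "Keyword value" or "Keyword=value"; comments start with '#'.
DIRECTIVE = re.compile(r"^([A-Za-z]+)\s*=?\s*(\S+)")

# Upstream defaults that apply when a keyword is absent. PermitRootLogin
# defaulted to "yes" before OpenSSH 7.0 and "prohibit-password" afterwards;
# the pessimistic value is assumed here.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",   # keyboard-interactive (PAM) logins
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
}

# Keyword -> acceptable values; the first one is what harden() writes.
WANTED = {
    "PasswordAuthentication": ["no"],
    "ChallengeResponseAuthentication": ["no"],
    "PubkeyAuthentication": ["yes"],
    "PermitRootLogin": ["without-password", "prohibit-password", "no"],
}

SAMPLE_SSHD_CONFIG = """\
# constructed sample: a stock-looking sshd_config that still accepts passwords
Port 22
#PasswordAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""


def effective_settings(config_text):
    """Effective global value of each keyword in DEFAULTS.

    sshd honours the FIRST occurrence of a keyword, so later duplicates are
    ignored; parsing stops at the first 'Match' block, whose lines apply only
    conditionally."""
    found = {}
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        m = DIRECTIVE.match(stripped)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match":
            break
        found.setdefault(key, value)
    return {k: found.get(k, default) for k, default in DEFAULTS.items()}


def audit_sshd_config(config_text):
    """Return a list of findings; an empty list means key-only login is enforced."""
    effective = effective_settings(config_text)
    findings = []
    for keyword, acceptable in WANTED.items():
        actual = effective[keyword.lower()]
        if actual not in acceptable:
            findings.append(f"{keyword} is {actual} (want {acceptable[0]})")
    return findings


def harden(config_text):
    """Copy of the config with the WANTED directives forced on.

    The new lines go first, where first-occurrence-wins makes them
    authoritative; every existing line for those keywords, including any
    inside a Match block, is commented out so the old value stays visible."""
    managed = {k.lower() for k in WANTED}
    out = ["# key-only login, inserted by harden()"]
    out += [f"{keyword} {values[0]}" for keyword, values in WANTED.items()]
    for line in config_text.splitlines():
        m = DIRECTIVE.match(line.strip())
        if m and m.group(1).lower() in managed:
            out.append("# disabled by harden(), was: " + line.strip())
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("WEAK:", finding)
    print(harden(SAMPLE_SSHD_CONFIG))
```

After writing the hardened file to the server, check its syntax with `sshd -t -f <file>` before reloading the daemon, and confirm the result from a second terminal with `ssh -o PubkeyAuthentication=no user@host`, which should now be refused with “Permission denied (publickey)” rather than a password prompt.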

Now there’s one big caveat: following all these steps makes things better. But when you’re computing, never, ever let your guard down. Like I mentioned in number 5, safe computing is also a mindset.
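Going back to the arithmetic in item 1, here it is worked through in code, alongside the caveat about predictable phrases and a generator that produces passwords with the entropy the arithmetic promises. This is an added example, not part of the original post; the guess rate, the size of the attacker’s phrase list and the function names are my assumptions, and the Diceware list size (7,776 words) is that list’s published size.

```python
"""Keyspace, entropy and brute-force time for the passwords discussed in item 1.

Added example, not from the original post. The guess rate and the size of the
attacker's phrase list are assumptions used for illustration; real cracking
speed depends on how the service hashes passwords and on the attacker's hardware.
"""
import math
import secrets
import string

# Item 1's palette: 26 lowercase + 26 uppercase + 10 digits + 20 specials = 82.
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?/"[:20]
PALETTE = string.ascii_lowercase + string.ascii_uppercase + string.digits + SPECIALS

# Assumption: an attacker holding the leaked hash database and a GPU rig.
ASSUMED_GUESSES_PER_SECOND = 10**10
# Assumption: size of a cracking wordlist of well-known quotes and lyrics.
ASSUMED_PHRASE_LIST_SIZE = 10**6
DICEWARE_WORDS = 7776  # words in the standard Diceware list (6^5)


def keyspace(alphabet_size, length):
    """Number of distinct strings of `length` symbols drawn from the alphabet."""
    return alphabet_size ** length


def entropy_bits(space):
    """Entropy in bits when every string in the space is equally likely."""
    return math.log2(space)


def seconds_to_exhaust(space, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try the whole space; the average attacker needs half."""
    return space / guesses_per_second


def human_time(seconds):
    """Coarse, human-readable duration."""
    year = 365.25 * 24 * 3600
    if seconds >= year:
        return f"{seconds / year:.3g} years"
    if seconds >= 86400:
        return f"{seconds / 86400:.3g} days"
    if seconds >= 3600:
        return f"{seconds / 3600:.3g} hours"
    return f"{seconds:.3g} seconds"


def compare_strategies():
    """Map how a password was chosen to (bits of entropy, seconds to exhaust).

    The point of the table: a 25-character lyric is only as strong as the
    attacker's phrase list, because a cracker tries that list before brute force."""
    spaces = {
        "8 random chars from the 82-symbol palette": keyspace(82, 8),
        "25 random chars from the 82-symbol palette": keyspace(82, 25),
        "25-char lyric picked from a list the attacker also has": ASSUMED_PHRASE_LIST_SIZE,
        "4 random Diceware words": keyspace(DICEWARE_WORDS, 4),
    }
    return {name: (entropy_bits(s), seconds_to_exhaust(s)) for name, s in spaces.items()}


def random_password(length=25, palette=PALETTE):
    """A password that actually has the entropy item 1 calculates, drawn from the
    OS cryptographic random source (what a password manager's generator does)."""
    return "".join(secrets.choice(palette) for _ in range(length))


if __name__ == "__main__":
    for name, (bits, secs) in compare_strategies().items():
        print(f"{bits:6.1f} bits  {human_time(secs):>15}  {name}")
    print("generated:", random_password())
```

The table this prints makes the point of item 1 in both directions: eight random characters fall in days at the assumed rate, 25 random characters outlast the universe, but a 25-character lyric that appears in the attacker’s list carries under 20 bits and falls in a fraction of a second.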

What strategies do you use for account security and safeguarding? Let us know in the comments.