Recently, someone I know had two separate bank accounts affected because a criminal gained access to his PayPal account. The “hack” was not due to a security flaw in PayPal’s site (though, as you’ll see, it could be better), nor was there a breach of security at PayPal’s datacenter. The cause was lack of password management.
Nowadays, we tend to collect online accounts like spare change in the ashtray. (By a quick count, I have over fifty.) Keeping track of all these usernames and passwords is a daunting task.
Many sites require you to use your e-mail address as your username (PayPal, eBay, Netflix, Amazon, Twitter and Facebook, for example). This makes usernames easy to remember, but it also means that a criminal already knows one half of your username/password combination. Security experts say to use a different password for each account, but it’s a pain to remember fifty different passwords, so we tend to use the same one or two for all our online accounts.
Let’s say you sign on to Facebook at a coffee shop over an open public Wi-Fi network, or you log on to Netflix on a friend’s computer that has been compromised by spyware. Your e-mail address and password may end up in some criminal’s database, or in one that is sold on to other criminals. If you’ve used this password for other sites, you’re in trouble.
What happens next is what the industry calls credential stuffing: the criminal replays that same e-mail address and password at popular sites like PayPal, Amazon, eBay, etc. Since it’s all automated, they can try thousands of sites in no time. When they find one that works, they’ll withdraw money, or run up big bills, and you’ll spend days talking to fraud department auto-attendants, and running around changing bank accounts and card numbers.
Online banking and other financial sites are more secure because they use unique usernames, additional authentication methods (a second factor such as a one-time code) and other checks to make sure that you are who you say you are when you sign in. The weak link is non-banking sites that have your credit card or bank account details on file. Typically, they use single-factor authentication (password only), which only holds up if you use a different password at each site.
The simple solution is to use a different password for each account. “But,” you’ll say, “I can’t remember that many different passwords!” Yes, you can. Here’s how:
Start by creating a base password of five to seven characters. It should be easy to remember, but it should include at least one of each of the following: lower-case letters, upper-case letters, numbers, and special characters.
Here’s one, for example: “I’m#1”
Next, decide on some letters to use from each site where you set up an account. For instance, you might use the first two and last two letters from the Web site’s name. In the case of Facebook, that would be “fa” and “ok”. For Netflix, it would be “ne” and “ix”. (You could just as easily pick the last four characters, or every other letter, or some other combination, but keep it consistent.)
Now that you have a base password and a site-specific set of characters, put them together. (Again, keep the method consistent.) Using the example above, your Facebook password might be “faI’m#1ok” and your Netflix password might be “neI’m#1ix”. Looking at a single leaked password, it would be hard for someone to tell that you have a pattern, and automated credential stuffing only replays the exact password it was given, so one leak no longer hands the criminal every other account. The caveat is that two leaked passwords from the same scheme, compared side by side, expose both the base and the pattern, so if you learn that two of your accounts have leaked, treat the base password as burned and pick a new one.
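The procedure above, worked through in code. This is an added example, not code from the original post: it implements the post’s “first two and last two letters” rule with the post’s example base password “I’m#1”, and then shows the failure mode from the attacker’s side, assuming the affix rule is exactly that one and using a constructed two-row “leaked database” built from the post’s own Facebook and Netflix examples.

```python
import re
from typing import Dict, Optional, Tuple

# The post's example base password.
BASE = "I'm#1"


def site_letters(site: str) -> Tuple[str, str]:
    """Site-specific prefix and suffix: the first two and last two letters of the
    site's name, which is the post's example rule (Facebook -> "fa", "ok")."""
    name = re.sub(r"[^a-z]", "", site.lower())  # letters only, e.g. "Netflix" -> "netflix"
    if len(name) < 4:
        raise ValueError(f"site name too short to take two letters from each end: {site!r}")
    return name[:2], name[-2:]


def derive(base: str, site: str) -> str:
    """Build the site password as prefix + base + suffix, as the post describes."""
    prefix, suffix = site_letters(site)
    return prefix + base + suffix


def recover_base(leaked: Dict[str, str]) -> Optional[str]:
    """Attacker's side: the longest substring shared by every leaked password.
    Two passwords built from the same base are enough to expose it; a single
    leak tells the attacker nothing about the scheme, so we return None."""
    if len(leaked) < 2:
        return None
    passwords = list(leaked.values())
    shortest = min(passwords, key=len)
    for length in range(len(shortest), 0, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in pw for pw in passwords):
                return candidate
    return None


def guess_password(leaked: Dict[str, str], target_site: str) -> Optional[str]:
    """Attacker's side: recover the base from the leaks, confirm that the
    leftover characters of each leak are that site's first-two/last-two
    letters (the assumed affix rule), then predict the password for a site
    that has not leaked. Returns None when the leaks do not fit the rule."""
    base = recover_base(leaked)
    if not base:
        return None
    for site, pw in leaked.items():
        prefix, _, suffix = pw.partition(base)
        if (prefix, suffix) != site_letters(site):
            return None  # affixes are not "first two + last two"; rule unknown
    return derive(base, target_site)


# Constructed sample: the post's two example passwords, as an attacker would
# see them after two unrelated breaches. Not real leaked data.
LEAKED = {
    "Facebook": derive(BASE, "Facebook"),  # "faI'm#1ok"
    "Netflix": derive(BASE, "Netflix"),    # "neI'm#1ix"
}

if __name__ == "__main__":
    for site, pw in LEAKED.items():
        print(f"{site}: {pw}")
    print("recovered base:", recover_base(LEAKED))
    print("predicted PayPal password:", guess_password(LEAKED, "PayPal"))
```

With only the Facebook password in hand the attacker gets nothing from this scheme, which is the post’s point. With both rows, `recover_base` finds “I’m#1” by longest common substring and `guess_password` predicts the PayPal password without ever having seen it.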
Here are some tips for using this method effectively:
- Try to keep your resulting passwords between eight and ten characters long. That’s short enough to be accepted by the majority of sites; use the longer end of the range, or longer still where the site allows, since length is what makes a password hard to brute-force.
- If, for some reason, you need to give someone your password for a site (and you should not do this unless absolutely necessary), just tell them that one password. Don’t tell them your pattern, because then they have your password for every site.
- If you use one or more shared accounts (for instance, access to a corporate bank account) and you want to use this method, don’t use the same base password as you do for your personal accounts.
- Some sites require you to change your password every so often, which breaks the consistency this method relies on. In that case, change your base password for that site only, and write down just that base password (never the full password or the pattern) somewhere safe.