Passwords. When you hear password, what is the first thing you think of? The image the word evokes for me is a thick iron door with a sliding hatch, complete with the gruff guard you can smell before you see snarling “What’s the password?!”. Do you think every seedy tavern has the same password to let people in? Jump forward to the real world and what passwords mean today. I talk often about the importance of managing your passwords regardless of if they are business or personal related. One of the most, if not THE most important password, is your email password. Why might you ask? When you visit a website and are unable to remember your password, most of them have the option to leverage the “I forgot” feature. The process is simple, you tell the website you forgot your password and a few options are presented to make sure you are who you say you are. The questions asked are varied, things like your email address or maybe a question and answer profile you configured when registering for the site. Chances are, hackers already have your favorite passwords, questions, and answers because of data breaches over the last 5 years. In rare cases, the website might even send you a text message to confirm its really you. Generally, you will need the email that is sent from the website to facilitate the password change.
Now, imagine that you lost access to your own email account because of a hack. What would you do? Have you ever tried to call or use the contact us option for most email services? Remember, most email accounts are free and the support experience will feel painfully free by the time you are done. The good news is that most email hosting companies are moving to a model similar to that of banking. They require either a second factor or assurances that the device you are accessing the site from has been authorized by the account holder (browser cookie, not like cookie monster cookie). The bad news is given 5-10 minutes I could make another device look like your device and have access to your account unless that second factor was enabled. Also, where email hosts differ from banking is they don’t enforce or really even encourage enabling strong passwords. In most cases, you have to dig a little bit into account settings to even turn on the advanced security features. Do yourself a favor and spend a few minutes enabling stronger security for your email account. If they don’t offer it, think about what your information is worth and consider a new email host.
If you take one thing away from this discussion today, it is the recommendations below. While not a comprehensive list, you should be able to think about what your personal strategy is currently and maybe how it might look in the future. Here are a few things to think about:
1. If you want to do password management manually, you should understand how complex your passwords really are and how complex they should be. Going it alone is hard so understand your options before going all in.
2. Use different passwords on Every. Single. Site.
3. Delete that password file you keep in a “safe” place. The spreadsheet or word doc with all your passwords in it is akin to throwing your house key under the front mat. It’s the first place I would look if I wanted in (the flowerpot would be second).
4. Password hints are dangerous, don’t use them. Hackers don’t need any more help gaining access to your data.
5. Clear the passwords in your browser and don’t use the auto fill feature. The passwords in your browser are not protected in any meaningful way. If you want auto fill, see option 7.
6. Enable dual or multi factor on any website that offers it. There are several “authenticators” out there that you can download to your smartphone.
7. Consider leveraging a secure password manager and vaulting solution. Password management does the hard work for you. How can you get yourself in trouble when you don’t even know your password?
In the next part of this series, I will break down the three real options you have to manage your passwords and give you a few suggestions on what has worked for me. Better yet, I would like to hear from you on your success and failures related to passwords.