Today with many of my colleagues, I’m off to RSA Conference, a five-day event focused around information security. While getting ready for the conference, I spent a little time reflecting on my personal security practices and lessons I’ve learned over the years.
Once upon a time I played a very fun game called how many email addresses can I have? That soon expanded into how many online merchants will I shop with, how many blogs will I update and how many game and news sites will I participate in?
Around this time I cleverly decided that my master passwords for “work stuff,” “school stuff” and “personal stuff” should all be different — just in case. I’ve always been paranoid, so all of the passwords were eight-plus characters with numbers, a healthy mix of upper and lowercase letters, and some special characters thrown in. Of course, not all sites allowed long strings or special characters, so I had a few shorter passwords available for sites that limited password flexibility.
By the time online banking and e-pay options took off, I had a whole new crop of passwords to remember. Financial passwords, health-related benefits passwords, government passwords – the game was a little higher stakes and so of course each of those sites needed their own passwords.
This inspired a mental model redesign: in addition to having different passwords for “work,” “school” and “personal,” I started stratifying by risk level. I had throw-away passwords for sites that I rarely use and don’t have much info on me that needs protecting, all the way up to unique, highly complex passwords for sites that, if my account was compromised, could have an impact on my privacy or productivity. These “families” of passwords worked for the most part, though I have to admit the buffer in my brain for passwords was starting to overflow.
The train went off the rails when sites that used email address as usernames started getting compromised en masse. Now, my entire families of passwords needed to be replaced. As a result, I’ve given in — I can’t remember them all! Instead, I’ve gotten software that will securely store all my passwords in one place, regularly backed up to multiple locations (and in encrypted form, naturally). I have it setup to be available on all my regularly used devices and the software will create passwords for me too. These are randomly generated strings with as much complexity as I like!
I’ve also opted into SMS or mobile device-based authentication where possible, so that if someone hijacks a session or brute forces my password, I have an added level of security. SMS-based authentication for users was recently introduced at Tagged and I’m excited that so many users have opted into stronger security.
As an industry, we used to assume that more security meant more inconvenience, but simplifying strong authentication has definitely made my life more convenient! So no more password families and no more password construction “rules.” Just easy, secure authentication wherever I go online.
Allison Miller is the Director of Security and Risk Management at Tagged.