For a long time now I've been planning a review of my online security. The approach I had, which was once an adequate solution to my needs, is now fundamentally flawed and open to abuse.
The Old Approach
The old approach was simple but also overly complicated and hard to manage. It involved an assortment of email addresses and a set of three passwords of increasing strength, one for each tier of site:
| Sites | Email address |
|---|---|
| Online Banking, PayPal etc | Something @ a domain I own |
| IBM.com, Adobe.com, Twitter etc | jakehowlett@ a free email domain |
| Sites I have little interest in but have no choice but to register for | Free email address I have access to but never check |
Although I rarely remembered exactly which combo worked on which site, it never took much guessing to gain access. As time went on, though, I found myself in situations where the medium-strength password was used on sites like Amazon.co.uk, which remembers my credit card details for me. So I found myself changing the payment-linked sites to use the strong password, as well as sites like LinkedIn.com and Twitter.com which I considered "important".
Before long my strongest password was being used all over the place. Anybody who could find it out for one site could access them all (as well as my email accounts). This made me uneasy. Especially as the password I call my "strong" one would be rated medium by most password generators.
Another downside to this approach is that I've ended up with so many email accounts I now rely on. The idea was once that I'd give out an address like one @Yahoo so that, should it fall victim to over-spamming, I could move elsewhere. Nice idea, but once you give out that Yahoo address to dozens of sites, letting it go isn't quite so simple.
The New Approach
Now that email to codestore.net, rockalldesign.com and jakehowlett.com is all sent to Gmail I no longer need to worry about spam, as it does such a good job of handling it. It's time to let go of the free email accounts for everything but testing email during development and for sites I don't trust.
As for passwords, the new approach hinges on the fact that most of my online activity takes place from one PC (my laptop). It's very, very rare that I log in to the likes of Amazon, Ebay or whatever from anywhere but my laptop. With this in mind I realised I don't need to use the same password everywhere but can use software like 1Password to generate and store ultra-strong passwords.
So, I've started changing passwords on all sites, starting with those that I consider important and/or those that have my card details stored. These new passwords are generated using 1Password and look like the following:
rv2s7sdlgNorN, 9uJWLg53!/-/J, o53k/=b>w2Maj (these aren't my actual passwords ;-)
Each site I am a member of has a different password. The fact I have no hope of remembering them doesn't matter as 1Password does that for me. The only passwords I need to remember are the master password to get into 1Password's vault and the password for the email accounts registered with each service.
If ever I really, really had to log in to one of these sites from outside the house then all I need is access to my email inbox so I can use the "Forgot Password" reminder process to gain access.
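To make the new approach concrete, here is an added example (my own code, not 1Password's) that generates one password per site, of the shape shown above, from the OS's cryptographic random source and estimates how much harder such a password is to exhaust than a typical hand-made one. The character set and the guess rate of 10 billion per second are assumptions.

```python
import math
import secrets
import string

# Constructed character set approximating the shape of the example passwords
# above (mixed-case letters, digits and a few symbols); 1Password's own set may differ.
ALPHABET = string.ascii_letters + string.digits + "!/-=<>@#$%&*+?"


def generate_password(length: int = 13, alphabet: str = ALPHABET) -> str:
    """Draw `length` characters uniformly from `alphabet` using the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years needed to try every candidate at the given guess rate.
    The rate is an assumed offline-cracking speed; online logins are far slower."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def per_site_passwords(sites):
    """One independently generated password per site, so a leak at one
    site tells an attacker nothing about the others."""
    return {site: generate_password() for site in sites}


if __name__ == "__main__":
    vault = per_site_passwords(["amazon.co.uk", "paypal.com", "twitter.com"])
    for site, pw in vault.items():
        print(f"{site:14} {pw}")
    # 13 generated characters vs. a typical 9-character hand-made password
    # built from lowercase letters and digits.
    strong = entropy_bits(13, len(ALPHABET))
    handmade = entropy_bits(9, len(string.ascii_lowercase + string.digits))
    print(f"generated: {strong:.1f} bits, ~{years_to_exhaust(strong):.3g} years")
    print(f"hand-made: {handmade:.1f} bits, ~{years_to_exhaust(handmade):.3g} years")
```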
It's going to be a long drawn-out process reviewing every site I've ever registered with. By the end of 2011 I hope to no longer be using my free email accounts day-to-day. If by the end of next year I've not had an email from, or cause to log in to, a website then I'll consider it no longer necessary. By then I will no longer be using the old "strong" password.
I know what you're thinking. What if my laptop gets stolen? Well, the passwords are encrypted and the master password is what I'd consider unguessable by anything but a sustained attack. But what about losing my passwords? Well, 1Password does a daily backup to my NAS server, so that's covered.
I'd be interested to hear what your approach is and whether you think the above approach is in any way flawed.
The quest for a simple life online continues...