20130811

Three Big Mistakes That Make Your Accounts Insecure, and one easy way to fix it

My childhood friend Betsy asked me about how to keep accounts secure on the Internet:
I ask because I believe it's way too easy for anyone who has access to a few basic sites to crack passwords based on finding common password patterns for the user. If you've thought about this, I wonder if you'd share with me what you do to ensure your own password security... I'd like to learn to be a better fortress.
She's right!  Here are the mistakes I see friends making:

1. Using the same password for all their accounts, including important ones like banking and email.
2. Writing down their passwords in a place everyone can see, like on a post-it note stuck to their monitor.
3. Choosing short passwords that are easily guessed by a bad guy with a computer.  Most people's intuition about which passwords are good is exactly backwards.


To fix all three problems at once, I use LastPass.  My hacker buddy Marian turned me on to it.  LastPass makes it easy enough to have a different password for every account.  It keeps track of all your passwords on all the different sites you use.  So you only have to remember one master password -- the password to your LastPass account.  Their software can be installed on your computer, into your browser, and on your phone -- I do all three.

LastPass has a neat "generate password" feature that will generate a super-crazy strong password for you and keep a record of it.  They also will keep track of your credit card details if you like, and fill in forms for you on the web.  I use both of these a lot and it's a time saver.
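Mistake 3 above (short passwords versus a computer that guesses) and the "generate password" feature both come down to the same arithmetic, so here is an added Python example that is not from the post or from LastPass: it scores a password by the brute-force search space its length and character mix imply, and draws a new password from the operating system's CSPRNG the way a password manager's generator does. The 10^10 guesses-per-second rate and the sample passwords are assumptions for the illustration.

```python
import math
import secrets
import string

# Character classes a brute-force guesser must cover. The guess rate is an
# assumed figure for the illustration, not a measurement of any real attacker.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ASSUMED_GUESSES_PER_SECOND = 10 ** 10


def alphabet_size(password: str) -> int:
    """Size of the smallest union of classes that contains every character used."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def search_space_bits(password: str) -> float:
    """Bits of entropy *if* the password were uniformly random over its alphabet.
    For a human-chosen password this is only an upper bound: guessers try
    dictionary words and common substitutions long before the whole space."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def guesses_to_exhaust(password: str) -> int:
    """Worst-case number of candidates a brute-force attacker must try."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the search space at the assumed guess rate."""
    return guesses_to_exhaust(password) / rate


def generate_password(length: int = 20, alphabet: str = "".join(CLASSES)) -> str:
    """Draw a password from the OS CSPRNG (secrets), as a manager's generator does.
    random.choice is not acceptable here: it is seedable and predictable."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed samples: a short "clever" password, a long lowercase-only random
    # one, and a full-alphabet generated one. Length wins over cleverness.
    for pw in ("P@ssw0rd", generate_password(16, string.ascii_lowercase), generate_password(20)):
        days = seconds_to_exhaust(pw) / 86400
        print(f"{pw!r:28} {search_space_bits(pw):6.1f} bits  ~{days:.3g} days to exhaust")
```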

I was a little scared at first about the idea of entrusting all my passwords to LastPass.  After researching them a bit and thinking about it, I realized that all the reasonable alternatives to LastPass are considerably less secure.  What other ways are there?

  • keep your own file with all your passwords - how are you securing that file?
  • use the same password on every site - hope none of those sites are run by crooks
  • remember all your different passwords - good luck!
  • keep your passwords on paper - what could possibly go wrong?

What do you think?  Do you have a password system you like?


P.S. I should have mentioned one other thing you can do to lock down your important accounts.  It's a simple neat trick with a stupid name -- "two-factor authentication".  What it means is that to get into your account, you need two things; for example, both your password and your phone may be needed to log in to your email account.  That way, if the bad guy gets your password but not your phone, he's out of luck!  Gmail offers two-factor authentication, as do many banking sites.  Do it!
