You’re making a mistake if you’re using the same password as your credentials for more than one website. I know; I know. I see your disapproving stare and the glazed look in your eyes. I know you cannot possibly memorize unique passwords for every website—neither can I. Just stick with me and I’ll explain the whys and hows.
Why You Should Use Unique Passwords
Let me start with an example of an all-too-common situation that happens to unsuspecting people every day. Let’s pretend I’m a website developer for an online forum. You decide that you would like to participate in the forum, but it requires you to register with a username and password. You begrudgingly fill out the registration form using the easy-to-remember username/password combo you use for everything else.
You may not realize that as soon as you’ve finished filling out the registration form I, as the website developer, can pull up the website database and (if passwords are stored as you typed them) read your password as well as any other information you have provided, such as your email address. If I were particularly bad I could sell my database of usernames, passwords, and email addresses to someone else, and lists like that are exactly what gets fed into automated login attempts against other sites.
I should note that good developers would not store your password in plain text in the database like this. They would instead store a one-way representation of it: a salted, deliberately slow password hash (bcrypt, scrypt, PBKDF2, or Argon2). A fast general-purpose hash such as MD5, which many sites have used for this, is not adequate, because anyone holding the database can test billions of guesses per second against it and has precomputed tables for common passwords. But you have no way of knowing what kind of storage a given site uses, so you should assume the worst.
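The difference between those two storage choices is easiest to see by attacking both. The following is an added example, not code from the original article or from any site it mentions; the wordlist, the two users and the iteration count are constructed for the demonstration (real password lists run to hundreds of millions of entries, and current OWASP guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations).

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample wordlist standing in for a leaked password list.
WORDLIST = ["123456", "password", "letmein", "qwerty", "iloveyou", "monkey1"]

# Hypothetical iteration count for the demo; OWASP guidance for
# PBKDF2-HMAC-SHA256 is 600,000, which makes each guess noticeably slower.
DEMO_ITERATIONS = 100_000


def md5_store(password: str) -> str:
    """The weak scheme: unsalted MD5. Same password -> same hash for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_md5(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on unsalted MD5: one cheap hash per guess, and because
    there is no salt the guess->hash table can be precomputed once and reused
    against every user of every site that stores passwords this way."""
    for guess in wordlist:
        if md5_store(guess) == stored_hash:
            return guess
    return None


def pbkdf2_store(password: str, iterations: int = DEMO_ITERATIONS,
                 salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. The record carries everything needed to verify later."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(record: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """Same dictionary attack, but every guess costs a full PBKDF2 run and
    nothing can be precomputed across users because every salt differs."""
    for guess in wordlist:
        if pbkdf2_verify(record, guess):
            return guess
    return None


if __name__ == "__main__":
    # Two forum users who happen to share a password (constructed example).
    alice_md5, bob_md5 = md5_store("letmein"), md5_store("letmein")
    print("MD5 identical for both users:", alice_md5 == bob_md5)
    print("MD5 cracked from wordlist:", crack_md5(alice_md5, WORDLIST))

    alice_rec, bob_rec = pbkdf2_store("letmein"), pbkdf2_store("letmein")
    print("PBKDF2 records differ (per-user salt):", alice_rec != bob_rec)
    print("PBKDF2 cracked from wordlist:", crack_pbkdf2(alice_rec, WORDLIST))
    print("Random unique password cracked:",
          crack_pbkdf2(pbkdf2_store("9Vz!qL2#rTe8wBn$"), WORDLIST))
```

Two things to notice when you run it. With MD5, both users' records are identical, so the database itself reveals who shares a password, and one lookup cracks both. With PBKDF2 the records differ and each guess is expensive, but "letmein" still falls to the wordlist, just more slowly. Proper hashing on the site's side limits the damage; what actually protects you in the leaked-database scenario is a long random password that you use nowhere else.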
Your Unsecured Passwords are Valuable to Others
Once I have your password information, I could attempt the following:
- I can attempt to log-in to various services that are common—such as Facebook, Twitter, Amazon, Google, eBay, PayPal, etc. Inside these accounts I could change your passwords, post on your behalf, make purchases, and possibly transfer money.
- I can attempt to log-in to your email account using the password you provided. If this works, I can change your email password so you no longer have access to your email. In addition, with access to your email I can reset almost any password for any other website via a “forgot password” link. Remember that when you forget your password websites typically send you a temporary password via email or they send a special link to your email to reset your password.
Certain services are getting better about security. Apple requires that you provide the security code printed on your billing credit card (the three- or four-digit CVV/CID) before making purchases from a new Apple device. Google warns you about unusual activity on your account, such as a login from an unexpected location. Google, Dropbox, and Facebook are popular services that have integrated two-step verification: after your password, you must also enter a code, typically sent to your phone as a text message when you log on at a new computer. A texted code is far better than a password alone, though it can be intercepted or redirected (for example through a SIM swap), so prefer an authenticator app where the service offers one.
My Learning Experience with Fraud
In May of 2010 I signed up for a website and made a poor choice to use the same password that I use for my Apple ID account (which is used for iTunes and the App Store). I had done this many times before but it had never caused a problem so it didn’t cross my mind that it was an issue.
Within 24 hours I had an email from Apple saying my account had been locked due to fraudulent activity. Needless to say, I was quite confused. The person who had stolen my account information—or rather the person I had freely given my account information to—purchased an iTunes gift card using my Apple ID. Apple somehow realized this was fraudulent and locked my account.
I Have to Prove That I Am Me?!
As a long-time Apple user, this was horrible! I know it sounds dramatic because it could have been much worse. However, I rely on Apple devices every day. I was not able to purchase apps, update apps, or log into MobileMe. If this happened today it would also prevent me from accessing iCloud, which keeps all of my devices in sync. Had the person who accessed my account been more malicious they could have logged into “Find my iPhone” and remotely erased my device. I was actually quite lucky.
It took me three weeks on the phone with Apple every day to get this straightened out. The reason for this is simple. Once someone else has access to your account it’s often difficult for you to prove you are really YOU! You also cannot rely on a big company, such as Apple, to give support priority to an account with proven fraudulent activity, regardless of the situation.
Finding the Best Password Manager
Since my life and livelihood were increasingly entangled with online services, I knew there must be a better way to manage these services and the credentials that go along with them. After researching the issue of password security it became clear that I needed to find a usable password keeper. I also realized I needed a reliable password system in place to begin using different passwords for each website. I tried a few services (including password-manager freeware and shareware) and ultimately didn’t like them for various reasons. After a lot of research and trial and error I came up with a list of characteristics that a solution would need in order for me to successfully integrate it into my day-to-day life:
- Cross-Platform Compatibility (iPhone, iPad, Mac, Windows, and Android) — My everyday devices include a Mac at home, Windows computer at work, iPhone, and iPad. I need to rely on using the same solution across all of these devices.
- Synchronization Across Devices — It’s important for the software to work on all of my devices. It’s just as important to keep the data in sync across all devices automatically.
- Reliable Support and Continuous Software Improvement — It’s important for software to have great reviews, great support, and a track record of continuous updates. You should feel confident that if you invest in a developer, they will invest in you as a customer.
And the Winner is…1Password
My research pointed in one direction. After all of my experimenting there was a clear winner. AgileBits has developed a fantastic cross-platform application called 1Password that:
- stores your passwords with strong encryption
- generates unique random passwords with numbers, letters, and/or special characters
- has browser plugins/extensions for Internet Explorer, Safari, Firefox, and Chrome to make filling in passwords simple
- uses Dropbox or iCloud to keep all of your devices in sync, if you so choose
- securely stores other types of data (such as credit card numbers, identification numbers, PDF files, and text)
- has extensive support and continuous development and updates
- has software for iPhone, iPad, Mac, Windows, and Android
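What a password manager's generator actually buys you is uniformly random characters from a cryptographic random source, and enough of them. The following is an added example of that idea in Python, not AgileBits code and not a description of how 1Password's generator is implemented; the symbol set, the 20-character default and the 1e10 guesses-per-second figure are assumptions chosen for the illustration.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
# Symbol set chosen for this example; real managers let you tune it for sites
# that reject certain characters.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def character_classes(use_digits: bool = True, use_symbols: bool = True) -> list:
    """Character classes enabled for generation; letters are always included."""
    classes = [LOWER, UPPER]
    if use_digits:
        classes.append(DIGITS)
    if use_symbols:
        classes.append(SYMBOLS)
    return classes


def generate_password(length: int = 20, use_digits: bool = True,
                      use_symbols: bool = True) -> str:
    """Random password drawn with the `secrets` module (a CSPRNG), never with
    `random`. Guarantees at least one character from every enabled class,
    which is what most sites' complexity rules demand."""
    classes = character_classes(use_digits, use_symbols)
    if length < len(classes):
        raise ValueError(f"length must be at least {len(classes)}")
    alphabet = "".join(classes)
    chars = [secrets.choice(cls) for cls in classes]            # one per class
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed characters
    # do not sit predictably at the front of the password.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password: str, use_digits: bool = True,
                 use_symbols: bool = True) -> bool:
    """True if the password contains at least one character from every enabled class."""
    return all(any(ch in cls for ch in password)
               for cls in character_classes(use_digits, use_symbols))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random password: log2(alphabet_size ** length).
    The per-class guarantee above removes a negligible fraction of the space,
    so this remains a close estimate."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every password at a given guess rate. 1e10/s is an
    assumed figure in the range of a GPU rig against unsalted MD5; against a
    slow salted hash the rate is orders of magnitude lower."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    alphabet_size = len("".join(character_classes()))
    pw = generate_password(20)
    bits = entropy_bits(20, alphabet_size)
    print(pw, "ok" if meets_policy(pw) else "policy-fail")
    print(f"20 chars: {bits:.1f} bits, {years_to_exhaust(bits):.2e} years at 1e10 guesses/s")
    # Compare with an 8-character password of the kind people reuse everywhere.
    short_bits = entropy_bits(8, alphabet_size)
    print(f"8 chars:  {short_bits:.1f} bits, {years_to_exhaust(short_bits):.2e} years")
```

With the 85-character alphabet used here, 8 random characters give about 51 bits, which a fast hash at the assumed rate exhausts in days; 20 characters give about 128 bits, which is out of reach at any rate. The reason to let the manager generate the password rather than inventing one is that human-chosen passwords are nowhere near uniform, so their real entropy is far below what this formula says for their length.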
My Workflow with 1Password
I have completely incorporated 1Password into my workflow, to the extent that it has become an important component of my productivity arsenal. Its flexibility has also enabled me to use 1Password to store other types of data securely (such as credit card numbers, frequent flyer numbers, scanned copies of identification cards, scanned copies of legal documents, software licenses, etc.).
- I use the application multiple times a day to access one of the hundreds of logins that it stores for me.
- When filling out a registration form on a website I first pull up 1Password to generate a password for me.
- I use the application to store digital copies of everything in my wallet. This means I always have my wallet contents handy as long as I have a computer or an iOS device within reach.
- I only have to memorize two passwords: (1) my 1Password master password, and (2) my email password. My logic for memorizing my email password is that if something happens and I cannot access 1Password for some reason, I would be able to use my email to reset the password I cannot remember.
Related article: How Apple and Amazon Security Flaws Led to My Epic Hacking, by Mat Honan