Yes, they are out to get you. Yes, they want your passwords. And if you're like most folks out there, you've given them plenty of ways to take them from you. If you're dead serious about securing your online life, here's the crazy serious approach to locking down and protecting your accounts.
1. Do not use the same password for more than one account - ever. This is the #1 mistake people make, says Joe Siegrist, CEO at password management software vendor LastPass. Once someone penetrates one account they can start breaking down doors to your other accounts. They also may be able to gain access to other information that's useful in hacking into your other accounts, such as your email address, billing address, the email address you have set up for password reset, the last four digits of your credit card and the answers to the challenge questions set up for that account. Changing out all of those duplicate passwords is time consuming, but it's time well spent.
2. Make challenge questions more challenging. Don't use real answers, and don't use the same answer more than once. Security challenge questions such as where you were born or your first pet's name are supposed to provide an extra assurance that the person logging into your account is really you by posing questions only you would know. They don't. The reality is that, in the era of social networking, other people either know or can find out many of the answers. What's more, the security question answers gleaned from a compromised account can be used to help attackers break into others. Siegrist uses randomly generated passwords as challenge question answers and stores them in his password manager profile for each site.
3. Use strong passwords for all of your accounts. If you're like me, you probably use a strong password for online banking and weaker, easier to remember passwords for less important accounts, such as that New York Times online subscription or the Pandora music streaming service. Perhaps you even reuse the same password for many of these second-tier accounts. It's easier that way. After all, what's the worst that can happen if someone accesses your New York Times subscription?
Audit those sites and see for yourself. "You give up a lot more than you remember, and they store that," says Siegrist.
4. Get a password management program - and use it. If you're going to instill some discipline into your approach to password management you're going to need a way to track all of those details. A good password manager will generate strong passwords for you, store them in encrypted form, and fill in the blanks when you visit a site for which it has stored your login credentials. But your master password becomes the key to the kingdom. It needs to be more than just strong. It needs to be big.
Sign up for CIO Asia eNewsletters.