ALEXIS MADRIGAL, BYLINE: It's time I admitted something. Though I've written about the Internet for years my online security practices are not good. Despite constant warnings from knowledgeable friends, I persist in doing all the things with my passwords that you're not supposed to. I don't make them complicated enough, I reuse the same ones over and over. I don't change them very often and I keep a list of important ones in a file on my computer. Frankly, it's shameful.
This fall, though, I decided it was time to get serious. I made a resolution - I would come up with a system for dealing with my passwords. First, I had to figure out what I wanted to protect and email sits atop that list because if you have access to my inbox, you can probably gain access to everything else. The best way to secure an account, like Google's Gmail, is to turn on two-step verification. Basically you link your phone with your account and then when you login from a new computer, Google text messages a random six digit code to your phone that you have to enter along with your actual password. This means that even if your password fell into the wrong hands, without your phone, would-be attackers would be thwarted.
Apple's data syncing service iCloud offers the same protection, as do prominent social media services like Twitter and Facebook. So I enabled two-step verification in those places too. My particular bank doesn't offer two-step - shame on them - but many do, and the waiting for the text message and then entering the code is a minor hassle. It's worth the peace of mind. But that's only the very top security tier. Some sites are important, but not that important. And you might not want to introduce that level of friction into using them. For this trench, I decided to generate really lengthy passwords using a specialized piece of software called, logically, a password manager.
Three I've heard and read great things about are 1Password, Dashlane and LastPass. I chose to use 1Password because it's been around since 2006 and longevity seems like a good thing in the security industry. The key to a password manager is this - if you don't have to remember all the dozens of passwords yourself, then you can use really, really tough ones for each site you visit and it'll remember them all for you. The whole program is controlled by a master code, which they encourage you to make the length of a sentence and essentially uncrackable. Basically, you make a deal with yourself - remember one really, really long tough password in exchange for the software remembering the rest.
Now, I'm not going to make the picture rosier than it is. 1password is not the easiest software to use. You have to install the desktop program, then the browser extension and most likely an app on your phone. Then for every site you visit, you need to have it store that credential. Even more annoyingly, if you currently have weak passwords, you need to change those to something very difficult to guess. Then store that login in the software. Doing this over and over is quick but a hassle. For my 15-key sites, it took 22 minutes of concerted effort to complete. For other semi-important sites, I'm just dealing with them as I go.
I add a couple a day at most, so slowly my security hygiene is improving. But you know in some diets there are cheat days? I have cheat passwords. For sites that truly don't matter, where login is merely a formality, I have used and will continue to use the exact same easy-to- remember password. If someone hacks these accounts, nothing really bad can happen. I'd like to say that if you take all these steps you'll be forever safe from malicious forces, but that's not true.
In an effort to make customer service easier, many companies allow the security questions like where did you go to high school? - To stand in for your password itself. With our ever more Google-able identities and underground malicious services that traffic in Social Security numbers and other personal information, bad actors will continue to use this loophole to compromise accounts. But none of this actually sends me running from the web. All I really want is peace of mind that I did what was reasonable.
My attitude online is the same one I have off-line. Consider that we hand our credit cards to strangers every day and our private mail sits in our mailboxes untended. Theoretically we could take crazy precautions to prevent problems, but the odds are nothing horrible will happen, and people make that trade-off. Perhaps one day a fingerprint or Iris or facial scanner will completely replace all the numbers and letters that unlock our digital lives. But until then, a couple hours will go a long way towards making your data secure from criminals. Simple precautions will fend off the dumbest of them and nothing will stop the smartest.
GROSS: Alexis Madrigal is a visiting scholar at Berkeley's Center for Science, Technology, Medicine and Society and is the Silicon Valley bureau chief for the Fusion cable and digital network.