'2 tips for being a bit more secure online: a New Years Resolution of sorts'

Normally, I don't do New Years Resolutions. I've tried a few times, and once I made it past Jan 15th. Just once. So here's an easy and useful one that anyone can - and should - use.

**Don't use just one password for sites on the 'net. **Actually, I'll extend that to "Don't use a few simple passwords for all your sites on the 'net".

There is a really simple solution to that one. Make up a unique password for each site you use. Pity (almost) no one ever does it. Making up a password for each and every site is a nightmare - you either need a lot of post-it notes on your monitor, or you need something like LastPass or 1Password. I don't much like either of these. So I'm taking a page out of Steve Riley's book. Well, blog post's and presentations, anyway.

So, here's a few things to keep your online self a bit safer this year (and next year, and the year after):

First, split your sites into categories. Sounds complex. It's not. Here's the categories:

  • Really important stuff

  • Everything else

Really important stuff are things like Bank logins, Email logins (being thats how you recover all the other passwords!), and anything else you have which would seriously screw up your real world life if someone got in.

Things which might be in there: Facebook, Twitter, LinkedIn etc. This depends on how important these are to you. Twitter might be in for me. Facebook I couldn't care less about. Above all, try to keep the list short. We'll be securing everything - we are just identifying things which are "top secret" rather than "your eyes only".

For each of the important ones, pick a nice, secure passPHRASE. Make them have spaces if you like, a number and one uppercase letter, so it satisfies the fairly useless rules that most sites enforce. Above all, make it quite long, and make it totally unique to the site. There should only be a couple of these anyway, and these are sites where, if someone broke in, you would be seriously fucked.

For example: When 1 grow up i want to be a clown (might be a bit long to type a lot, but you get the idea. Sorry, Sas, if you are reading this). Fairly easy to remember. VERY long, which means harder to crack.

It's rather like using a special lock on your safety deposit box, rather then the $5 thing you use on your gym locker.

For all the other sites.

This is the fun bit. Make up a phrase. The one Steve Riley uses in his presentations is "My dog and I go to". It's nice and easy to remember. Your one might me "When I drink coffee I like to". Whatever. Make one up. **REMEMBER IT. This is only one thing you need to remember. **It doesn't need to be super long - 4 words is quite enough.

Then, when you go to a new site (or go back to an old site), add the domain on the end. eg:

  • My dog and I go to amazon

  • My dog and I go to twitter

If your memory is good, you could use

  • My dog and I go to buy books (for amazon)

  • My dog and I go to the park (for Facebook - park = social, get it?)

Personally, I find these overly complex. However, this makes a long, unique password for every site you use, and once you remember your phrase, you are in - and it's a pretty simple phrase to remember (I hope!).

It's also very long, which makes it hard to crack in a brute-force attack (which most are), and unique to every site you use. If you use sites which "require" a number, throw one into the core phrase (My dog and 1 go to for example).

Bonus Points

Password Recovery. If this is a site you use a fair bit, try the "I forgot my password" function. If they email you your password, in cleartext, to your email address, I suggest you email their admins and give them a serious amount of shit, as this is unacceptable.

For them to be able to email it to you, they have to store it in a way that can be be read back. If they do this, and someone hacks their servers (AHEM: all the Gawker sites), then whoever got in can read your password, too. Bit of a problem if you used the same password all over the place. Even worse if your username is your email, and you use the same password for that site and your email....

If they just email you a new password, thats ok. If they email you a link, which you go to and reset it, thats fine too. Just not the original password. The same goes for registration forms - some sites will email you your username and password when you sign up. Urgh. Just. Say. No.

So, it's all quite easy, and not at all scary. Have fun with it - humans tend to remember fun things a lot easier than complex, boring stuff.

And finally, lets go with the magic of XKCD to close