Passwords are the nuisance of the modern computing age, yet they are one of the linchpins necessary to keep your information safe. I am often asked, “how can I manage my passwords?” Here’s what I’d tell my mom, who recently asked just this question.
Most of us have dozens, if not a hundred or more personal online accounts. Focus your “create-a-really-strong-password” energy first on your accounts with your banks, your email, your social networks, and your cloud providers who store personal information (think Evernote, Dropbox, iCloud).
Why these? Your financial accounts control your money. Your email account is needed to reset passwords. Your social accounts link to your identity, and in many cases, they are also used to login to other web sites. Your cloud storage accounts may have documents and contacts with privileged information.
So just how do we manifest this “create-a-really-strong-password” energy? We have a few tips to get the gears working so you’ll be on the right track with your password security for Tiller and around the web.
1. Choose complex (hard to guess) passwords that are unique for each account.
You don’t want to use the same password with your bank, your music subscription service, and your local gym. I can guarantee that your local gym’s systems are less secure than your bank. If someone hacks or discovers the password you use at your local gym, you don’t want them to also have access to your bank data.
The challenge is to create a unique password, but also one that you can remember. Your birthday, hometown, address, phone, or the name of a child or family member are too easy to discover and guess.
Struggling to think of a good password? One idea is to think of an association you have with a brand, and then create a formula for using that association. For example, I associate Madison Park when I think of Bank of America, because that’s the neighborhood where I opened my first bank account as a kid. To create a unique but memorable password, I might go with MadisonIsWhereItBegan. In contrast, the Wells Fargo brand conjures up the iconic wagon, which reminds me of summer camp as a kid. Maybe my password for Wells Fargo could be 12HiddenValley since I was 12 went I went to Hidden Valley camp with all its horses and wagons. Ideally, you want a combination of uppercase, lowercase, numbers, and special characters.
If you want a tool to help you store and recall passwords, we are also fans of the 1Password service that works with Mac, Windows, iOS, and Android.
2. Enable two-factor authentication on your critical accounts.
Every major email, social, and cloud provider offers two-factor authentication as an option. Many banks do too, and those that don’t are working to enable it. Not sure what we mean by two-factor? Google has a helpful overview that explains two-factor, and adding it to your Google account is a good place to start. https://www.google.com/landing/2step/
Curious to know which organizations support two-factor? Check twofactorauth.org for an updated list.
3. Set up a unique verbal password on your mobile phone account.
When you call in for help, many cell phone companies will identify you by the last four of your social security number. We recommend using something different because your social security number is widely used from doctors offices to loan applications. If you’re going to use your cell phone for two factor authentication, you need to make sure your mobile phone account is secure. Set up a unique verbal password or PIN that your cell phone provider can use to identify you when you call (and of course, make sure your web password is unique for your mobile phone account too).
4. Never give your password out to anyone by phone or in person.
For example, your bank is never going to ask for your website login password over the phone. You may have a separate password you’ve set-up with them to verify your identity when you call, but this isn’t your web password. Similarly Amazon, Microsoft, Apple, and others will never ask for your password on the phone. They’ll use other information to verify your identity (like your address and the last four of your credit card), but they’ll never ask for your web password.
I personally have a scammer purporting to be from Microsoft who calls me regularly to let me know my Windows account has a virus. He would like my Windows login credentials and also my bank account details so I can pay for a fix. Like any good con artists, he’s endearing. In this case, I don’t use Windows, and he’s not from Microsoft.