How to Remember All the Passwords You're Resetting

If you’re like most people, the news of the Heartbleed bug and how broadly its security flaw spread is worrisome enough. But the list of sites where you absolutely have to change your passwords looks daunting for anyone. You probably have to change passwords on your email, your Facebook, and maybe even your online dating profile, not to mention potentially countless online shopping sites (depending upon the depth and breadth of your need to shop until you drop).

If you’re like a lot of people, you probably think that you can come up with one indecipherable password, maybe one that isn’t even a word, and then reuse it because no one will ever guess. But the Heartbleed bug, like the hacks of Kickstarter and some Yahoo emails earlier this year, should have you questioning that assumption.

In these attacks, hackers don’t have to guess one password, or even try out a few easy ones (like the word “password,” which you should always avoid), to get into one account. Instead, they go after a site’s database of all users’ logins and passwords and, no matter how strong you think yours is, they’ve got it.

Losing one password on one site or for one account is bad enough, but the damage there can be limited: in the Kickstarter case, for instance, they reset all users’ passwords right away and only two accounts were accessed. However, if you, full of hubris about your ingenious, unguessable password, used it on another site with another login name, then the people who snagged it the first time can get into your other accounts without even having to “guess” your unguessable password.

Create a System

So if you’re in the midst of changing passwords, now’s a good time to start a password system, rather than picking one new, universal password. Using this method, you can not only prevent most identity thieves from accessing more than one account if they do get your password, but also make sure you remember what they all are.

1. Pick a meaningless combination of letters and numbers that you can remember. However, don’t use a maiden name (and especially not your mother’s), a child’s name or a favored pet. Pick the name of a beloved (or un-beloved) cousin twice removed, the name of a song you loved as a kid, or even the nursery school your best friend attended. Make up an acronym for the first line of your favorite novel or movie quote.

2. Replace a letter or two with a number or symbol (like a 5, or a $, instead of an “s,” or a 3 instead of an “e”).

3. Add a punctuation mark or two to the password at random.

4. Surround your random meaningful word with the name of the site for which it is the password, in a way that makes sense for you. If your word is “TGIF” (which it shouldn’t be!), and your punctuation mark an exclamation point (not the best one to use), then your Facebook password might be “face!TG1Fbook” and your Amazon password might be “ama!TG1Fzon.” For added security, you could also abbreviate the site names in some way that works for you.
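
The four steps above, written out as code so the per-site result can be checked. This is an added example, not part of the original article. The function names, the midpoint split of the site name, and the "i" to "1" swap (inferred from the article's "TG1F") are assumptions, and the sample input reproduces the article's own deliberately poor "TGIF" example.

```python
# Added illustration of the article's four steps; names and defaults are assumptions.
SUBSTITUTIONS = {"s": "5", "e": "3", "i": "1"}  # "i" -> "1" inferred from "TG1F"


def acronym(phrase):
    """Step 1 (one option): first letter of each word in a line you remember."""
    return "".join(w[0].upper() for w in phrase.split() if w[0].isalnum())


def substitute(word, letters):
    """Step 2: swap only the chosen letters for a look-alike digit."""
    chosen = set(letters.lower())
    return "".join(
        SUBSTITUTIONS.get(c.lower(), c) if c.lower() in chosen else c for c in word
    )


def add_punctuation(word, mark, position):
    """Step 3: insert a punctuation mark at a position you pick."""
    return word[:position] + mark + word[position:]


def wrap_with_site(site, core):
    """Step 4: split the site name at its midpoint and put the core inside."""
    name = "".join(c for c in site.lower() if c.isalnum())
    if not name:
        raise ValueError("site name has no letters or digits")
    mid = len(name) // 2
    return name[:mid] + core + name[mid:]


def build_passwords(sites, phrase, letters, mark, position=0):
    """Run all four steps per site and refuse to hand back any reused password."""
    core = add_punctuation(substitute(acronym(phrase), letters), mark, position)
    passwords = {site: wrap_with_site(site, core) for site in sites}
    if len(set(passwords.values())) != len(passwords):
        raise ValueError("two sites produced the same password")
    return passwords


if __name__ == "__main__":
    # Constructed input reproducing the article's own (deliberately poor) example.
    result = build_passwords(["Facebook", "Amazon"], "Thank God It's Friday", "i", "!")
    for site, password in result.items():
        print(site, password)
```

The uniqueness check in build_passwords enforces the point of the system: no two sites may end up sharing a password.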