On December 14, Yahoo announced that they had suffered a security breach, and hackers had accessed a billion Yahoo accounts. In the aftermath, I’ve been advising my clients to change their passwords. And that’s when the ugly truth comes out: many of my clients don’t know their passwords.
Today’s email programs, web browsers, and operating systems store passwords for you, so once you enter yours, you may never have to type it again. Even when you get a new computer, the transfer from one machine to another often carries the stored passwords along. But what if you are setting up a new device without transferring data from another source? What if you want to change your password and first have to enter the current one?
The good news is that most sites that require a password offer a way to recover a forgotten one, such as iforgot.apple.com. The bad news is that one common method relies on security questions, whose answers may be even harder to recall than the original password.
Think about a prompt like this one: “My Best Friend Growing Up.”
One tempting solution to the password dilemma is to use the same password for everything. This is a terrible idea. If that one password is exposed, every account you use it for is at risk. In fact, there is a site that can tell you whether your accounts have turned up in a known breach: HaveIBeenPwned.com.
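The same service also publishes a Pwned Passwords “range” lookup that lets you check a password against known breach dumps without ever sending the password itself: the client sends only the first five hex characters of the password’s SHA-1 hash and matches the remaining 35 characters locally against the list that comes back. The Python below is added here as an illustration, not code from the original post; the sample response and its breach counts are constructed for the example, and only the URL format and hash handling reflect the real API.

```python
import hashlib

# Constructed sample of what the range endpoint returns for prefix 5BAA6.
# Each line is "<35-hex-char SHA-1 suffix>:<times seen in breaches>".
# The counts and the first and third suffixes are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
0123456789ABCDEF0123456789ABCDEF012:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
FEDCBA9876543210FEDCBA9876543210FED:7
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    """Only this prefix leaves the machine; the password and its full hash do not."""
    return f"https://api.pwnedpasswords.com/range/{prefix}"


def parse_range_response(text: str) -> dict[str, int]:
    """Turn the SUFFIX:COUNT lines into a lookup table keyed by suffix."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_text: str) -> int:
    """How many times the password appears in breaches according to the
    range response for its prefix; 0 means it was not in the list."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_text).get(suffix, 0)


if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print("would fetch:", range_url(prefix))
    print("'password' seen", breach_count("password", SAMPLE_RANGE_RESPONSE), "times")
```

In a live check you would fetch `range_url(prefix)` over HTTPS and pass the body to `breach_count`; any non-zero result means the password is already in circulation and should be retired.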
There are third-party password managers like 1Password that promise, “Login with a single click. You never need to remember another password again.” I respect any service that helps you be more secure, but I personally prefer to keep track of all my passwords myself rather than leave them to the tender mercies of another company. Because if 1Password were ever hacked… (in fact, there was a scare last year about that very risk!)
So what is one to do? I write down my passwords. But just writing them down isn’t enough. Let me address some comments that come up when I bring up password security:
MY COMPUTER/PHONE/TABLET STORES ALL MY PASSWORDS FOR ME.
That is a great modern convenience. It’s still a good idea to wipe that stored memory from time to time, especially if you fear your system may have been compromised by harmful software, or if you’ve ever given someone outside access to your systems. And even if you’ve never had any of those issues, it’s good practice to clear everything out and change your passwords once a year, if not more often.
I KNOW ALL MY PASSWORDS.
If that’s the case, then congratulations. You’re ahead of most people. If, however, it’s because you use the same password for all of your accounts and devices, now would be a good time to change that. Come up with some new passwords—not just variations on the same one—and write them all down on the forms below. Think of something unique, not necessarily associated with you. For instance, instead of birthdays or family members’ names, think of the title of your favorite movie or a favorite song lyric. It should be easy for you to remember, but difficult for an outsider who just wants to get at your information.
I ALREADY HAVE MY PASSWORDS WRITTEN DOWN—AND YES, THEY ARE DIFFERENT.
Again, fantastic. But ask yourself these questions:
“Is everything written down in the same place, or do I have different books, sheets, and files of varying ages, so that it’s hard to tell which is the most current?” It’s always a good idea to note the date you added or updated a password, so you can be sure which one is current.
“Is everything legible, and not just to me?” Bear in mind that somebody else—a lawyer, a family member, your friendly tech support consultant—may need to read your passwords in your absence some day. If you hand-write them, make legibility your top priority. If you type them out, make sure to note what is upper- and lower-case, since most passwords are case-sensitive.
“How difficult would it be to reset the password if the one I’m SURE worked stopped working for some reason?” Many sites and devices have options for resetting passwords, so forgetting yours may not be the end of the world. However, some services rely on security questions, whose answers can be tricky to remember as well. To help with those, we’ve included a sheet for them too.
MY HANDWRITING IS EXCELLENT.
Still, to be safe, when hand-writing your passwords and account numbers, do your best to distinguish:
It may seem like you’re back in grade school, but precise penmanship can mean the difference between access and being locked out.
DOESN’T HAVING EVERYTHING IN ONE PLACE MAKE ME MORE VULNERABLE?
That is a valid concern. Keep your list somewhere safe but accessible. If you’re worried, print the forms (below) and use only the hard copy, not a digital version that could be stolen if your device were hacked. Share a copy only with somebody you trust, along with instructions for unlocking your accounts and devices should you not be available to help. If you have a will, keep this document with it.
OFFICIAL PASSWORD RECOVERY SHEET (click to download)
OFFICIAL ACCOUNT INFORMATION SHEET (click to download)
Once you’ve printed out the forms, it may be the perfect time to come up with some new passwords. For some inspiration, I recommend reading Danish blogger Thomas Baekdal’s 2007 essay, “The Usability of Passwords.”
If you have any questions, feel free to ask for any advice you may need regarding anything mentioned above, or anything else. This is sensitive material, so it’s wise to take it seriously.
And if you take nothing else away from this post, please, please don’t let your password be the word “password.”