My article on Thursday about password hygiene prompted many e-mails from readers, some detailing their own struggles with online security, others ready with tips the experts missed.
One reader, Sean Hulbert, e-mailed to say he had spent 20 years in the security industry and occasionally “taunted hackers” to crack his passwords. “To this day, I have not been hacked,” he wrote. His secret? The Alt key.
In addition to the experts’ tip that a long passphrase — such as a song lyric or movie quote — should be used instead of a password and using only the first letter or letters of each word in the phrase, Mr. Hulbert said he makes his password stronger by translating the result using the Alt key. For example, assuming the site allows passwords with special characters, he might take this line from the film “The Princess Bride” — “Hello. My name is Inigo Montoya. You killed my father. Prepare to die.”— and convert it into the 15 character password: “HmNiImYkMfPtDie.” Holding down the Alt key (on a Mac) as you type would make that password: Óµ˜ˆˆµÁ˚Âƒ∏†Îˆ´.
Another reader, Roger Bohl, wrote to say he memorizes the same basic password for every online account but tweaks it for each account by adding two or three letters based on his own simple algorithm. For example, he may start with “HmNiImYkMfPtDie” as his password for every account. Then he may add three or more letters based on the name of the vendor but amended slightly — maybe three letters down from the alphabet. So for Amazon, he may convert Ama to Dpd (“D” being three letters down the alphabet from the letter “A”, “p” being three letters down from “m” and so on) to make it: HmNiImYkMfPtDieDpd. For Chase, it might be: HmNiImYkMfPtDieFkd.
“Not unbreakable,” Mr. Bohl conceded. “But better than using a common password and easier to use than a list — and you don’t have to carry it with you.”
Many readers expressed frustration with the suggestion that they needed different passwords for every single site. “Your suggestion to never use the same password twice is impractical,” wrote Daniel Dunn. “Why not, instead, reuse the same password in contexts where it really doesn’t matter if I am hacked?”
Indeed, while many experts advise against it, some concede that they will use a “throwaway” password for sites that do not store personal or financial information, like a recipe forum.
“I use a common browser/e-mail/password combination for what I perceive as low or no risk uses,” wrote Steve Patriquen. “I then ratchet up on complexity of my security based on the escalating risk.”
David Ziegelheim appreciated the tip about using different Web browsers for different Web activities, but thought it could be taken one step further. “It should really be coupled with a recommendation to delete all cookies on a regular basis,” Mr. Ziegelheim wrote. “For a browser dedicated to financial transactions the cookie should be deleted minimally every time the browser is closed.”
Those most critical of the article were — unsurprisingly — password protection software vendors like AgileBits, which sells 1Password software. A
gileBits took issue with the fact that both cybersecurity experts cited in the story, Jeremiah Grossman and Paul Kocher, said they did not trust password protection software because they did not write it themselves, and because if their computer is stolen, hackers could access all their passwords.
“There is a very, very small
handful of people who can get away with saying that they will only trust a password management system that they build themselves,” the company wrote in a blog post. “You should definitely not trust a password management system that you develop yourself.”
As for what happens to passwords if a computer is stolen, AgileBits said it designed its 1Password software with that possibility in mind. “We’v
e made it very, very difficult for password cracking systems, such as John the Ripper, to recover your Master Password.”
The only people more angered by our password guide than AgileBits were devotees of Bruce Schneier, the security technologist and author.
“I remain skeptical of any article in t
his space that doesn’t quote or at least refer to Bruce Schneier,” one reader wrote on Twitter. (Indeed, it should be noted that Mr. Schneier designed Password Safe, a password management software that, like LastPass, SplashData and AgileBits, stores passwords in an encrypted file that you can unlock with one master password.)
Finally, many readers (and even my editor) said that after hearing aboutmy own harrowing experience with my computer’s webcam, they too were now covering their webcam’s lens with masking tape.