There are lots of new twists I've meant to go into, at some point: "strong" versus "weak" passwords, Gmail versus other online services, the pluses and minuses of online password utilities (I use and like LastPass), Google's new "state-sponsored hacking attempt" warnings, and on through a very long list.
For now, here is the single most important thing you must do today, if you're concerned about these hacking stories -- as you should be.
Today's Must-Do List: Make sure that any account that matters to you has its own password.
For me that means, as a minimum: email, banking, credit cards, medical info, investment accounts, Twitter, Facebook. The standard should be: anything that would cause you loss, embarrassment, inconvenience, harm, or worry, must have its own password. If it doesn't, you're asking for it to be hacked.
I don't care that my local OpenTable account (for example) has a weak password I've used elsewhere. No harm, no foul if it gets hacked. It's different with banking, email, etc.
It matters much less that each "this account matters" password is "strong" or "weak" than that it meets these two standards:
- You cannot be using it for any other online account; and
- You cannot ever have used it for any other account.
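Here is one way to actually check those two standards against a password-manager export, as an added example that is not part of the original post or of any password manager's own tooling. It assumes a generic `url,username,password` CSV layout, a hypothetical list of "accounts that matter", and a history file of old passwords kept only as SHA-256 digests; the sample export and history are constructed for the example and contain no real credentials.

```python
"""Audit a password-manager export for the two rules above:
every account that matters must have a password that (1) no other
account uses and (2) has never been used before.

Added example, not from the original post. The CSV layout, the
IMPORTANT list and the digest-only history file are assumptions.
"""
from __future__ import annotations

import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export (no real credentials).
EXPORT_CSV = """url,username,password
mail.example.com,jane,correct horse battery staple
bank.example.com,jane,Tr0ub4dor&3
opentable.example.com,jane,summer2012
recipes.example.com,jane,summer2012
twitter.example.com,jane,Tr0ub4dor&3
"""

# Accounts whose compromise would cause loss, embarrassment, harm or worry.
IMPORTANT = {"mail.example.com", "bank.example.com", "twitter.example.com"}


def fingerprint(password: str) -> str:
    """SHA-256 hex digest, so the history never has to hold plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed history of passwords used in the past (digests only).
OLD_PASSWORD_HASHES = {fingerprint("Tr0ub4dor&3")}  # once used on a forum


def audit(export_text: str, important: set[str], old_hashes: set[str]) -> list[str]:
    """Return one finding per violated rule, for important accounts only.

    Rule 1: the password is shared with another account in the export.
    Rule 2: the password's digest appears in the old-password history.
    Accounts not in `important` (the OpenTable case) are never reported.
    """
    rows = list(csv.DictReader(io.StringIO(export_text)))

    # Group every account by password digest to find sharing.
    users_of: dict[str, list[str]] = defaultdict(list)
    for row in rows:
        users_of[fingerprint(row["password"])].append(row["url"])

    findings: list[str] = []
    for row in rows:
        url = row["url"]
        if url not in important:
            continue  # reuse on a throwaway account is tolerated
        fp = fingerprint(row["password"])
        others = sorted(u for u in users_of[fp] if u != url)
        if others:
            findings.append(f"{url}: password shared with {', '.join(others)}")
        if fp in old_hashes:
            findings.append(f"{url}: password was used before; rotate it")
    return findings


if __name__ == "__main__":
    for finding in audit(EXPORT_CSV, IMPORTANT, OLD_PASSWORD_HASHES):
        print(finding)
```

The export itself is plaintext, so run this on the machine you trust, from a file you delete afterwards; only the history of old passwords is kept, and only as digests. In the constructed sample, the mail account passes, while the bank and Twitter accounts each get two findings: they share a password with each other, and that password is also in the history.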
I quoted a Google official (and friend) on the logic behind this step in my original story:
"Using an important password anywhere else is just like mailing your house key to anyone who might be making a delivery," Michael Jones of Google said. "If you use your password in two places, it is not a valid password."

The hacking of my wife's email account almost certainly happened because she had used that same password somewhere else. There are lots more angles here, but let's save them for later. For now, make sure that any account that matters to you has its unique password.
You're welcome. (Note: I did this after having been out all day, and hadn't yet seen Rebecca Greenfield's very good Atlantic Wire item to similar effect.)