I regret to say that every day I get a message or two like the one below. "Regret" because of the churn and hassle the people who write are going through; regret because I generally intend to do something with or about the accounts -- write a post, figure out better answers -- but generally something else comes up.
So let me just put up the latest email-distress account more or less the way it just came in. For those joining us late, three points of background:
- For how and why I got an immersion in the world of hacking and passwords, see this report of the time a West African attacker took over my wife's Gmail account and zeroed out six years' worth of correspondence.
- For the importance of Gmail's "two-step authentication" system, which the reader refers to, see this and this - but mainly turn it on now. If you feel brave, you can wait until after you read the message below.
- For background on one question the reader asks, about whether he needs to change an entire suite of "reallllly long passwords," consider these truths of password-ology: The longer a password (and most systems now take very long ones), the harder it will be for an attacker to crack through a "brute force" attack. After all, each additional character in a password can increase the number of possible combinations nearly a hundred-fold, if you allow for upper and lower case letters, numbers, special symbols, etc. On the other hand, really long passwords can be easy for you to remember, if they're based on some mnemonic - an entire verse of a song, a list of streets in your hometown, anything.
The reader says that he has applied these principles by making his passwords loooonnngg, basing them on phrases familiar to him, and then adding minor variations according to a principle. To give a very simple example, an Apple password could be something like:
TheRainInSpainFallsMainlyOnThe!Apple&Plain
and then, for Amazon: TheRainInSpainFallsMainlyOnThe!Amazon&Plain, and so on.
This wouldn't be a good combo, because anyone who guessed the first four or five words would have a key to the rest. Still, you get the idea.
He is wondering if his whole approach is now at risk.
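As an added illustration (not from the original post or the reader's email), here is a small Python audit that puts numbers on the two points above: how the brute-force search space grows with each character, and how little of a site-name-variant password is actually secret once the shared template is known. The password strings are the made-up ones from this post; the account names, function names and the 94-symbol alphabet are my own assumptions.

```python
import math
import string
from os.path import commonprefix

# 26 + 26 + 10 + 32 printable ASCII symbols (no space): the "nearly a hundred" per character
ALPHABET_SIZE = len(string.ascii_letters + string.digits + string.punctuation)  # 94


def brute_force_keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Candidates an exhaustive search must cover for a password of exactly `length` symbols."""
    return alphabet_size ** length


def bits_of_entropy(length, alphabet_size=ALPHABET_SIZE):
    """The same keyspace in bits, assuming every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def audit_password_family(accounts):
    """accounts: {service_name: password}. Finds the fixed template shared by every
    password and reports how much of each one is NOT covered by that template."""
    pws = list(accounts.values())
    prefix = commonprefix(pws)
    suffix = commonprefix([p[::-1] for p in pws])[::-1]
    # Keep prefix and suffix from overlapping inside the shortest password
    max_suffix = min(len(p) for p in pws) - len(prefix)
    suffix = suffix[-max_suffix:] if max_suffix > 0 else ""
    report = {
        "shared_template": f"{prefix}<X>{suffix}",
        "shared_chars": len(prefix) + len(suffix),
        "accounts": {},
    }
    for service, pw in accounts.items():
        variable = pw[len(prefix):len(pw) - len(suffix)]
        report["accounts"][service] = {
            "variable_part": variable,
            # Strength if the attacker knows nothing about the scheme
            "full_bits": bits_of_entropy(len(pw)),
            # Upper bound on what is left once the shared template is known
            "residual_bits": bits_of_entropy(len(variable)),
            # Worse still when the leftover is just the service's own name
            "names_the_service": service.lower() in pw.lower(),
        }
    return report


if __name__ == "__main__":
    # Constructed sample using the made-up passwords from the post
    sample = {
        "Apple": "TheRainInSpainFallsMainlyOnThe!Apple&Plain",
        "Amazon": "TheRainInSpainFallsMainlyOnThe!Amazon&Plain",
    }
    print(audit_password_family(sample))
```

The two sample passwords share 38 of their 42 or 43 characters, so the "different" part per site is four or five letters that also happen to spell most of the site's name.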