In the last couple of weeks I've noticed a big uptick in the number of unsuccessful login attempts against some of my internet accounts, mostly originating from China. It's highly likely to be part of a wider campaign targeting user credentials leaked by some of the sloppier web services out there.
So now is a good time to refresh my advice on good password management and the safety net you can throw around your own accounts.
- Never use the same password across multiple services
This should be an obvious one, but so often I get asked to help remediate issues which arise from exactly this mistake.
- For sites or services you rarely use or log in to, choose a totally random password and use the 'forgot password' link when you need access
If a service keeps you logged in on your PC or smartphone, there's no real benefit in remembering the password once both devices are signed in. Choose something long, random and untied to everything else you use, then use the password recovery option any time you actually need to log in.
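An added example of the 'totally random password' advice above (not code from the original post): it draws from the OS's cryptographic random source, guarantees every character class is present, and estimates how many bits of guessing work the result represents. The symbol set is an assumption; trim it to whatever a given service accepts.

```python
import math
import secrets
import string

# Character pools. The symbol set is an assumption; some services reject parts of it.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!#$%&*+-=?@^_"
ALL_CHARS = LOWER + UPPER + DIGITS + SYMBOLS
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def has_all_classes(password: str) -> bool:
    """True when at least one character from every class is present."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_random_password(length: int = 24) -> str:
    """Return a random password of `length` chars containing every class.

    secrets.choice() uses the OS CSPRNG, unlike random.choice(); rejection
    sampling keeps the distribution uniform while enforcing the class rule.
    """
    if length < len(CLASSES):
        raise ValueError("length must allow one character from each class")
    while True:
        candidate = "".join(secrets.choice(ALL_CHARS) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(password: str) -> float:
    """Upper-bound guessing entropy: log2(pool ** length).

    The pool is the union of the classes actually used, so this is what an
    attacker who knows the alphabet but nothing else would have to search.
    Dictionary words or reused patterns score far lower in practice.
    """
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    pw = generate_random_password()
    print(pw, f"~{entropy_bits(pw):.0f} bits")
```

A 24-character password from this 75-symbol pool is roughly 149 bits of search space; the same length drawn only from lower-case letters would be about 113 bits.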
- Choose a password manager which doesn't sync your password file to the cloud
I'm not a big fan of password managers; however, if you choose to use one, pick an app which stores your password file locally on your smartphone or PC, and back the file up between your devices manually. Putting the key to all your services into the cloud, in the care of somebody else, is the easiest way to undermine all the good things you've practised elsewhere.
- Create a password scheme which is easy for you to remember but impossible to guess
Creating passwords for multiple sites and services which are both substantially different and easy to remember generally proves to be the most difficult part of the process. I recommend basing them on a subject you're keen on, for example football teams and player names plus shirt numbers. To make them easy to remember, pick the player or team name based on the first letter of the service you're logging into.
For example, on a site like Expedia you might choose 'Everton' for the team name, 'Cahill' for the player name, the number 17 and a random non-alphanumeric symbol which you standardise across sites.
Given its length, complexity and uniqueness, that's going to be about as secure a password as you'll ever get.