When I meet with a new client, I ask them three questions:
Without telling me what your personal email password is, how many characters is it?
When was the last time you changed your personal email password?
Do you use your personal email password on any other online websites?
My clients usually look crestfallen after I ask them these questions. However, the questions are not meant to shame them or make them feel guilty. Since they often respond with “10 characters”, “I can’t remember when I changed my password”, and “Yes, I use this password on a lot of my online accounts,” I gently encourage them to consider changing their personal email password to something a bit stronger.
The Why
As discussed in the Nightmare Scenario, your personal email account holds the keys to your online kingdom. Most, if not all, of your online accounts use your personal email. Some of these accounts have forms of payment associated with them. If someone gets unauthorized access to your personal email account, bad things can happen to your other accounts, especially those with a credit or debit card stored for future use in your account settings.
The Elements
The longer the password, the better. Good for security, bad for your thumbs to pound out on your mobile phone’s glass screen. I believe there are two solid methods to create long, tough-to-hack passwords/passphrases:
A long string of letters, numbers, and special characters: VTTcuAN3cr*fj@TV3@29xDzZ$sqfM8
Three or more random words, capitalized, with a number included: Humid-Deacon2-Revolt
See for yourself. Go to www.howsecureismypassword.net and type in your personal email password. It will show you how long it takes an adversary to crack it. Then copy/paste my password examples into that site. Noticeable difference, perhaps?
Don’t be overwhelmed by this daunting prospect. You won’t have to tax your creative brain to come up with these long passwords. I will be talking about a software tool that generates them for you with a click of a button in the next newsletter.
The How
Locating where to update your password varies greatly with each different online account. Here’s what I do to efficiently update my passwords without a lot of hunting around:
Click the Forgot Password link on a website and enter your email address on the next screen.
The website will then send an email to your inbox containing a link to reset/change/update your password. This long weblink will take you directly to the password change screen.
Enter your current password, then paste your auto-generated long password or passphrase into the next two fields, new password and confirm new password.
Click the Save button to lock in your changes.
The When
Twice a year I change the following:
My clocks, the whole spring-forward-fall-back weekend thing
My smoke detector batteries, because that’s what my father taught me
My windshield wipers, because I don’t like streaks on my windshield
My toothbrush, because I’m a fan of personal hygiene
My passwords, because I want to avoid the Nightmare Scenario
The Message
It is dangerous to use one password for all your online accounts, especially a short one. It is dangerous not to update your passwords on a regular basis. It is dangerous to think that your accounts won’t be hacked on those giant websites with tens of millions of users.
By taking deliberate, efficient steps toward updating your account passwords, you will significantly decrease the odds that your account will be among the millions who get compromised, attacked, and exploited by adversaries around the world.
Thanks very much for your time. I do appreciate it,
— Chris