Hands up how many of you use the same password for more than one website? How many of you use the same password for most or all websites?
Hands up how many of you use your actual email address when signing up for websites?
If you raised your hand for either or both of these, we need to talk.
Let’s say you sign up for a website, and you give them your email address (perhaps a gmail account), and then give them a password that happens to be the same as your gmail password. It is now trivial for them to hack your Gmail account and spam your friends.
Even if you only sign up for reputable websites, they can be hacked, as happened recently with Gawker. Anyone who used the same password both for their email and for Gawker was immediately exposed, and their email address probably found its way onto hundreds of spammers' mailing lists.
Additionally, let’s say you use several passwords (my previous approach). You then run into the problem that you often forget which password you used where, so you have to try several of them (potentially revealing all your passwords to an unscrupulous website).
Another annoyance is that some websites have weird requirements for passwords: often they must be at least 8 characters in length and contain a mixture of letters and numbers. If your default passwords don’t meet these criteria then you often have to modify them somehow, or pick new passwords entirely, and then of course you can never remember which variations you used for particular websites.
So what to do? A simple approach I use, which isn’t foolproof, but which is a big improvement over what most people do, is to base my password in some way on the domain of the website I’m visiting.
For example, let’s say you are coming up with a password for plentyoffish.com. One approach you might take is to start with the last 4 letters of the main part of the domain in reverse order, capitalizing the final one. And then add an additional 4 characters that you’ll always remember – ideally a combination of letters and numbers. Here are some example passwords following this scheme (using “5yty” as the final 4 characters in each case):
While initially it might take you a few seconds to figure out the appropriate password for any given website, with a little practice it quickly becomes second nature.
The good thing about a password scheme like this is that these passwords will meet the criteria of even the most fussy websites, because they are 8 characters in length (I’ve never seen a website that required passwords longer than 8 characters). Additionally, the passwords contain a mixture of upper and lower case characters, and numbers.
Now please don’t copy the exact approach I describe here. Perhaps instead of taking the last 4 characters of the domain, take the 2nd, 4th, last, and 2nd last – or something like that. It doesn’t matter, so long as you remember it.
Of course a weakness of this approach is that someone looking at your password for their site might be able to reverse engineer your system, but this involves a lot more work on their part than if you use the same password everywhere.
If you are concerned about this you could make your system more difficult to reverse engineer by, say, incrementing the letters you take from the domain name, so “abcD” becomes “bcdE”. Of course, this comes at the cost of making it more difficult to work out the appropriate password for a given domain.
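As an added example (not code from the post), here is the scheme above in Python, including the letter-incrementing variant. The `main_label` helper, the short suffix list and the sample domains are my own assumptions; the `collisions` check makes the caveat concrete: any two domains whose main part ends in the same four letters get the same password.

```python
from urllib.parse import urlsplit

# Constructed short list of two-part public suffixes, for illustration only;
# a real tool would consult the Public Suffix List.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}

def main_label(site: str) -> str:
    """Return the 'main part' of a domain, e.g. 'plentyoffish' for
    'https://www.plentyoffish.com/login' or 'goldfish' for 'goldfish.co.uk'."""
    host = urlsplit(site if "//" in site else "//" + site).hostname or ""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]

def shift_letter(ch: str) -> str:
    """Advance one letter by one position, wrapping z -> a, keeping case."""
    base = ord("A") if ch.isupper() else ord("a")
    return chr((ord(ch) - base + 1) % 26 + base)

def derive_password(site: str, secret: str = "5yty", shift: bool = False) -> str:
    """Last four letters of the main label, reversed, final one capitalised,
    then the fixed secret; shift=True applies the 'abcD' -> 'bcdE' variant."""
    letters = [c for c in main_label(site) if c.isalpha()]  # digits/hyphens dropped
    if len(letters) < 4:
        raise ValueError(f"{site!r}: main label has fewer than four letters")
    part = letters[-4:][::-1]          # last four letters, reversed
    part[-1] = part[-1].upper()        # capitalise the final one
    if shift:
        part = [shift_letter(c) for c in part]
    return "".join(part) + secret

def collisions(sites):
    """Group sites by derived password; any group of two or more means the
    same password is reused across unrelated sites (the scheme's weak spot)."""
    by_password = {}
    for site in sites:
        by_password.setdefault(derive_password(site), []).append(site)
    return {pw: group for pw, group in by_password.items() if len(group) > 1}

if __name__ == "__main__":
    sample = ["plentyoffish.com", "goldfish.co.uk", "example.org"]  # constructed
    for s in sample:
        print(s, "->", derive_password(s), "| shifted:", derive_password(s, shift=True))
    print("shared passwords:", collisions(sample))
```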
And what about having to give websites your real email address? Simple! Don’t give them your real email address!
33Mail gives you your own domain, like @john.33mail.com. Next time you visit a website that asks for your email address, instead of giving them your real email address, just make one up especially for them. For example, if the website is blahblah.com, you might give them blahblah@john.33mail.com.
You don’t need to do anything else, 33Mail will create an alias automatically the first time they try to send you an email, and we’ll forward any emails they send to you.
Later, if blahblah.com starts to send you emails you don’t want, or even if they sell your email address to a spammer, just click on the link that we add to the top of every email we forward: 33Mail will kill their alias, and they won’t bother you any more.
Sign up for 33Mail.com to create a new email address for each website.
PS. You’ll also be able to figure out which website sold your email address so that you can warn other people!
Your last sentence in this post, about figuring out which websites might be selling our email addresses, got me thinking… Is anyone collecting any data on which sites are doing this? The collective experience of the 33mail users might be useful in the war against spam!
Definitely an interesting idea Bob. Given that many users use a site’s name as an alias, we could create a list such as this using commonly blocked alias names, once we have the permission of our users to do so. Something to go onto our already too long todo list 🙂