I usually avoid talking about the specifics of my choices in securing assets, but I figured at this point I may as well, since I am pretty sure of my setup.
This was in the context of discussing another person’s WordPress blog (on DreamHost, of course) getting hacked.
So I wanted to talk about the problems of password management, password entropy and password reuse. So I did.
Another thing that occurred to me this morning while reading your blog post about this hack, tommasz, is that I recently improved my total online security presence by signing up for a password management service and forgetting almost all of my other passwords.
The service I chose was LastPass. Before signing up for any service, you have to do the research and see if you like their tech and their business model. I chose LastPass because it has apps for both Android and iOS (mobile access costs $12/year), as well as for most major operating systems and most browsers (I use the IE, Chrome and Firefox plugins). Also, their security model seems decently secure for an online-based service.
But what happens when you start using these services (there are other services equivalent to LastPass, so I’ll talk about them as a class of service) is that you can start converting accounts over from not-tracked to tracked. And as soon as a site is tracked, you can effectively forget the password. Or, better, change the password to a random string of numbers, letters and symbols, let the service remember it for you, and forget it. And make sure that each password is different, which foils xkcd-style password reuse attacks, where someone harvests your password from one site and tries it on another.
At this point with LastPass, every account I have uses a different, entirely random password, and for 99% of logins it’s automated through a browser plugin, or at least I can copy from the plugin and paste into the login window of some app with its own integration, and never see the password myself. And new accounts just go into the LastPass oubliette.
Just make sure your password for the password management service is highly random and long enough that you can only just remember it (or maybe use a memorizable passphrase, again à la xkcd).
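The two points above (a different random password for every site, and a master password or passphrase with enough entropy) can be made concrete. The following is an added example written for this post; it is not code from the post itself or from LastPass or KeePass. It generates per-site passwords from the operating system's secure random source, estimates the entropy of a random password versus an xkcd-style passphrase, and scans a vault for reused passwords. The vault contents and the tiny wordlist are constructed samples (a real diceware-style list has thousands of words, which is what gives the passphrase its strength).

```python
import math
import secrets
import string

# Alphabet for generated per-site passwords: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample wordlist; a real diceware list has 7776 words (12.9 bits each).
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple", "orbit", "velvet",
                   "glacier", "pumpkin", "lantern", "meadow", "quartz", "saddle"]

# Constructed sample vault (site -> password) showing the reuse problem.
SAMPLE_VAULT = {
    "blog":    "hunter2",
    "forum":   "hunter2",      # same password as the blog
    "webmail": "hunter2",      # and again
    "bank":    "Tr0ub4dor&3",  # unique, but weak-ish
}


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random password drawn with the OS CSPRNG (secrets), never random.random()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_passphrase(wordlist, words=4):
    """xkcd-style passphrase: `words` words chosen uniformly and independently from the list."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words, wordlist_size):
    """Entropy of a passphrase depends on list size and word count, not on word length."""
    return words * math.log2(wordlist_size)


def find_reused_passwords(vault):
    """Return {password: [sites]} for every password that appears on more than one site."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def rotate_reused_passwords(vault, length=20):
    """Give every site that shares a password a fresh random one; untouched sites keep theirs."""
    rotated = dict(vault)
    for sites in find_reused_passwords(vault).values():
        for site in sites:
            rotated[site] = generate_password(length)
    return rotated


if __name__ == "__main__":
    print("reused:", find_reused_passwords(SAMPLE_VAULT))
    print("20-char random password:", generate_password(),
          f"({password_entropy_bits(20):.1f} bits)")
    print("4-word passphrase from a 7776-word list:",
          f"{passphrase_entropy_bits(4, 7776):.1f} bits")
    print("after rotation, reused:", find_reused_passwords(rotate_reused_passwords(SAMPLE_VAULT)))
```

The entropy numbers are what matter for the master password: a 20-character password over 94 symbols is about 131 bits, while four words from a 7776-word list is about 52 bits, which is still far beyond what an online login form will let an attacker guess and is much easier to remember. The per-site passwords never need to be memorable at all, so they can take the full 94-symbol alphabet.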
As a side-note, my solution to this prior to LastPass was KeePass.
Also, for financial institutions that offer it, I have opted into using a SecurID-type physical token to help secure logins – if you are interested, LastPass offers this too (including a printable option). And I also use the 2-factor security enhancement that Google provides.