Free digital security background

What’s the real answer to our password questions?

If there’s anyone who ought to know the best way to keep our online family jewels out of the hands of people who shouldn’t have them, it’s Tim Berners-Lee — the guy who invented the web.

What does he recommend? See below:

The best defense against hackers is... paper.

by Sir Tim Berners-Lee*

There is one foolproof way to protect your information online. You can’t be tricked into sending a piece of paper to hackers on the other side of the world. To keep your passwords safe, just write them down on a piece of paper and put it in a safe place like your wallet. You can’t hack paper. Security mistakes happen when people are using systems they don’t understand.

So a lot of computer-security experts have been recommending password managers like Dashlane, 1Password, LastPass, and RoboForm. They generate and remember your passwords for you. You use one master password to access them. The information is saved onto your devices and powerfully encrypted so it’s almost impossible to hack.

Lorrie Cranor, a computer scientist at Carnegie Mellon University, says writing down passwords is a perfectly sensible security strategy. Managing passwords on paper is endorsed by a number of other security experts, including well-known security researcher Bruce Schneier.

If you forget your password manager’s master password, the rest of your passwords are gone forever. A lot of people save their master password on their computer. That creates an opportunity for hackers to grab their data.

Why do I need so many passwords? Password reuse is bad because it means that compromising one site can expose you to attacks on other sites too. Your primary email address, your bank, your credit card, and your retirement account probably need their own passwords. If you use a cloud storage service like Dropbox or iCloud, your passwords for those services should be unique. You should be able to get along with few enough passwords to fit them all on a business card.

Finally, write down as little identifying information as possible. Don’t write down your username. Write “E” instead of “gmail” and “B” instead of “Bank of America.” Hopefully, if your wallet does get stolen, the thief won’t realize he’s holding the keys to your online identity — at least until you’ve had time to change your passwords.

Don’t leave the paper somewhere where people can copy it. It shouldn’t be a Post-it note on your monitor or even under your keyboard. Store it in your wallet, or in an unmarked folder in your filing cabinet. You might want to consider keeping two different pieces of paper: one at home that has every password, and a second one in your wallet that just has the passwords you need every day. That minimizes the damage if you happen to lose your wallet.

If you do use a password manager: First, make sure you make regular backups of your hard drive (you should be doing this anyway). Some password managers (like 1Password) don’t store an encrypted copy of your passwords on their servers. If you’re using one of those programs, then a hard drive crash could mean you lose your password data forever.

Second, memorize the password to your primary email address. There’s always a small risk that a technical snafu or a forgotten master password will lock you out of your password file. If that happens, you’ll need to activate the password-recovery features on all the websites you use. Most websites do that by email. If your email password is stored in your password manager, you’ll be out of luck.

Most password managers allow you to synchronize your data across multiple computers. That’s a convenient feature, but it needs to be used carefully. Never log into your password manager from devices you don’t trust.

What else can I do to secure my online accounts? Two-step verification. It’s always possible that someone will find your password sheet or crack your password manager and try to log into your accounts. That’s where two-step verification comes in. On most sites, the second authentication step involves texting a security code to the user’s cell phone. That improves security because a hacker who gains access to your password would also have to get ahold of your cell phone in order to compromise your account. Most leading internet companies and many major banks offer two-step verification.

*Oh, yeah — he’s British, and was knighted for his contribution a while back. So it’s Sir Tim to his compatriots.