So stop focusing on secure passwords. Think about secure identities. By this I mean it’s time to uncouple your real identity – the one you use in three-dimensional meat space – from your online identity. You should assume your public accounts and even your corporate email are going to be hacked, and put all your effort into protecting the things that really matter: your banking credentials, your cloud data, the email account where your password recoveries are sent.
The simplest solution: Create an email address you use only for those accounts, ideally on a domain you own (and use only for that purpose). The $12 a year you’ll spend on the domain, plus a few bucks a month for some email inboxes, is well worth it. Use a unique address for each account you want to protect. Don’t publish it. Don’t share it with friends. Couple it with a looooong username you can remember, like a song lyric you’ve memorized. Or the first letters of each word in that lyric – like this: PYOABOARWTTAMS@noneofyourgoddamnedbusiness.com.
Can you identify that song? (I picked an easy one.)
Do the same for your password. Since you’ll only have a few to remember, it won’t seem quite so painful or impossible. And let the rest of your accounts go.
Is this a perfect solution? Hardly. Someone could eventually identify that domain and brute force that email address. But it will be a lot more work, and because the first thing they’ll use it for is spam, you’ll have a clue it’s been compromised when the first Cialis ads start showing up in your junk folder. Then you’ll know it’s time to pick a new one.
You might think, Twitter schmitter – who cares if someone has hacked my account? Well, that could be the first step in unraveling the rest of your identity, as Wired’s Mat Honan can tell you. That’s why it’s time to hide in plain sight, and to start separating your real identity from the ones you use on Twitter, Facebook, Tumblr, etc. Do it now, I’ll wait.
As a journalist, I’m kinda stuck. I need to be a semi-public person, because I need to give strangers an easy way to reach me in order to do my job. But you may not have to.
I’ll bet my readers have better ideas about how to deal with the “security is dead” problem. What would you do?