Simple Security Practices

My Facebook feed started blowing up today with friends warning everyone to change their Gmail passwords due to a leak of 5 million passwords.

This struck me as very odd since the passwords shouldn’t be stored in plain text; at worst I would have expected some hashed version of the passwords to be leaked.  The one exception would be some man-in-the-middle attack where maybe a custom Android keyboard or app was copying info.

Still, it’s a good reminder to use strong and unique passwords on all of your sites.  You can easily use password managers like Lastpass or 1password, which are both fantastic for easily creating complex and unique passwords.  Personally I just build unique passwords based on patterns.

Here is an example of what I mean.  Let’s say you want to build passwords for outlook.com and github.com.  We want them to be unique but also easy to remember.  How do we do that?

Note that the order here doesn’t matter; pick your own method, it’s the idea that counts.  Also, this isn’t meant to be the MOST complex password, it’s just meant to raise the effort of guessing or cracking your passwords to a level that is fairly high while also using unique passwords for every site without it being super complex.  I taught my mom, who is almost 60, this method, so you can learn it too.

  1. First we’re going to pick a number.  We can do something as simple as your birth year.  Normally this is a big no-no, but in this situation it’s out of context and really doesn’t matter.  So let’s say you were born in 83.  Your password for both looks like this so far: 83
  2. Now let’s add the last 4 letters of the domain + the TLD (top level domain) to these passwords.  Your passwords for outlook.com and github.com now look like this: 83look.com & 83thub.com.  So far this is pretty easy; you should be able to remember this.
  3. Now we’re going to add a word.  I’m actually going to go with a name that is always staring at me from my monitor’s bezel and add Samsung.  Normally this is a no-no, but again, this is out of context.  We’ll also add an & in between to add just a little more complexity while also capitalizing the first letter of Samsung.  Your finished passwords are: 83look.com&Samsung & 83thub.com&Samsung

Both of these are very easy to remember passwords, but they’re both unique and strong.  The only issues you may encounter are that some websites may complain about the length or complexity.  I’ve found banking websites, of all places, are the most likely to do so.  In those cases I usually have a backup that is less complex, but it’s definitely annoying.
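As an added example (not code from the post), here is the three-step recipe written out, plus two checks worth running on the results: whether two sites collapse to the same password, since the recipe only looks at the last four letters of the site label and the TLD, and whether a strict site policy like the banking sites mentioned above would reject the result. The site list and the policy limits are constructed for the example.

```python
from __future__ import annotations
import re

# Constructed sample sites for this example; not from the post.
SITES = ["outlook.com", "github.com", "mail.example.org", "look.com"]


def build_password(domain: str, number: str = "83", word: str = "Samsung") -> str:
    """Apply the post's three steps: number, last 4 letters of the site
    label + '.' + TLD, an '&', then the word with its first letter capitalised."""
    label, _, tld = domain.rpartition(".")       # "mail.example", ".", "org"
    label = label.split(".")[-1]                  # keep only the registrable label
    return f"{number}{label[-4:]}.{tld}&{word[:1].upper()}{word[1:]}"


def collisions(domains: list[str]) -> dict[str, list[str]]:
    """Map each derived password shared by more than one domain to those
    domains. The recipe only sees the last four letters plus the TLD, so
    outlook.com and look.com collapse to the same password."""
    by_password: dict[str, list[str]] = {}
    for d in domains:
        by_password.setdefault(build_password(d), []).append(d)
    return {p: ds for p, ds in by_password.items() if len(ds) > 1}


def policy_problems(password: str, max_len: int, allowed_specials: str) -> list[str]:
    """Return the reasons a (constructed) site policy would reject the
    password: too long, or using a special character the site forbids."""
    problems = []
    if len(password) > max_len:
        problems.append(f"length {len(password)} exceeds {max_len}")
    for ch in sorted(set(re.findall(r"[^A-Za-z0-9]", password))):
        if ch not in allowed_specials:
            problems.append(f"special character {ch!r} not allowed")
    return problems


if __name__ == "__main__":
    for site in SITES:
        print(site, "->", build_password(site))
    print("collisions:", collisions(SITES))
    # A strict policy like the banking sites the post mentions (constructed limits).
    print("bank would reject:", policy_problems(build_password("outlook.com"), 12, "!@#$"))
```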

Stay safe!

Update: It looks like I was right; the article has been updated to say:

these may not, in fact, be Gmail passwords, as original reports claimed. Instead, it looks like these are passwords leaked from other web sites over the years that were associated with Gmail addresses.