More on Passwords and Online Security

Posted by JD 12/20/2014 at 01:00

As another online website got hacked today and leaked userids, email addresses and passwords, I started thinking about what would solve this issue basically forever.

  1. Don’t use the same password anywhere online. Always unique per login/website.

  2. If you can, use a unique login for every online identity. No need to let anyone connect-the-dots or get a hint about your email login from a blog website. This is more important for logins to financial services. I couldn’t tell you my brokerage userid – don’t know it – it is random.

  3. If you can, use a unique email address for every identity. These do not need to be anything more than email aliases, since receiving email and redirecting it to a real account is easy. No need to support “send”. If you don’t know what an email alias is, don’t worry.

  4. Definitely have a few different email addresses – 1 for social stuff online and a different 1 or 3 for financial stuff. If the social email gets hacked, that shouldn’t impact your financial email accounts at all.

  5. Lie on all password reset questions. Never tell the truth or give the same answer on different websites. Keep your lies inside a password manager.

How to do these things easily? Use a password manager. Try it for a week, see if you don’t become addicted. More on KeePass
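As an added illustration of steps 1 through 5 (example code, not from the original post or from KeePass), here is what one per-site identity record looks like when every field is random and unrelated to every other site. The alias domain and the reset question are constructed placeholders; a password manager is where the resulting record would live.

```python
import math
import secrets
import string

# Letters, digits and punctuation for passwords.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Lowercase letters and digits only for userids and alias local parts,
# since many sites reject punctuation in those fields.
LOGIN_ALPHABET = string.ascii_lowercase + string.digits


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


def random_string(length: int, alphabet: str) -> str:
    """Random string drawn from the OS CSPRNG (secrets), not random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def new_identity(site: str, alias_domain: str, reset_questions: list[str]) -> dict:
    """Build one fresh identity for a single website.

    Nothing is derived from the site name, the real email address or any
    other identity, so a leak at one site says nothing about another.
    """
    return {
        "site": site,
        "userid": random_string(16, LOGIN_ALPHABET),            # step 2
        "password": random_string(24, PASSWORD_ALPHABET),       # step 1
        # Receive-only alias forwarded to the real inbox (step 3).
        "email_alias": f"{random_string(16, LOGIN_ALPHABET)}@{alias_domain}",
        # Reset answers are random strings, not facts (step 5).
        "reset_answers": {q: random_string(20, LOGIN_ALPHABET) for q in reset_questions},
    }


def all_unique(identities: list[dict]) -> bool:
    """True if no userid, password, alias or reset answer is reused across sites."""
    seen = set()
    for ident in identities:
        values = [ident["userid"], ident["password"], ident["email_alias"],
                  *ident["reset_answers"].values()]
        for value in values:
            if value in seen:
                return False
            seen.add(value)
    return True


if __name__ == "__main__":
    # Constructed sample: a social site and a brokerage, alias domain is a placeholder.
    sites = ["blog.example", "brokerage.example"]
    records = [new_identity(s, "alias.example", ["Mother's maiden name?"]) for s in sites]
    print("all unique:", all_unique(records))
    print("password entropy (bits):", round(entropy_bits(24, len(PASSWORD_ALPHABET)), 1))
```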

There are other uses for password managers too. Well worth your time.

If we do these things, no need to panic over having any social/google password db out there. Even if it were leaked as plain text, I wouldn’t care. It doesn’t matter. Don’t let any social website know your real email address or a password used anywhere else. Unique, random matters.

Prefer F/LOSS security tools over commercial offerings. Historically, commercial security vendors have misled their users, or their marketing departments simply lied.

KeePass and KeePassX are good. The source code is available for download and review by anyone. The tool’s security does not rest on anything hidden, only on good encryption, which currently cannot be broken when normal best practices are followed.

KeePassX is amazing.