Passpack: Protecting Your Passwords Online

Over the years, my password schema has evolved to be more and more complex. With huge, professional services like Sony PlayStation Online and Steam being compromised by hackers, it seems your passwords are not safe anywhere online. This means using the same password for everything you do just isn’t smart. I have essentially three levels of passwords.

Level 1

Totally insecure but easy to remember. This is for all the services that I sign up for on a whim and don’t contain any sensitive information beyond my email. You could argue that I shouldn’t ever use an insecure password, but I’m not too worried about someone hacking my LazyMeter account (task list), for example.

Level 2

Slightly cryptic, but used often enough that I can remember it. This one has more than 5 characters, a combination of letters, numbers and capitalization. I’ve since added the first two letters of the domain to the beginning, so that the password is unique to each service. This is great for sites that I visit regularly and on multiple devices: home computer, work computer, my phone, etc.

Level 3

Totally random, the more characters the better. I use this tool to get a long, random string for any service that requires my credit card or social security number. You could argue that I should use this level of complexity for all my passwords and so I am heading that direction.

Obviously my brain could never remember a 14-character random string of letters, numbers and punctuation. Saving this information in a text file on my computer kind of defeats the purpose. Between browsers saving form information and sites leaving cookies, I usually don’t have to type them in. But what if I log in from a different computer, or clear my cache? Or give my login to my wife?

For that, I’ve used Passpack without issue for at least 2 years. Although there is always the risk that someone could compromise Passpack and suddenly have access to all my passwords, I’m actually less worried about that. They use multiple levels of government-level security to keep your information safe. I’m much more worried about companies like eBay or Sony, who are not only larger targets but also less worried about your security. With Passpack, that’s pretty much all they do.

I’ve since started using it at work and it has been a boon for productivity. Before we were storing passwords in a database and looking them up with phpMyAdmin. Now that everything is in Passpack, it is easier to search, available remotely, and easily allows us to share individual passwords without giving access to the entire set. This is perfect for remote developers or plain new staff that we don’t quite trust yet to have every password for every client we’ve ever had.

The best part: Passpack is a freemium service. That means the basic account is free and you only pay for access to more storage and other features. For most individual users, the free account is all you need.

Installing WordPress

A few tips:

  • Install WordPress in its own directory, below the root, with a unique name. I tend to use a password generator to create my directory name. Although the location of your folder can easily be found in the HTML of your site (all your CSS and image files will be inside it), it is still a small barrier against scripts that look for WordPress at the root or in common folders like “blog”, “wp” or “wordpress”. Keeping WordPress out of the root will keep the install cleaner and allow you to have sub-directories and other files in your root that won’t conflict with WordPress.
  • Do not use admin as your username. Previous versions of WordPress forced you to use it on first install, but with 3.0 you can now choose your own username. It doesn’t have to be crazy, although the more complex it is the safer it will be, but anything besides admin will be an improvement.
  • Do not use an English word as your password. Again, use a password generator. In addition, consider using a password repository to store your password in case you want to access your admin from another computer. And trying to use a password that is easy to remember probably means it is easy to crack.
  • Install the plugins and themes you want, remove the ones you don’t. Although the default WordPress theme (Twenty Ten), Akismet, and Hello Dolly are probably very safe, it’s good practice to just remove any files you aren’t using. Don’t worry, you can download them again if you really want them. But by keeping them off your server, there are fewer files that you have to worry about updating, and if you ever run into security problems, you won’t have to worry about checking them.
  • Update your comment settings. You’ll probably want to treat most comments as spam, only allow comments from people who have posted before, and generally make it hard for your blog to get filled up with spam. Get an Akismet API key and activate the plugin. Once your blog gets popular, you’ll be happy you had it all ready to go first.
  • Set up your permalinks. Despite it not being one of the preset options, category/postname seems to be the most recommended option for SEO purposes. It’s also the most readable for humans. No one cares what the post date was, but if they want to find more posts in that category, it’s easy for them to do by manipulating the URL. It also allows people on other sites to trust the link more, which means they are more likely to click on it.
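The following script is an added example, not code from the original post or from Passpack or WordPress. It ties together two things discussed above: generating a Level 3 random password (and a random directory name and non-"admin" username) the way the password-generator tips describe, and running the WordPress install and hardening steps from the list with wp-cli. It assumes wp-cli is on PATH, that the MySQL database already exists, and that the caller sets WP_DB_NAME, WP_DB_USER, WP_DB_PASS, WP_URL and WP_EMAIL (WP_TITLE and AKISMET_KEY are optional). The names PASS_CHARSET, random_string, charset_size, password_entropy_bits and install_wordpress are this example's own, and the option names under comment settings are the ones current WordPress stores; that wordpress_api_key is the option Akismet reads is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): generate a Level 3 random
# password, a random install directory and a non-"admin" username, then
# optionally install and harden WordPress with wp-cli (run with WP_INSTALL=1).
# Assumed: wp-cli on PATH, database already created, WP_DB_NAME/WP_DB_USER/
# WP_DB_PASS/WP_URL/WP_EMAIL exported by the caller.

# Letters, digits and a punctuation set that passes cleanly through tr,
# shell quoting and most login forms (16 punctuation marks, 78 characters).
PASS_CHARSET='A-Za-z0-9!#$%&*+,.:;=?@_~'

# random_string LEN CHARSET: read /dev/urandom, keep only bytes inside CHARSET
# (tr -dc deletes the complement), stop after LEN characters.
random_string() {
  LC_ALL=C tr -dc "$2" </dev/urandom | head -c "$1"
}

# charset_size CHARSET: number of printable ASCII characters CHARSET matches,
# found by pushing all 95 printable characters through the same tr filter.
charset_size() {
  echo $(( $(LC_ALL=C awk 'BEGIN { for (i = 32; i < 127; i++) printf "%c", i }' \
             | LC_ALL=C tr -dc "$1" | wc -c) ))
}

# password_entropy_bits LEN ALPHABET_SIZE: floor(LEN * log2(ALPHABET_SIZE)),
# i.e. the brute-force search space of a truly random string of that shape.
password_entropy_bits() {
  awk -v n="$1" -v k="$2" 'BEGIN { printf "%d", int(n * log(k) / log(2)) }'
}

# Download WordPress into $WP_DIR and apply the hardening steps from the post.
install_wordpress() {
  w() { wp --path="$WP_DIR" "$@"; }
  w core download
  w config create --dbname="$WP_DB_NAME" --dbuser="$WP_DB_USER" --dbpass="$WP_DB_PASS"
  w core install --url="$WP_URL/$WP_DIR" --title="${WP_TITLE:-Blog}" \
    --admin_user="$ADMIN_USER" --admin_password="$ADMIN_PASS" --admin_email="$WP_EMAIL"
  # Akismet ships with core: activate it first so the cleanup below keeps it.
  w plugin activate akismet
  if [ -n "${AKISMET_KEY:-}" ]; then
    w option update wordpress_api_key "$AKISMET_KEY"   # assumed: option Akismet reads
  fi
  # Remove every inactive plugin (Hello Dolly included) and theme: fewer files
  # to keep updated, fewer to audit if something goes wrong.
  for p in $(w plugin list --status=inactive --field=name); do w plugin delete "$p"; done
  for t in $(w theme list --status=inactive --field=name); do w theme delete "$t"; done
  # Comments: hold everything for moderation unless the author was approved before.
  w option update comment_moderation 1
  w option update comment_previously_approved 1   # WP 5.5+; comment_whitelist before that
  # Permalinks: /category/post-name/, then write the rewrite rules to .htaccess.
  w rewrite structure '/%category%/%postname%/'
  w rewrite flush --hard
}

WP_DIR=$(random_string 12 'a-z0-9')          # unique directory, not "blog" or "wp"
ADMIN_USER=$(random_string 10 'a-z0-9')      # anything but "admin"
ADMIN_PASS=$(random_string 20 "$PASS_CHARSET")
# Print once, store the values in your password manager, then never echo them again.
printf 'directory:  %s\nadmin user: %s\npassword:   %s (~%s bits)\n' \
  "$WP_DIR" "$ADMIN_USER" "$ADMIN_PASS" \
  "$(password_entropy_bits 20 "$(charset_size "$PASS_CHARSET")")"

if [ "${WP_INSTALL:-0}" = 1 ]; then install_wordpress; fi
```

Run it once with no environment to see the generated directory, username and password (a 20-character password from this 78-character set is about 125 bits, far beyond what any online service will let an attacker guess); run it again with WP_INSTALL=1 and the database variables set to actually perform the install. The directory name adds only a little obscurity, as the post says, so the password and the non-admin username are the parts that matter.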