TechCrunch runs down step-by-step exactly how a hacker broke into Twitter employees’ accounts and gained access to over 310 confidential company documents (and generally caused them hell). Lesson to be learned: Use strong passwords (and DIFFERENT passwords for every service you use), change them often, and use impossible-to-guess secret questions and answers. I recommend (and use) KeePass for helping you do just this.
KeePass is essential. If you’re going to be safe online, you have to use different passwords for every site. Unless you have a really simple (and therefore, unsafe) way of creating memorable passwords, you can’t possibly remember them all.
Obvious pro-tip: Use Dropbox to sync your KeePass database.
I use both KeePass and 1Password depending upon the OS. It is probably obvious to most of you but:
1. If you can create your own secret question(s), use KeePass or 1Password to create the question. Make sure you generate a strong password as your question.
2. Regardless of the question, you do not need to answer truthfully, so again, generate your response as a strong password.
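The two points above, as an added Python example (not code from the post or from any commenter): the answer to a security question is generated with a CSPRNG the way a password manager would generate a password, its entropy is reported, and a truthful-looking answer is flagged against a small list of common answers that is constructed here for illustration only.

```python
import math
import secrets
import string

# Alphabet for generated answers: letters and digits only, so the answer is
# accepted by the typical "secret answer" form field.
ALPHABET = string.ascii_letters + string.digits


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def generate_secret_answer(length: int = 20) -> str:
    """Return a random answer suitable for a security question.

    Uses the secrets module (CSPRNG) rather than random, so the answer
    cannot be reproduced from a predictable seed.
    """
    if length < 12:
        raise ValueError("secret answers shorter than 12 characters are too guessable")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def looks_guessable(answer: str, common_answers: frozenset[str]) -> bool:
    """True if the answer is something an attacker could look up or guess."""
    return answer.strip().lower() in common_answers


# Constructed sample of typical truthful answers (not from any real breach data).
COMMON_ANSWERS = frozenset({"fluffy", "springfield", "smith", "toyota"})

if __name__ == "__main__":
    answer = generate_secret_answer()
    print(answer, f"{entropy_bits(len(answer), len(ALPHABET)):.1f} bits")
    print("guessable:", looks_guessable(answer, COMMON_ANSWERS))
```

Store the generated answer in the password manager entry for the site, since it is not meant to be remembered.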
I think it does not really address the issue that relying solely on passwords is not really the solution. Bruce Schneier posted a reference that having strong passwords for online accounts does not really achieve the desired result: http://www.schneier.com/blog/archives/2009/07/strong_web_pass.html
However, for something like company confidential information stored and shared on a service like Google Apps/Docs, it may make sense to have dual-factor authentication, a password and something else. So something as basic as an SMS code texted to the registered user, or only authorised devices (e.g. specific browsers) being given access, or even one of those RSA-type time-based key thingees.
What about Macs? KeePass seems to be happy with a Windows-only version …
@chandi: I use KeePassX. It’s a port of KeePass for *nix systems (Mac included). I actually prefer it to the standard Windows-only version of KeePass.
@duanehubbard: Thanks there! I use the standard Keychain Access … I hope this is better; anyway, I will give it a try!
What’s the general feeling about passpack.com (or similar web-based stores)? Security should be the same (as in the encryption of the passwords), yet keeping the ‘database’ on a third-party server somewhere just seems wrong.
But is it? It’s already encrypted before it’s sent.
On the dual-factor topic, myopenid.com will call you (if you want) to verify a login. Wouldn’t it be nice to be able to choose your security/identity provider for ‘important’ things? (It seems like the sites that *accept* OpenID are all low-security.)