An experiment in password security

Back in 2012 I published a few educational articles reviewing and promoting the use of password management software. The message in short: we should all be using separate, randomly generated passwords for each our online accounts that are not written or recorded in non-secure online locations and are changed periodically. One of these articles is still available on the NJCPA  technology blog. That advice is still valid today.

At that time I undertook an experiment. I programmed all of my online accounts – about 200 in all – to use randomly generated password of 8 to 12 digits consisting of small and capital letters, numbers and symbols. Additionally, I programmed them to be changed by Lastpass prompts at least once each year. The strategy works flawlessly for me for those accounts.

However, I left one online account with a lower level of security. My Facebook account kept the same randomly generated password since 2010 and was not updated. (I had reasons for choosing this account as the control in the password management system experiment. Those reasons don’t seem relevant now).

Today I received a message that someone in Vietnam logged into my Facebook account and so Facebook automatically locked down the account. First, it is good to know that Facebook has this ability to detect fraud. Second, IMO, this is significant evidence that a competent password management strategy is necessary.

Nowadays most of all my technology uses biological (fingerprint) log in security. Yet these accounts are still tied to passwords so passwords are still used.

The three conclusions:

1) Password management is needed now more than ever.

2) The most practical way to achieve a high level of security is to use a password management system, and

3) No security system is 100% fail-proof but  service like LastPass offers the highest level of security we have available to us.


Leave a Reply

Your email address will not be published. Required fields are marked *