The Three Fundamental Cybersecurity Mistakes I Made Most of My Adult Life

The first time I was ever assigned a password for an Internet-connected system was when I started college in 1986. Pretty soon, I had credentials for several systems, and at the very beginning, I made three mistakes that I would continue to make over and over for the next 20+ years.

  1. I used the same password for every system. Occasionally I would change my password, but when I did, I would update all of my other credentials to use that new password.
  2. When given the option, I always used the same username, basically my first and last name.
  3. I used the same email address for every system. For several years I used my university email system, and then before I graduated I registered my own .com domain and used my email address there for everything.

This made me a perfect target for credential stuffing, where usernames and passwords from a breach are automatically tested at dozens or hundreds of other systems. I am fortunate that I have never been the victim of such an attack, but I put that down to blind luck.

Today, I make certain that all three pieces of information are unique for every account I have. In some cases, with older accounts, that isn’t always possible. Some systems, for example, will not let me change the username I created in 2003 to something different. But where I can update them, I have.

So my approach to having unique credentials on all sites looks like this:

  1. Unique, randomly generated passphrases. This is the easiest one for anyone to do thanks to the rise of password managers which store and retrieve passwords much more quickly and securely than my aging memory.
  2. Unique, randomly generated usernames. This is also fairly easy thanks to password managers, but less intuitive. Many people still seem to use variants of their real name, or similar pseudonyms. I use the same passphrase-generating process to randomly generate usernames. For example, the username for one of my credit card accounts might be “proud-postbox” or “radial-suction”.
  3. Unique, non-randomly generated email addresses. This is probably the most difficult part for non-technical users to accomplish. I use a catch-all enabled email account through ProtonMail. There are plenty of email systems that will enable catch-all access, but basically I have a specific domain — let’s call it @xyz.com — that I use for signing up to services.

    When I sign up to a service that asks for my email, on the spot I enter [email protected] as the email address. So, for example, I might have an email address for Amazon that is [email protected]. The catch-all feature just dumps any email that doesn’t correspond to a specific account into my main email account.

    If I ever need to respond to this email, I generally just temporarily create the actual account, make my response, and then whenever the specific issue I’m emailing about is resolved, I’ll remove that account.
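
As an added example (not code from the post), here is a small Python sketch of the three-part scheme above: usernames and passphrases drawn from a wordlist with the `secrets` module, the per-service catch-all address, and an audit that flags reuse of any of the three fields across a list of accounts. The wordlist, the `xyz.com` domain and the account records in the test are constructed for illustration.

```python
import secrets
from collections import Counter

# Constructed sample wordlist; a real setup would use a large diceware-style list.
WORDS = ["proud", "postbox", "radial", "suction", "amber", "lantern",
         "velvet", "orbit", "cobalt", "meadow", "quartz", "harbor"]

def random_words(n):
    """Pick n distinct words using a cryptographically secure RNG."""
    pool = list(WORDS)
    out = []
    for _ in range(n):
        w = secrets.choice(pool)
        pool.remove(w)
        out.append(w)
    return out

def make_credentials(service, domain="xyz.com"):
    """Build the unique triple the post describes for one service:
    a four-word passphrase, a two-word username, and a catch-all
    address whose local part is the service name (domain is assumed)."""
    return {
        "service": service,
        "username": "-".join(random_words(2)),
        "passphrase": " ".join(random_words(4)),
        "email": f"{service.lower()}@{domain}",
    }

def find_reuse(accounts):
    """Return {field: [values shared by more than one account]} for the
    three fields credential stuffing pivots on. Empty dict means no reuse."""
    reused = {}
    for field in ("username", "passphrase", "email"):
        counts = Counter(a[field] for a in accounts)
        dupes = sorted(v for v, n in counts.items() if n > 1)
        if dupes:
            reused[field] = dupes
    return reused
```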

Along with security, this also contributes to increased privacy. One of the uses of breach data is to see if someone whose email, username, or password are known from one breach also happens to appear in other breaches.

So, for example, if I know from a LinkedIn breach that [email protected] appears in it, I can also check to see whether that email appears in the Adult Friend Finder breach.

One thought on “The Three Fundamental Cybersecurity Mistakes I Made Most of My Adult Life”

  1. The randomly generated email address is the most interesting one, and one I hadn’t considered. (I recently had reason to believe that I was subject to an attempted identity theft via a hijacked Facebook account, so I’ve been locking things down.)
