httpwebwitch - 3:00 pm on Jan 27, 2009 (gmt 0)
If you're like me with >50 sites that require authenticated accounts, it takes 4 to 5 hours to go through them all and change the passwords. Yes, it is a laborious process. But if you consider how much time you've spent playing WoW or surfing Digg or watching Hamsters On Pianos Eating Popcorn, I think you'll agree it's a precaution worth the time spent.
I've done this a few dozen times, so here are some tips:
1) Keep a list of all your passwords in one place - a physical book, stored somewhere secure + hidden in your home. Don't save it as a digital file, and don't keep the list online or on your C://.
2) Use a binder. One page per account is a good idea. Then you have plenty of space to cross out the old PWD and write down the new one.
3) It may be convenient to use the same password for multiple accounts... but obviously it's not a good idea. If you have trouble remembering PWDs, come up with some kind of non-mathematical algorithm that you can use to translate the domain into a password. For example: Obviously this is not my real formula, it's just an example
4) Whenever you sign up for a new account anywhere, write it in the book.
5) For each site, record ALL the information you can use to authenticate. For instance, you'll almost always need a user name and a password, but sometimes there'll also be a "secret question", an account number, or even a URL which points to your profile or account management panel.
6) If it's a site you own, it goes in the book too. You'll have peripheral authentication like the server's FTP creds, SQL connection creds, DBA accounts, multiple WordPress logins, Developer tokens, Affiliate IDs, Analytics accounts, etc.
7) Don't forget to do your online banking accounts too! Change your PIN frequently. That may require a trip to see a real human bank teller.
8) Do not allow the book to leave your residence! If you need reminders of certain passwords while you're out and about, make a copy of the ones you need on a slip of rice paper written with beet juice and put it in your wallet. When you're finished with the copy, eat it.
Making this a routine will keep your accounts secure, or at least relatively secure. But as an added bonus: if you perish, it's convenient for your heirs and executor to access your accounts if they're all enumerated in one place. Keep the book secure and safely hidden, but DO tell at least one other person where you keep it, like whoever is mentioned in your will as an executor or power of attorney.
Brutal.
This brings to mind: it's nearly time for a total security sweep of all my personal accounts. It's a good thing to do every few months... at least twice a year. I do it every 4 months or so (approximately).
Amazon.com
Starts with A, ends with N. Like my cousin Aaron, who was born in 1978.
:. my amazon password is "%aaron(81)"
Ebay.com
Starts with E, ends with Y. Like my friend Eddy, who was born in 1965.
:. my ebay password is "%eddy(65)"
The physical book full of your passwords makes the security sweep really easy to do. Do one, turn the page. Continue to the end. Done. No guessing or wondering if you missed any.