accounts

This weekend I wanted to create a new App in Azure so I could help a local nonprofit automate one of their donor relations processes via email through Office 365.

So I tried registering an app by visiting the App Registration Portal. I signed in to my personal Microsoft account, clicked 'New registration', then was greeted by this page:

I thought that was a bit strange, since I shouldn't have any restrictions... but then I noticed it listed [redacted] School as the reason I couldn't do this.

I recently learned that account verification is now generally available on Twitter... but when I went to verify my account, I got a notice that I needed to confirm my email address. I went into my account settings, and my account (which has existed since 2008, and has had a confirmed email address entered since the beginning!) showed my email was in working order.

So, knowing that sometimes you just need to give software a little percussive maintenance, I decided to try changing my email address (using another email alias for my normal iCloud account). Well, I got the confirmation email, clicked the link... and found a wonderful 500 error page:

In light of the many high-profile hacking cases that have recently exposed millions and millions of user passwords (LinkedIn, Sony, etc.), I thought I would write down my password management practices, and some practical thoughts for others looking to secure their access to various online services.

Shared Passwords (major no-no)

For a long time, I had three passwords: a weak, eight-character password that I'd use on forums and places I didn't really care about. I had a ten-character password with a number, a capital letter, and a symbol, for medium security (like sites that had my credit card in my account). And I had a fourteen-character password which was truly random (generated by Keychain Access on my Mac) for a couple services that I needed to be extremely secure.

But, none of these passwords are truly adequate nowadays—especially since I reused the passwords on a variety of sites and services! Additionally, I often had trouble remembering which password I used on what site, and had to try all three before successfully logging in.

[Update: Back when this was written, very nice password managers like 1Password and LastPass didn't exist or were not very capable of managing passwords as well as they are today—please ignore the advice below and use a password manager to generate very long, random passwords, and use the password manager instead of memorizing anything.]

Every month or so, another scary story about a huge security compromise (a.k.a. a hack) surfaces on the Internet, and this month is no exception. Earlier this month, the whole Twitter corporate heirarchy had a lot to worry about, as a hacker (that's kind of a misnomer... hackers are usually nothing more than persistent, patient and sly computer users) accessed many Twitter employees' email, iTunes, Google, etc. accounts, all because of the fact that one of the employees (probably not the only one, though) left an open door via a few small missteps, security-wise.

The hacker, after gathering tons of personal information gleaned from all over the web, was able to recover a user's Gmail password by guessing a few personal questions Gmail asks on the password recovery form (i.e. "Who was your favorite actor?," "What is your maiden name?," etc.). Then the hacker simply searched through the user's emails for something like "username password," because he knew that a lot of websites (like the Joomla! forums, some gaming sites, online stores, etc.) simply send an email upon a new user registration that contains the person's username and password. Once the hacker got ahold of a few more passwords this way, he was on his way to 'hacking' all the user's accounts... because like most people online, the user had only one or maybe two passwords he used for everything.

...but using the same password for multiple sites/services isn't necessarily a bad thing. Not if you follow these steps: