How easy are user names to guess? An account ID issued by a bank or credit card company may follow a predictable formula that's easy to guess, such as the first four characters of your last name followed by the last four digits of your social security number. In other cases a site may require that you use your email address as your account name (as LastPass does). When people do create user names they go with ones that are easy to guess, such as first initial and last name or last name followed by year of birth.
Some sites, including LastPass, require you to use your email address as your account user name. To get around that, you can add the "+" character to the end of your email user ID followed by extra characters to make the user name harder to guess. The user ID will still work, says Siegrist, and it's more secure. For example, firstname.lastname@example.org could be changed to rmitchell+vN41Mvkoq1Lf@computerworld.com.
Siegrist uses the password generator function in LastPass to create strong user account names. Since the password manager remembers both the user name and the password, you don't have to remember what the account name is anyway, he says. So why not be more secure?
7. Use two-factor authentication. This is doubly important if you use a laptop that can be stolen or you store sensitive data in the cloud. If someone guesses or steals the password to your account, they'll still need a special code, which is typically sent to a mobile phone, to gain access.
With two-factor authentication a person logging into your account needs something you know (your password) and something you have -- typically a single-use code that's texted to your phone or generated by a program such as Google Authenticator. The latter, which issues a six-digit number, is particularly useful if you use other Google products such as Gmail or Google Docs.
However, the site you're using has to support the two-factor authentication app you're using. Dropbox supports Google Authenticator, as does LastPass, which at the time I began using it was the only password manager to offer two-factor authentication options. Unfortunately, many sites don't support two-factor authentication, including all of my online banking, investment and credit card accounts.
"The adoption of two-factor hasn't been as high as we'd hoped with LastPass," says Siegrist, but that's starting to change. "With Google Authenticator being free we're seeing a nice uptick in its use."
8. Use an alternative email account for password resets. An intruder will expect password reset information to go to your public email account, which is easier to discover than is a secondary account created specifically for password resets.
Sign up for Computerworld eNewsletters.