Password Rules - Don't use 1234
Jon-Louis Heimerl | March 01, 2011
Even the most security-minded people fall victim to creating passwords that consist of their first initial and 1234. It's not entirely their fault, though: the sheer number of online forms and the growth of social media accounts have led many to become lax when tasked with creating unique passwords.
So, as a refresher, I’ve included some password tips for the taxed Internet warrior. Remember, a few extra minutes can make all the difference when securing personal information.
1. The best password is one you will use. Using it means remembering it, or storing it in some manner where you can get at it when you need it. Part of this point is that almost any password is better than _no_ password. All that said, a bad password could leave you with a false sense of security.
2. A strong password would usually be considered one that fits the following characteristics, though you should remember that not all sites support all characters.
a. At least eight characters
b. At least one capital letter and at least one small letter
c. At least one number
d. At least one "special character" - consider this as mostly the "shifted" numbers, so !@#$%^*()
3. Don't use:
a. "Dictionary" words - if your password is in the dictionary, or is jargon or slang, do not use it. There are databases of these words that can be run against your password in seconds.
b. "No dictionary words" also means no simple substitutions. Say you pick "freeride" as your password and simple number substitution gives you "fr33r1d3". Your first reaction is that it is probably a good password, but it is not: password cracking tools easily check for simple number substitutions. They also check for prepended and appended numbers, so "fr33r1d38" is not really much better, except for the fact that it is longer.
c. Nothing personal - no birthday, no address, no spouse's name, no child's name, no pet's name.
4. There are plenty of rules for building "strong passwords", including these three:
a. Take a standard phrase and make an acronym. "I love to eat cookies and pie" becomes "iltecap". Add your number and special character in the password, and at least one cap, and you can get "iltE4$cap". That is a really good password, if you can remember that you like to eat cookies and pie.
b. Take a standard word, or two short words. Something that you can remember, and visualize by where you are or what you have. My office has blue walls, so I might remember "bluewall". Then misspell the words, giving you "blewwaul". Add my "confusing" characters and I might get "blew8*WAUL". Good password.
You can do these techniques with almost any inspiration - "I want to win a Super Bowl" can easily become "iwtwa3$S" with only a little creativity. A Green Bay Packers fan can easily find themselves with a strong password of "goe1@Pakk".
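As an added illustration (not code from the original post), here is a small checker that applies the composition rules from item 2 and the "no dictionary words, even with number substitutions or added digits" rule from item 3b to the sample passwords above. The wordlist is a constructed stand-in for a real dictionary file, and the substitution table only covers the common number-for-letter swaps; both are assumptions of the example.

```python
# Constructed stand-in for a real dictionary/wordlist (assumption).
DICTIONARY = {"freeride", "password", "cookies", "bluewall", "welcome"}

# Reverse of the simple number-for-letter substitutions the post warns about.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})
SPECIALS = set("!@#$%^&*()")
DIGITS = "0123456789"


def composition_failures(pw):
    """Item 2: at least 8 chars, one capital, one small letter, one number, one special."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        failures.append("no capital letter")
    if not any(c.islower() for c in pw):
        failures.append("no small letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no number")
    if not any(c in SPECIALS for c in pw):
        failures.append("no special character")
    return failures


def digit_trims(pw):
    """Yield pw with 0..n leading and 0..m trailing digits removed,
    so that "fr33r1d38" is also examined as "fr33r1d3"."""
    lead = len(pw) - len(pw.lstrip(DIGITS))
    trail = len(pw) - len(pw.rstrip(DIGITS))
    for i in range(lead + 1):
        for j in range(trail + 1):
            yield pw[i:len(pw) - j]


def dictionary_hit(pw, words=DICTIONARY):
    """Item 3b: return the dictionary word the password is derived from, or None."""
    for trimmed in digit_trims(pw):
        lowered = trimmed.lower()
        for cand in (lowered, lowered.translate(UNLEET)):
            if cand in words:
                return cand
    return None


def evaluate(pw):
    """All problems found with a candidate password; an empty list means it passes."""
    problems = composition_failures(pw)
    hit = dictionary_hit(pw)
    if hit:
        problems.append(f"derived from dictionary word '{hit}'")
    return problems
```

Running `evaluate("fr33r1d38")` reports the hidden "freeride", while the post's "iltE4$cap" passes every check.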
5. Now, how do you remember which site uses which password when you have dozens of sites? I used to have a little notebook in which I wrote everything down - dozens of passwords. I kept the notebook in a safe in my office. The safe had a number pad combination, which I opened when I was in the office and closed when I was absent. So, my passwords were protected by my locked house, by my burglar alarm, by my very large and unfriendly dog, and by my safe - nice, effective layered security. There is nothing really wrong with writing down your passwords, IF you have great physical control over your space. But the "portability" problem remains - what if you are not sitting in your home office? You are simply not going to be able to remember a variety of usernames and unique passwords from dozens of sites. Your best way to do this is probably with a password management solution. Symantec's "Identity Safe" and "RoboForm" are two solutions that work well (two well-reviewed, fully functional products, not meant to be taken as a specific recommendation). They store your passwords and match each password with the site to which it belongs. Just make sure you use a nice, strong password on your password management utility. The one catch is that if you need to access one of your sites, you need to be using your computer - or at least one of your computers on which you have installed the password management utility. One caveat to this is to never (ever) allow your browser itself to store your passwords. Your browser will sometimes ask you "remember this password?" As a rule, always (always) say "no". The browser's store is more easily compromised than a real password management system, AND some systems have historically exposed saved passwords through the browser's "autocomplete" fields. Someone else later using the same computer can potentially get access to the sites cached there.
6. Another thing you can do to simplify your logins is to classify your logins. Group your logins by generic accounts (which have no real personal information), social media (some personal information with no financial), shopping sites (that have personal information and may store credit card numbers), and absolutely personal sites (like banking sites, or sites that provide access to online medical information). If I use the same username and password on Newsvine as I do on WSJ and Foxsports, and someone gets my password on one, am I really concerned if they can log onto one of the others? So, I might use the same password for all of those. At the other extreme, the sites that I really worry about, like my online banking site, gets its own unique (strong) password.
7. The more you use your password, the more likely it is to be compromised: the more likely it is that someone will see you enter it, or guess it by where your fingers are, and the more likely it is that a piece of malware will sniff and copy it for someone else to use. So, unfortunately, changing your password does become important, but only to the extent that you can remember to change it, and remember what it is once you change it. If I am classifying my logins, I never change my password on those junk sites. But on the banking sites? Most standards say that people should be changing their passwords every 90 days. For personal use, that does appear a little extreme, but you should think about changing your "high risk" passwords at least once a year, and every six months is better.
8. Last password rule. Never, ever, share your password. Don't give it to your friend so they can send a quick email. Don't give it to your boyfriend or girlfriend - do you want them to have that potential power if they happen to become an "ex"? If you are on the phone with tech support, they really do not need your password. Or if they really do, they already have it. So, be selfish, and do not share. Ever.