Passwords - 10 Tips for Developing a Personal Strategy

Passwords. PINs. Security Codes.

It seems like every place we go online someone is asking us to either validate who we are with a password protected account or asking us to create an account so that we can access something. We are inundated with so many requests for account names and passwords it can become easy to be lazy about the passwords we choose and who we give them to.

As the Gawker Media hack showed us, poor password discipline can lead to a compromise of your personal data security. I’ve compiled a list of tips that can help you become a lot more secure in your online travels.

Tip 1: Don’t Use The Same Password Everywhere
If you use the same password in multiple locations you are going to run the risk of that password being exposed. All it takes is one poorly secured system or an unscrupulous web site operator to collect your email address and password. At a minimum have different passwords for your primary computer login, email account and any financial systems you access (banks, credit cards, etc).

Tip 2: Never Use Simple Words or Dates
“password” is one of the most used passwords in history and obviously the worst possible one to select. Names, middle names, common words, etc. are also a bad idea because a dictionary attack has a much higher chance of success on them. Avoid pet names because with today’s social web most people know the names of your cats, dogs and pet iguanas. Birthdays and anniversaries are also easy to find.

A good password should be at least 10 characters long and contain a mix of letters, numbers and punctuation. Many sites now require at least one of these elements.

Tip 3: Change Your Password Regularly
Open your calendar program and put in an appointment for 6 months from now. If you can make it a recurring 6 month appointment that’s even better. Title it “Change passwords”. No matter how secure you are, at some point you’re going to reveal your password. I once did it with a friend while on IM: I was rapidly Command-Tabbing between an Adium window and Safari, pasting in information. One Safari screen asked me to log in; I entered the password and hit enter, only to realize I had just plopped my password into the IM window instead.

People don’t change their passwords mostly because it’s such a hassle. If you haven’t changed your password in years then it will seem like a lot of work. Do it on a regular basis and it gets easier.

Tip 4: Use a Secure Password Storage Tool
The older I get the more I realize that my brain is not a reliable storage medium. I’m only good for a handful of passwords, especially when I change them out regularly. Rather than just writing the passwords down (see Tip 7 below), I use 1Password. Hands down one of my favorite applications, 1Password securely stores my passwords and embeds itself into my web browser. When I’m prompted by a site to login, 1Password can do it for me. It can also enter my credit card information, personal data, etc.

As a computer enthusiast I have multiple computers and devices for accessing the web around me all day: Mac Pro, MacBook Pro, Windows 7 PC, iPad and iPhone. 1Password can keep all of them syncronized using a free Dropbox account. Now I only worry about remembering one unique password - my 1Password master password.

Tip 5: Share Your Password
Wait, share your password? Yep, you read that right, though only in certain circumstances. If you pay bills online and use your bank or credit card to handle it, does your spouse or significant other know how to take over if something happens to you? If you’re elderly and your kids are next in line do they know what to do? No one wants to think of a world where they don’t exist but in the event something happens to you the last thing you’ll want your spouse or children to have to go through is figuring out how to unwind the personal security you’ve put in place.

Don’t feel comfortable giving your spouse that information? Write your passwords down on a piece of paper. Put it in a sealed envelope. Show your spouse the hiding place for it and explain that’s where your main passwords are, then put a list of the key accounts for bill paying, banking, etc. on a piece of paper and put that some place else. Just don’t forget to update it when you change your passwords.

Tip 6: Lock Your Computer
If you travel with a laptop you should always require your password when your machine is rebooted or when it comes out of sleep mode. If your passwords have been remembered by your computer through something like 1Password this is critical. I do this on my desktop machines as well, not because I’m worried about my wife or kids accessing things (I trust them), but because if a burglar steals my computer while I’m away I don’t want to make it any easier for them.

Mac Security Setting

Windows 7 - Power Options / Require Password

Tip 7: Post-It Notes Are Evil
I actually love Post-It notes for everything except passwords, yet that seems to be the dominant way they’re used by people. If I was personally trying to access someone’s computer and needed their password I’d look for a Post-it note on 1) their display, 2) their keyboard, 3) under their keyboard, 4) in a nearby desk drawer or 5) under knick-knacks on their desk. Is that where you put yours? Don’t.

Tip 8: Resist Public Terminals
It’s great to find public terminals in airports, hotels and other lounges but if you’ll be using them try to only access public information. Checking your e-mail from a public terminal can be risky; is it possible that someone—maybe even the owner of the terminal—has installed a capture program to harvest your login details? Is the browser set to remember usernames and passwords automatically?

If you do use a public terminal make sure you log out, don’t just close out the browser window. You may still be logged in. Also, clear your history if possible. Some poorly written sites will pass your username and password along in a URL.

Tip 9: Know Where You Are
As you are browsing the web you hit a site that contains something you really want to read but it asks you to log in using your Google credentials. It even tosses up this on the page:

Looks legit, right? Make sure you know where you are before you enter login credentials. Check the URL first. Make sure you are accessing the site through HTTPS. If you’re not really sure, click on the little padlock image on your web browser. That should display the security certificate from the site. These kinds of phishing attacks don’t just happen from emails - be aware of where you are before you enter any sensitive data.

Tip 10: Become a Password Activist
If you’ve read through this, chances are you have someone in your immediate circle (family, friends, etc.) that isn’t as concerned about password security. Casually check with your spouse, kids, parents, etc. if they are keeping their passwords secure. You can use every single one of the tips I’ve put in here and be very secure but if your wife or husband has access to the same bank accounts you do and they aren’t as careful, well... you get the idea. Make sure they are.

The bottom line is no one will care about securing your information more than you. Sure, it’s a pain to go through but it’s far more painful to deal with an identity theft. Ask the 100,000 people that just had their email addresses and passwords harvested from Gawker.

Got a tip for helping people lead more secure online lives? Did I miss anything? Please drop a note in the comments. I've got it set to allow anonymous comments so you don't even need to log in!


jbeardsley said…
Related to tip #6, is 6a - lock your phone. If you leave your smartphone somewhere and you don't require a swipe pattern or password to get into it, anyone who finds it will most likely have complete access to your email, financial accounts or any other apps that you have on your phone.
David Alison said…
@Jeff: Great tip man - thanks! Same holds true for iPads too.
Great post! I repeat most of this in my technology organizing seminar. I also encourage people who login to a lot of sites to use 1Password by Agile Web Solutions. It is a great program and you can get it for either Mac or PC.
The other advantage is your spouse only has to remember your 1Password password to get access to all your info should something happen to you.
Anonymous said…
It makes me sad that we live in a world where we need to spend so much time and effort protecting ourselves against these threats.

One question - all of your suggestions are defensive. Do you think there should be some offensive action, such as legal actions (arrests of people who steal passwords), or perhaps some vigilante justice?
David Alison said…
@Anon: If I knew someone had stolen my identity and could track them down I would pursue them legally. The challenge is many times the identity theft is off-shore and very difficult to pursue.

I would never go the vigilante justice route though. No good can come from that.
Lagomorphmom said…
Thanks for the tip on 1Password. I do use different passwords for different genres of tasks, so to speak, but you're right I don't change them enough.

One tip for pretty good passwords is to take words that you (might ;-) remember and substitute numbers when the shapes are similar, ie #1 for l or #0 for o, #3 for an E, and so on.
Unknown said…
Another vote for 1Password, it has rapidly become my most treasured application. Like you I work across multiple machines so currently I have my passwords avaialble on my Home and Work PC's my Mac, my iPhone and my iPad. Could not function now with out this.

(Mainly as I dont know my passwords anymore!)
Michael said…
Another happy 1Password user - not much I can add to what has already been said.

What I did want to say is I don't know when you changed your photo, and I'm relying on my memory for what the old one looked like, but gee you look like you've lost a lot of weight. Well done!
David Alison said…
@Michael: Yep, last year I went on a big health kick. Got heavy into cycling (put just over 4,500 miles on my bikes this year) and dropped 35lbs. Thanks for noticing!
Doug Smart said…
If you're on a windows computer that supports LAN Manager you should set your password to 15 characters or longer. Otherwise you run the risk of your login password being stored in a manner that's easily recoverable by a knowledgeable person.
Eric said…
I have read your story! It was great! I thought you wrote about my story. LOL. I have the same experience with you. :) Thanks for sharing your great experience and wonderful story!!! :D

Popular posts from this blog

Keyboard vs. Mouse

Some cool Firefox add-ons

A hardcore Windows guy gets a Mac