Passwords - 10 Tips for Developing a Personal Strategy
Passwords. PINs. Security Codes.
It seems like every place we go online someone is asking us to either validate who we are with a password protected account or asking us to create an account so that we can access something. We are inundated with so many requests for account names and passwords it can become easy to be lazy about the passwords we choose and who we give them to.
As the Gawker Media hack showed us, poor password discipline can lead to a compromise of your personal data security. I’ve compiled a list of tips that can help you become a lot more secure in your online travels.
Tip 1: Don’t Use The Same Password Everywhere
If you use the same password in multiple locations you are going to run the risk of that password being exposed. All it takes is one poorly secured system or an unscrupulous web site operator to collect your email address and password. At a minimum have different passwords for your primary computer login, email account and any financial systems you access (banks, credit cards, etc).
Tip 2: Never Use Simple Words or Dates
“password” is one of the most used passwords in history and obviously the worst possible one to select. Names, middle names, common words, etc. are also a bad idea because a dictionary attack has a much higher chance of success on them. Avoid pet names because with today’s social web most people know the names of your cats, dogs and pet iguanas. Birthdays and anniversaries are also easy to find.
A good password should be at least 10 characters long and contain a mix of letters, numbers and punctuation. Many sites now require at least one of these elements.
Tip 3: Change Your Password Regularly
Open your calendar program and put in an appointment for 6 months from now. If you can make it a recurring 6 month appointment that’s even better. Title it “Change passwords”. No matter how secure you are, at some point you’re going to reveal your password. I once did it with a friend while on IM: I was rapidly Command-Tabbing between an Adium window and Safari, pasting in information. One Safari screen asked me to log in; I entered the password and hit enter, only to realize I had just plopped my password into the IM window instead.
People don’t change their passwords mostly because it’s such a hassle. If you haven’t changed your password in years then it will seem like a lot of work. Do it on a regular basis and it gets easier.
Tip 4: Use a Secure Password Storage Tool
The older I get the more I realize that my brain is not a reliable storage medium. I’m only good for a handful of passwords, especially when I change them out regularly. Rather than just writing the passwords down (see Tip 7 below), I use 1Password. Hands down one of my favorite applications, 1Password securely stores my passwords and embeds itself into my web browser. When I’m prompted by a site to log in, 1Password can do it for me. It can also enter my credit card information, personal data, etc.
As a computer enthusiast I have multiple computers and devices for accessing the web around me all day: Mac Pro, MacBook Pro, Windows 7 PC, iPad and iPhone. 1Password can keep all of them synchronized using a free Dropbox account. Now I only worry about remembering one unique password - my 1Password master password.
Tip 5: Share Your Password
Wait, share your password? Yep, you read that right, though only in certain circumstances. If you pay bills online and use your bank or credit card to handle it, does your spouse or significant other know how to take over if something happens to you? If you’re elderly and your kids are next in line do they know what to do? No one wants to think of a world where they don’t exist but in the event something happens to you the last thing you’ll want your spouse or children to have to go through is figuring out how to unwind the personal security you’ve put in place.
Don’t feel comfortable giving your spouse that information? Write your passwords down on a piece of paper. Put it in a sealed envelope. Show your spouse the hiding place for it and explain that’s where your main passwords are, then put a list of the key accounts for bill paying, banking, etc. on a piece of paper and put that some place else. Just don’t forget to update it when you change your passwords.
Tip 6: Lock Your Computer
If you travel with a laptop you should always require your password when your machine is rebooted or when it comes out of sleep mode. If your passwords have been remembered by your computer through something like 1Password this is critical. I do this on my desktop machines as well, not because I’m worried about my wife or kids accessing things (I trust them), but because if a burglar steals my computer while I’m away I don’t want to make it any easier for them.
[Screenshots: Mac Security Setting; Windows 7 - Power Options / Require Password]
Tip 7: Post-It Notes Are Evil
I actually love Post-It notes for everything except passwords, yet that seems to be the dominant way they’re used by people. If I was personally trying to access someone’s computer and needed their password I’d look for a Post-it note on 1) their display, 2) their keyboard, 3) under their keyboard, 4) in a nearby desk drawer or 5) under knick-knacks on their desk. Is that where you put yours? Don’t.
Tip 8: Resist Public Terminals
It’s great to find public terminals in airports, hotels and other lounges but if you’ll be using them try to only access public information. Checking your e-mail from a public terminal can be risky; is it possible that someone—maybe even the owner of the terminal—has installed a capture program to harvest your login details? Is the browser set to remember usernames and passwords automatically?
If you do use a public terminal make sure you log out, don’t just close out the browser window. You may still be logged in. Also, clear your history if possible. Some poorly written sites will pass your username and password along in a URL.
Tip 9: Know Where You Are
As you are browsing the web you hit a site that contains something you really want to read but it asks you to log in using your Google credentials. It even tosses up this on the page:
Looks legit, right? Make sure you know where you are before you enter login credentials. Check the URL first. Make sure you are accessing the site through HTTPS. If you’re not really sure, click on the little padlock image on your web browser. That should display the security certificate from the site. These kinds of phishing attacks don’t just happen from emails - be aware of where you are before you enter any sensitive data.
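The two URL checks above (Tip 8's warning about sites that put your username and password in the URL, and Tip 9's "check the URL, make sure it is HTTPS") can be written down as a small inspection routine. This is an added example, not code from the original post; the allow-list of trusted login hosts and the parameter names it looks for are constructed assumptions for the demonstration.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts on which it is legitimate to type Google credentials.
# Constructed allow-list for this example; adjust for your own accounts.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com", "google.com"}

# Query parameter names that should never carry a secret in a URL (Tip 8).
SECRET_PARAMS = {"password", "passwd", "pwd", "pass"}


def host_matches(host, trusted):
    """True only if host equals a trusted name or is a subdomain of one.
    'accounts.google.com.evil.example' does NOT match, because the
    comparison is anchored at the right-hand end of the name."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def inspect_login_url(url, trusted=TRUSTED_LOGIN_HOSTS):
    """Return the reasons not to enter credentials at this URL.
    An empty list means every check passed."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        findings.append("not HTTPS: scheme is %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        # 'https://accounts.google.com@evil.example/' shows the trusted name
        # in the userinfo part; the host the browser connects to follows '@'.
        findings.append("URL has a user@ prefix; real host is %r" % parts.hostname)
    if not parts.hostname or not host_matches(parts.hostname, trusted):
        findings.append("host %r is not a trusted login host" % parts.hostname)
    leaked = sorted(k for k in parse_qs(parts.query, keep_blank_values=True)
                    if k.lower() in SECRET_PARAMS)
    if leaked:
        findings.append("credentials passed in query string: %s" % ", ".join(leaked))
    return findings


if __name__ == "__main__":
    # Constructed sample URLs: one genuine login page, three look-alikes.
    for sample in ("https://accounts.google.com/ServiceLogin",
                   "https://accounts.google.com.evil.example/login",
                   "https://accounts.google.com@evil.example/",
                   "http://example.com/login?user=bob&password=hunter2"):
        print(sample, "->", inspect_login_url(sample) or "OK")
```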
Tip 10: Become a Password Activist
If you’ve read through this, chances are you have someone in your immediate circle (family, friends, etc.) that isn’t as concerned about password security. Casually check with your spouse, kids, parents, etc. if they are keeping their passwords secure. You can use every single one of the tips I’ve put in here and be very secure but if your wife or husband has access to the same bank accounts you do and they aren’t as careful, well... you get the idea. Make sure they are.
The bottom line is no one will care about securing your information more than you. Sure, it’s a pain to go through but it’s far more painful to deal with identity theft. Ask the 100,000 people that just had their email addresses and passwords harvested from Gawker.
Got a tip for helping people lead more secure online lives? Did I miss anything? Please drop a note in the comments. I've got it set to allow anonymous comments so you don't even need to log in!
Comments
The other advantage is your spouse only has to remember your 1Password password to get access to all your info should something happen to you.
One question - all of your suggestions are defensive. Do you think there should be some offensive action, such as legal actions (arrests of people who steal passwords), or perhaps some vigilante justice?
I would never go the vigilante justice route though. No good can come from that.
One tip for pretty good passwords is to take words that you (might ;-) remember and substitute numbers when the shapes are similar, i.e. #1 for l or #0 for o, #3 for an E, and so on.
(Mainly as I don't know my passwords anymore!)
What I did want to say is I don't know when you changed your photo, and I'm relying on my memory for what the old one looked like, but gee you look like you've lost a lot of weight. Well done!
http://support.microsoft.com/kb/299656