The password is…
How many passwords do you have? What makes a good password? How do you keep track of them? How do you keep them safe?
If you’ve been using the Internet for more than a few days, then chances are you’ve already created accounts on dozens of web sites that require a user name and password for access. Managing all of those passwords can be a real chore, and it’s not one to be taken lightly. Your user names and passwords (credentials) are the keys to your online identity, your reputation and, quite likely, your money.
Let’s talk about security for a moment. In the information security world, we talk a lot about authentication factors. Simply put, authentication is just the process of verifying that you are who you say you are. Factors are the specific methods used to identify you. In the real world, you can be identified by your face, your voice, an ID card, a fingerprint, your DNA or any number of other ways. Each one of those things can be considered an authentication factor. Identifying you online is much more difficult. It’s not so easy to compare your face to the picture on an ID card or to scan your thumbprint, so we have to use other methods to verify your identity. We break factors down into three basic categories: something you are, something you know and something you have. Something you are would be your fingerprint, your DNA or your face. Something you know would be a user name, a password or PIN, your Social Security Number or the name of your maternal grandmother’s first grade teacher’s favorite pet. Something you have could be a key or an ID card.
The more factors that are used to identify you, the less likely it is that someone posing as you will successfully access things you want to keep safe. Unfortunately, most computer systems rely on only one factor of authentication: even though you need a user name and password, both are just something you know. There are methods of introducing more factors. I’ve used them when setting up secure access to private networks for companies, but it’s generally too costly and cumbersome for every web site to use these systems.
Knowing this, it’s very important to treat your passwords with care, so here are a few tips.
Use strong passwords. The keys to a good password are its complexity and its length. Whether someone is trying to guess your password or they’re using a password cracking program, the longer and more complex it is, the harder it is to guess. Use the following guidelines.
- At least 8 characters long, but even longer is better. It can even be a passphrase instead of a word.
- Include alphabetic, numeric and special characters (!@#$%^&*)
- Avoid dictionary words, or at least misspell them.
- Avoid words that are easy to guess like the name of your pet, spouse, children or birth dates, Social Security Numbers, etc.
- Avoid consecutive numbers (4567)
- NEVER use a variation of your user name or real name as a password.
- Don’t use the same password for everything. If someone ever does get your password, they’ve got the proverbial keys to the kingdom.
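The guidelines above can be turned into an automatic check. The sketch below is an added example, not code from the original post: the tiny word list, the three-digit threshold for "consecutive numbers" and the function names are all assumptions made for illustration.

```python
import re

# Constructed mini word list standing in for a real dictionary file (assumption).
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "sunshine", "letmein"}

# Undo common character swaps so a "misspelling" like p@ssw0rd is still caught.
LEET = str.maketrans("@4831!05$7", "aabeiiosst")


def normalize(text):
    """Lowercase, reverse common substitutions, and keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def has_digit_run(password, run=3):
    """True if `run` or more ascending consecutive digits appear (e.g. 4567)."""
    streak = 1
    for prev, cur in zip(password, password[1:]):
        if prev.isdigit() and cur.isdigit() and int(cur) - int(prev) == 1:
            streak += 1
            if streak >= run:
                return True
        else:
            streak = 1
    return False


def check_password(password, username="", real_name=""):
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no alphabetic character")
    if not re.search(r"\d", password):
        problems.append("no numeric character")
    if not re.search(r"[^A-Za-z0-9\s]", password):
        problems.append("no special character")
    if has_digit_run(password):
        problems.append("consecutive numbers")
    plain = normalize(password)
    if any(word in plain for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    # Compare against the alphabetic parts of the user name and real name.
    for part in re.findall(r"[A-Za-z]{3,}", f"{username} {real_name}"):
        if part.lower() in plain:
            problems.append("based on user name or real name")
            break
    return problems
```

The check for reusing the same password across sites is not covered here, since it needs a record of your other passwords, which is what a password manager provides.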
Manage your passwords. Now that you’ve created a strong but cumbersome password, you’ve got to somehow remember it or keep a record of it. One of the problems with creating good passwords is that they can be difficult or impossible to remember. Luckily, there are some tools and techniques that you can use to keep track of things. Most involve storing all of your credentials in a single file or database secured with a single strong password. They can be simple and free or cost a few bucks but reward you with some really cool features.
Let’s start with the least costly (as in free) methods. One free method to avoid at all costs is the sticky note method. Never ever keep your passwords written down on a sheet of paper, even if it is cleverly hidden under your mouse pad.
Although Microsoft Excel isn’t free, most of us already have a copy installed on our computers, and it can make a pretty good and secure password manager. Start by making a simple spreadsheet with columns for the website name, user name, password and maybe a notes column. Now that you’ve created a spreadsheet with the keys to your online life, you need to secure it. Follow the steps in this Microsoft tutorial to secure the spreadsheet. Make sure that you use the option to choose a different encryption type and pick a stronger encryption method, such as Microsoft Enhanced RSA and AES.
There are also a few free, purpose-built password managers; one of the most common ones is Passkeeper. What’s nice about Passkeeper is that it’s portable. You don’t actually have to install it on your computer; it’s 3 files that can be easily copied to a thumb drive or even emailed, since the actual data file is encrypted. KeePass is another free option; it has more features but requires a bit more geek aptitude to use.
There are also some very nice commercial ($) password managers available. I use SBP Wallet, mainly because I can sync my passwords between my computer and my iPhone. It also has templates to store all sorts of other information.
Keep your passwords to yourself. Another way that bad guys may try to obtain your passwords is by tricking you into giving them up. Following a few basic rules can help keep your information safe. Never give your password to someone, no matter how nicely they ask. Don’t enter your password into a web site that you got to by following a link in an email. It’s very easy to forge email that looks very official. Bad guys will do this and put links in the email that take you to their server, not the one you intended. You then put your user name and password in, handing them directly to the bad guys. This is a type of scam known as phishing.
Change your passwords regularly. This may sound like a pain, but changing your passwords every 90 days or so can greatly decrease the likelihood that they will be compromised.
Many times the only thing standing between your personal information and someone wanting to steal it is a password. Use some common sense and a little bit of tech savvy, and you can keep your personal information personal.