Effective Computer Password Management
Simple techniques to make your passwords safer
How to make your passwords simple for you to remember, but hard for other people to guess?
The short answer is: you can't. But you can make your password(s) simpler, and you may also choose to use a password management program to solve the problem entirely.
Identity theft via breaking your password is of growing concern - and prevalence. Fortunately, this threat can be minimized or even eliminated if you adhere to some easy-to-follow guidelines.
How your password is stolen
Identity theft was the most-reported complaint to the Federal Trade Commission in 2004, up 15% from 2003 to 247,000 complaints. The problem has intensified because of the speed and availability of information on the Internet, and - paradoxically - as we need to remember more usernames and passwords to access various accounts, we are becoming increasingly less careful when choosing our user name/password combinations.
Identity thieves are primarily after one thing: your passwords. Once the culprits collect your passwords, they gain access to your accounts, steal your identity and use the information for personal benefit. "Phishing" and "password hacking" are two popular identity theft practices. Phishing is a widespread form of Internet piracy that "fishes" for your personal financial information - account numbers, Social Security number, passwords, etc. Thieves use this confidential information to run up bills on your credit or debit cards, take out loans or even obtain a driver's license in your name.
Phishing for Passwords and Personal Data
Typically, a phishing e-mail appears to come from a reputable company that you recognize and may do business with, such as your bank, PayPal or eBay. The e-mail will warn you of a problem that requires you to take immediate action to update or confirm your personal account information. The e-mail will instruct you to follow a link to the institution's web site. The web site will actually be phony, but will look like the real thing.
The inducements to cause you to log onto the spoofed phony site can be very clever and imaginative. Typical reasons are things like 'your credit card has expired, please log on and update your credit card data' - this is a great concept, because you are then tricked into betraying not only your login ID and password, but also you then provide the phisher with full details on a credit card, too.
More imaginative reasons can involve an apparent complaint/negative feedback posting from an eBay member, or an unexpected mystery payment received on PayPal. (I fell for that last one on one occasion - I was both puzzled and pleased to be told I'd received a payment, but didn't know what it was for or who it was from, so clicked the 'details' link in the email; the next thing I knew, I was half-way through typing in my login information (wondering why Internet Explorer wasn't doing it automatically as it usually does) and suddenly I realized the trap I was walking into.)
Phishing websites have URLs that look similar to the real website URL, but which are subtly different so as to cause you to be on a different website. And the text URL link you see in an email is not necessarily where you will be taken to if you click on the link - for example, here is a link, apparently to https://www.alaskaairlines.com/ but if you click on it, you'll actually be taken to a very different airline website.
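The mismatch just described (a link whose visible text names one site while its real target is another, or whose target merely contains a familiar name) can be checked mechanically. The Python script below is an added example, not part of the original article: it compares the host a link displays with the host it really points at, and flags targets that contain a trusted domain name without being that site or one of its sub-domains. The trusted-host list and the sample links are constructed for the example and use reserved example.net/.org domains.

```python
"""Added example: spot e-mail links whose real target is not the site
they appear to name.  The trusted hosts and sample links are constructed
for illustration (reserved example.net/.org domains)."""
from urllib.parse import urlparse

# Sites the reader actually has accounts with (constructed allow-list).
TRUSTED_HOSTS = {"www.alaskaairlines.com", "www.paypal.com", "www.ebay.com"}


def base_domain(trusted_host):
    """'www.paypal.com' -> 'paypal.com' so that sub-domains can be matched."""
    return trusted_host[4:] if trusted_host.startswith("www.") else trusted_host


def host_of(text):
    """Lower-cased host named by a URL or bare domain; '' for plain words
    such as 'Click here', which name no host at all."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    if "://" not in text:
        text = "http://" + text          # let urlparse see a bare domain as a host
    return (urlparse(text).hostname or "").lower()


def belongs_to(host, trusted_host):
    """True if host is the trusted host itself or one of its sub-domains."""
    base = base_domain(trusted_host)
    return host == base or host.endswith("." + base)


def link_red_flags(display_text, href):
    """Return the reasons a link deserves suspicion (empty list = none found).

    display_text is what the e-mail shows the reader; href is where the
    link really goes.
    """
    flags = []
    target = urlparse(href.strip())
    target_host = (target.hostname or "").lower()
    shown_host = host_of(display_text)

    # A login page that is not served over https is a red flag by itself.
    if target.scheme != "https":
        flags.append("target is not https")

    # The visible text names one host but the link goes somewhere else.
    if shown_host and shown_host != target_host:
        flags.append("displayed host %s differs from real target %s"
                     % (shown_host, target_host))

    # The target contains a trusted name but is neither that site nor a
    # sub-domain of it: a look-alike such as www.paypal.com.example.org.
    for trusted in TRUSTED_HOSTS:
        if base_domain(trusted) in target_host and not belongs_to(target_host, trusted):
            flags.append("target %s only resembles trusted site %s"
                         % (target_host, trusted))
    return flags


if __name__ == "__main__":
    # Constructed sample links: (text shown in the e-mail, real href).
    SAMPLE_LINKS = [
        ("https://www.alaskaairlines.com/", "https://www.alaskaairlines.com/"),
        ("https://www.alaskaairlines.com/", "https://www.alaskaairlines.com.example.net/login"),
        ("Click here to confirm your account", "http://www.paypal.com.example.org/update"),
    ]
    for shown, real in SAMPLE_LINKS:
        print(shown, "->", real, ":", link_red_flags(shown, real) or "no red flags")
```

The allow-list approach is deliberate: rather than trying to enumerate every way a host can be disguised, the check asks whether the target really belongs to a site you use, which is the same question the article tells you to answer by typing the address yourself.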
As soon as you type your login ID and password, this vital information is transmitted to the phisher, and he can use it to then log in to the real site, as if he were you, take over your account, and use it for his own purposes. Using the personal and financial information in your account profile, plus any additional information you might have provided to the spoof site, the phisher can readily cause you to become a victim of identity theft.
Beating the Phishers
Any unusual email from a website that requires you to go and log in to the site should be treated with suspicion. Although often these phishing emails can quickly be spotted because they will be poorly formatted and have poor grammar and spelling, a few very dangerous ones look exactly like the genuine email you normally get.
Don't click on any links in the email - if you think the email might be valid, go to the site by way of your favorites (if it is stored in favorites) or by typing in the website name exactly as you know it to be. This increases the chance you're actually and validly going to the website you think you should be going to.
If the email refers to you by name and quotes other details that only the valid website might know, this increases the chance of its legitimacy. But if it refers to you as 'Dear account holder' or 'Dear member' or some other generic form, then the chances are higher the email is fraudulent.
Password Hacking
Password hacking commonly occurs by guessing people's passwords based on personal information, or through the use of password hacking software. Password hacking can be avoided with minimal effort - i.e., by creating passwords that are unrelated to anything to do with your personal details, and which are not proper words such as would be found in a regular dictionary.
This article examines some of the best and worst password practices, then gives you some simple, easy-to-follow ideas on how you can improve the security of your digital identities.
As Passwords Become More Important, We Have Become Less Careful Protecting Them
With the coming of the digital age and the need for us to have instant access to information, passwords are absolutely essential to keep non-valid users from authenticating. We must enter passwords every time we log on to our computer, start an application, open our email, etc. Our list of passwords continually grows and never seems to stop expanding. Instead of remembering one password, as was needed in ancient times, it's now common for a typical computer user to need to remember one hundred or more different passwords.
As more passwords are required they become more difficult to manage, therefore we take short cuts with the passwords we choose, making our personal information and digital identities less secure.
What We Typically Do Now
Most of us choose a simple word that is easy to remember, such as our:
Although this is a common practice, it should be avoided. Hackers can guess these passwords if they know some basic personal information about us, or are armed with the most simplistic password hacking programs.
Here are more examples of poor password management practices.
Poor Password Management Practices
Don't use dictionary words, proper nouns, foreign words or backwards words. Hacker programs can crack these passwords simply by repetitively trying every different word until they finally strike it lucky.

Don't use personal information in your passwords such as your name, child's name, occupation, telephone number, ID number, address or birth date.

Don't share your password with anyone! Not with your spouse, parents, siblings, significant other, secretary, boss, or co-worker.

Don't write your password on a Post-it and stick it on your monitor or any other easily accessible location. In fact, you should not write down your password anywhere.

Don't save your password as part of an automatic login script if anyone else has access to your computer.

Don't rely on Internet Explorer's AutoComplete function. This is an insecure method of storing your passwords on your computer.

Don't allow a web site to store your password. Almost every web site offers to store your password so you won't need to retype it each time. There are three main reasons not to allow this. First, passwords saved this way are not secure and can be read and used by anyone with access to your computer. Second, hackers are increasingly gaining access to servers where your passwords are stored. And third, if you decide to delete your cookies, many sites will not allow you access, forcing you to go through the time-consuming process of requesting and resetting your password.

Don't keep a record or list of your passwords in an unencrypted file on your computer where it is susceptible to hacking.

Don't choose or change your passwords on a public computer or in a public place such as an Internet cafe.

Don't use the same password on multiple accounts.

Don't use common passwords such as:
- password
- qwerty
- 1111
- admin
- etc etc
Good Password Management Practices
Perhaps the single most important thing to remember when creating a new password is to make the password hard to guess, but easy to remember. That's easier said than done, but follow some of the guidelines below and you will start using passwords that are more secure than what you're doing now.
A good password is any combination of letters and numbers that cannot be found in a dictionary. Your password should be at least 6 to 8 characters long and should not have any personal information such as your name, child's name, occupation, telephone number, address or birth date. A combination of letters, numbers and symbols will work best. Make sure you use a mix of capital and lower-case letters to make your password even more difficult to crack.
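The rules in the paragraph above can be turned into a checker you run over a candidate password before adopting it. The following Python is an added example and not from the original article: it reports which of the article's rules a candidate breaks (length, dictionary word or its reverse, personal details, and the mix of capitals, lower-case letters, numbers and symbols). The word list and the personal details are small constructed stand-ins for a real dictionary and a real person's data, and the minimum length of 8 is taken from the upper end of the article's "6 to 8 characters".

```python
"""Added example: check a candidate password against the rules this
article gives.  The word list and personal details are small constructed
stand-ins for a real dictionary and a real person's data."""
import string

# Constructed stand-in for a dictionary (a real check would load a word list).
DICTIONARY_WORDS = {"password", "football", "sneakers", "standard",
                    "qwerty", "admin", "summer", "welcome"}
# Constructed personal details for one imaginary user.
PERSONAL_DETAILS = {"name": "alice", "child's name": "bobby",
                    "telephone number": "5551234", "birth year": "1980"}
# The article asks for "at least 6 to 8 characters"; 8 is used here.
MIN_LENGTH = 8


def password_problems(candidate, personal=PERSONAL_DETAILS, words=DICTIONARY_WORDS):
    """Return the article's rules that the candidate breaks (empty = passes)."""
    problems = []
    lowered = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)

    # Dictionary words, also spelled backwards, are what guessing programs try first.
    if lowered in words or lowered[::-1] in words:
        problems.append("is a dictionary word (possibly spelled backwards)")

    # Anything a thief could learn about you must not appear in the password.
    for label, value in personal.items():
        if value.lower() in lowered:
            problems.append("contains your " + label)

    # The article wants a mix of capitals, lower-case, numbers and symbols.
    present = {
        "lower-case letters": any(c.islower() for c in candidate),
        "capital letters": any(c.isupper() for c in candidate),
        "numbers": any(c.isdigit() for c in candidate),
        "symbols": any(c in string.punctuation for c in candidate),
    }
    missing = [kind for kind, ok in present.items() if not ok]
    if missing:
        problems.append("has no " + ", no ".join(missing))
    return problems


if __name__ == "__main__":
    # Constructed candidates; "PnAttMBtC!7" is the article's acronym
    # example with a symbol and a digit added so that it passes every rule.
    for pw in ["football", "llabtoof", "Alice1980!", "PnAttMBtC!7"]:
        print(pw, "->", password_problems(pw) or "passes every rule")
```

The substring test for personal details is deliberately generous: "Alice1980!" has every character class the article asks for and is still reported, because a password built from facts about you is exactly what the article says a thief will guess first.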
Change your password regularly - once every three months at a minimum.
Always log off when you have finished using a site and close your browser to prevent others gaining access to any personal details stored in the browser's temporary files or online.
Make your existing passwords more secure. There are several techniques you can employ to make your existing passwords more difficult for hackers to crack. Whatever method you choose, you should remember to make it an easy and understandable method so you will have stronger passwords without much more effort.
1. Use the first letter from every word in your favorite expression, or line in a story, poem or movie. For example, "Pay no attention to the man behind the curtain," could lead you to the following password: PnAttMBtC.
2. Choose a word as your password, but then substitute similar-looking numbers for letters in your password. For example, Football may become F00t8a77 or sneakers may become 5n3ak3r5. Here is a sample list of numbers that could be substituted for letters:
O -> 0, I -> 1, Z -> 2, E -> 3, H -> 4, S -> 5, G -> 6, L -> 7, B -> 8
You don't need to associate every number with a letter. What is important is that you remember your list of associated letters and numbers.
3. Choose a password that you want to use and then come up with a keystroke mapping system. For example, if you choose to do an "upper-left" keystroke system you would choose the letter to the upper-left of the actual key you wanted. So if your password was qwert (not recommended) your new password would be 12345 (also not recommended). If the word you wanted to use for your password was football, your keystroke password would be r995gqoo. It sounds complicated, but you probably need to look at your keyboard anyway, so why not just choose the letter to the upper-left, left, or lower-right of the word you choose to remember.
A great idea
Use a standard password, but vary it for each website by adding something to the beginning or end of the standard password - perhaps the first few letters of the website URL.

So if your standard password is 'standard' and you are visiting google.com, your password might be gstandardo. When you visit yahoo, your password might be ystandarda.

Using this type of approach, you have unique passwords for every different website, but you can easily work out what each password should be from the website name.
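The three keystroke and substitution tricks listed under "Make your existing passwords more secure", together with the per-site variation described just above, are all small deterministic rules, and writing them out as functions makes it clear what each one actually does to a password. The Python below is an added example, not the article's own code. It assumes a US QWERTY keyboard laid out so that the key to the upper-left of any key is the same column of the row above (which reproduces the article's qwert -> 12345 and football -> r995gqoo), uses exactly the article's letter-to-digit list, and infers the per-site rule from the google/yahoo examples as "first letter of the site name in front, second letter behind". The acronym function keeps each word's own case; the article's author capitalised some letters of PnAttMBtC by hand.

```python
"""Added example: the article's password-derivation tricks as functions.
Assumptions: US QWERTY layout; per-site rule inferred from the article's
google.com -> gstandardo and yahoo -> ystandarda examples."""

# Letter -> look-alike digit, exactly the article's sample list.
LOOKALIKE_DIGITS = {"o": "0", "i": "1", "z": "2", "e": "3", "h": "4",
                    "s": "5", "g": "6", "l": "7", "b": "8"}

# Assumed US QWERTY rows.  Each row sits half a key to the right of the
# one above it, so the key to the upper-left of row r, column i is
# row r-1, column i (q -> 1, f -> r, b -> g).
KEY_ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]


def acronym(phrase):
    """Trick 1: first letter of every word, case kept as typed.
    'Pay no attention to the man behind the curtain,' -> 'Pnattmbtc'."""
    return "".join(w[0] for w in phrase.split() if w[0].isalnum())


def substitute_digits(word, table=LOOKALIKE_DIGITS):
    """Trick 2: swap letters for look-alike digits (Football -> F00t8a77)."""
    return "".join(table.get(c.lower(), c) for c in word)


def shift_upper_left(word, rows=KEY_ROWS):
    """Trick 3: replace each letter by the key to its upper-left
    (qwert -> 12345, football -> r995gqoo).  Raises ValueError for a
    character on the top row or off the layout, which has no such key."""
    out = []
    for c in word.lower():
        for r in range(1, len(rows)):
            i = rows[r].find(c)
            if i != -1:
                out.append(rows[r - 1][i])
                break
        else:
            raise ValueError("no key to the upper-left of %r" % c)
    return "".join(out)


def per_site_password(standard, site):
    """'A great idea': one standard password wrapped in two letters of the
    site name (standard + google.com -> gstandardo)."""
    name = site.lower().split(".")[0]       # 'google.com' -> 'google'
    if len(name) < 2:
        raise ValueError("site name too short to take two letters from")
    return name[0] + standard + name[1]


if __name__ == "__main__":
    print(acronym("Pay no attention to the man behind the curtain,"))   # Pnattmbtc
    print(substitute_digits("Football"), substitute_digits("sneakers"))  # F00t8a77 5n3ak3r5
    print(shift_upper_left("qwert"), shift_upper_left("football"))      # 12345 r995gqoo
    print(per_site_password("standard", "google.com"),                  # gstandardo
          per_site_password("standard", "yahoo.com"))                   # ystandarda
```

Seeing the rules as code also shows why the article ends by recommending a password manager: each function is a fixed, easily described transformation of a memorable word, so the secret is really the word plus the rule, not the output.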
An even greater idea
No matter how you approach password management, there's no substitute for having special, complicated and unique passwords for every different website. But how to then remember them all?

There's really only one solution to this. Instead of lowering your password management standards, you can invest in a secure password management tool. Like, ahem, Roboform - see our review of Roboform here.
Summary
In today's world we need a password or PIN everywhere. Let's be honest, remembering our passwords can be annoying and somewhat overwhelming. So instead of keeping up our good password management practices, we tend to be a little less secure so that we can remember our passwords. We do this knowing that we are increasing our risk of exposure, but the alternative can be downright intimidating.

A small investment of your time today will help prevent theft and identity loss tomorrow.
Adapted and extended from an article originally provided by Bill Carey, Vice President of Marketing at Siber Systems, a software company based in Fairfax, VA. Their RoboForm software is a password management & form filling tool. Using RoboForm can resolve a lot of the problems associated with managing different passwords for different websites.
Originally published 23 Dec 2005, last update 21 Jul 2020
You may freely reproduce or distribute this article for noncommercial purposes as long as you give credit to me as original writer.