10 Rules to Protect your Passwords

If you have been following the news, the social media web site Twitter was compromised last month. When the story hit, the “hacker” had copies of Twitter’s most intimate information – financial forecast, employee rosters, etc. Roll back to the 2008 American presidential candidate race, and Sarah Palin, vice president hopeful, was also “hacked.”

I put “hacked” in quotes because they were not violated by a sophisticated technology, nor by some mischevious kids in Eastern Russia. In fact, technology has nothing to do with it. The “hacks” were exploiting flaws in the way that we manage our passwords. We are all doing it and we are all equally exposed.

In the last 10 years, the internet has exploded into our lives. The off shoot is that we are managing hundreds if not thousands of passwords across a myriad of web sites and technologies. On top of all of that, there is no good way to manage all of these passwords. With so many passwords, we all have a vulnerability. The only question is the size. Here is my practical Top 10 guide to keeping you and your family safe by properly managing your passwords.

1

Passwords should be stored between your ears. There is no other solution. All of your passwords should be stored in your brain. Don’t write them on a sheet of paper. Don’t type them in a secret file. If you place your passwords in any place other than your brain, you are opening a huge hole in your personal security from the start.

2

Don’t use guessable passwords based on public information. The name of your wife and your children and your pets are public information. Although they are easy to remember, they are easy for others to surmise as well. Here’s a trick. Open up a dictionary and open it up to a random word and use that word. You get the idea. You can check out this list of passwords to avoid.

3

Never use the same password for everything. Now that you keep all your passwords in your head (see Rule 1), the easiest solution is to remember one and only one password. WRONG. It’s not that easy. The reason is that if someone can figure your password, then they have access to everything that is you. You have just become an identify theft victim of the highest order. This requires a lot of thought. The question is how many passwords are enough? Some people say that one should have a different password for each and everything you do. If you are going to follow Rule #1, the job becomes impossible even for a mathematical genius. It is a dicey game, but your goal is to maximize the number of passwords while still following Rule #1.

4

Don’t let FireFox and IE store your passwords. This is against Rule #1, remember? Yes, it makes your life a lot easier as you cruise from one web site to another without a speed bump. The problem is that you also have made it a lot easier for someone else to see all your most intimate stuff. It really bothers me that both IE And Firefox attempt to store your passwords by default.

5

Do not answer secret questions. The way that Sarah Palin and the Twitter employee were “hacked” were through secret questions. I don’t like secret questions nor do I like web sites that use them. They are a security disaster waiting to happen. It is in violation of Rule #1. These are indeed scary times. Even today, when dealing with telephone support, they always ask a set of ‘secret questions’. They usually are the last 4 digits of your social security number, and your mother’s maiden name. The problem is that it is not hard for a stranger to figure out these pieces of information. Now the problem is worse. They want to know the color of my first car. Or my favorite movie? That one really strikes of stupidity. My favorite movie may change, and therefore I probably won’t be able to remember what I answered 5 years from now.

6

Make your passwords long. The longer your password the better. We all have been exposed to the password strength meter. I guess that old adage is finally true. Size does matter. But seriously, the reason historically for big passwords were so that people could not write computer programs to guess your password. Those days are past. Nowadays, if someone tries to guess a password wrong more than 3 times, quite often the account is disabled. The reason for a long password is different. If someone is looking over your shoulder, or they have seen you type your password a million times, they are less likely to remember a long one.

7

Type your password quickly. I am fortunate because I type quickly. Going back to Rule #6, the slower you type, the longer your password should be. The reason is the same. It’s not hard to figure out someone’s password by looking at their fingers, particularly a slow typist.

8

Don’t use public terminals. I am guilty of this, and I will never do it again. Using public terminals might be fine for getting sports scores and the news, but after that you are running risks. There are lots of people milling about a public area. But more importantly, you have no idea if the terminal has key logging software or other spyware that could be harvested at a later point of time.

9

Your email password is sacred. Of all your passwords, your email password is the most important. Many sites use your email address as your user name. More importantly, almost all sites use your email address as a method of sending a forgotten/lost password. Therefore, if someone has compromised your email, they could go to all your favorite sites and submit that password to be remembered or reset. Then they have access to everything. Your email is the gateway to all of your other passwords.

10

Don’t leave your PC logged on and unattended. I don’t care if you are at work, or the safety of home. Always log off your computer if you are going to be away. It is a good practice and a good habit to get into.

I could make a lot more rules, but there is an underlying point. Your passwords are a web of security holes. The larger or more complex you make the web, the lower your security vulnerability. There is no simple solution, and there is not one size solution for everyone. Some people have good memories. Some type fast. Some only visit a handful of sites. No matter who you are, please follow the above principles to reduce the chance of having your passwords, and potentially your life, violated.

*******************************************************************


Introducing Driver Alert 2.0

Check out PC Pitstop’s all new Driver Alert — now featuring DriverMatic technology that allows you to automatically install new drivers at the click of a button.

Run a Free Driver Alert Scan Today

*****************************************************************

(Visited 445 times, 1 visits today)

39 thoughts on “10 Rules to Protect your Passwords

  1. First I want to thank everyone who has contributed to all the discussion for this topic. This password list has always been a challenge for me since I started in the military too many years ago. When I had to learn how to encrypt messages and interpret incoming messages. Some of the methods we used then are still in practice today, just a lot more sophisticated. Some of the pass codes I used then were 15 – 20 characters long. I used to use different variations of my drivers license which was 17 digits in New York state at the time.
    The best advice I can give is to change your passwords frequently and not repeat them during the course of the year. I am required to change my network password every 45-60 days,
    I also use a protected Excel worksheet to keep track of them and only accessed on an external HD source.

  2. An additional tool to building passwords is to use the name of the website you are logging into. Make up a rule you always follow. Like.. first and last letters of the website added to the front/back of your common password.

    So… if your generic password is te1eph@ne your login at this site might be tptpte1eph@ne (1st last, 1st last + PW)
    Of course… make up a rule that will always work.. like.. don’t say the first and the 5th letter.. if its aol.com oops or say 1s and 5th (or last if its too small)

  3. I’m getting up in years and have significant memory & other cognitive problems. I can’t really count on remembering much of anything! If one is FORCED to use some sort of password storage, what would be best? And I fear Secret Questions because I can’t remember any but the most obvious of them, so even those need to be recorded. And many of them ask questions that can change over time, like favorite book or movie, or your pet’s name. If you can choose your own secret question, I use something silly like, “What is the name of my best friend’s favorite chicken?” There are really only a few members of my or my friend’s family who could answer that. Of course when that chicken goes to poultry heaven I might have to reconsider. But really, should I use a thumb drive & store it hidden? Write info down & hide it? Use one of the “best” of the password storage programs? I need answers! And I need something that lets me access those passwords from my daughter’s computer, or my best friend’s, or even the library — although I wouldn’t use a library computer for accessing my bank or PayPal or drugstore, or anything I really would feel insecure about.

  4. How do you not write the passwords down? Nearly every site I visit has its own login in and password. How do I remember all these?

  5. Question: What is wrong with a secret file. I use a file extension like maybe (HousePlan.dwg)and put It in a list of Drawing files in my autocad program. or you could use the ico extension. There are hundreds of Icon files on a computer. I also use a pass word protected floppy drive with all my passwords (one at the computer and a backup in a safe). I also create some passwords by using a pattern of keystokes on my keyboard. All I have to remember is the pattern and the starting Key. Unless someone can slip a keyloggin program on my computer my system should cause a hacker to move on.

  6. I combine or mix a couple sets of numbers from my mental store of meaningful ones I’ll always remember (but no one else would, especially in combo). Then, I add them to or embed them in alphabetic characters representing a certain unique thing about whatever site I’m registering at (which I have a ‘formula’ for choosing).

    That way, not only do I get more mileage out of the numeric parts, but I’m more likely to remember the password when I return to the site, without having to stop and retrieve it.

  7. I like Maggie’s use of car registration plates – or indeed any data which you can keep in your head I can remember most of mine and my Dad’s, going back to 1945, but that’s kinda freaky!

    One of my favorites is _parts_ of addresses. I can recall all the postal addresses of all the houses and flats I have ever lived in. And even if I could only remember two or three, that would be enough to be useful.) I don’t think I would use my current address . . .

    Some examples of passwords generated from my list of abodes:

    29ColumbineRoad
    77SunsetStrip
    10DowningStreet

    If you use any of those (fictional) you are creating — with ease — a reasonably strong password for which the hacker must know the format as well as the data, The examples all painlessly generate a password with numerals and upper and lower case letters and are long enough for most purposes.

    By the way, I always miss-spell (credibly) my mother’s maiden name; e.g. Smith = Smythe.

    I hope someone will find my ideas useful. Apologies if someone has beaten me to it.

    Regards to all
    Tichard

  8. I tend to rely on my old cars. I have been driving for years and often use the registration numbers, no one even remembers my blue allegro or silver cavalier so i store p/w info under car description!!. I dont use public terminals but watching people put their pin in at checkouts shows just how careless we all can be.

  9. Just a few thoughts. There are several anti-keylogger programs that don’t consume significant system resources. Roboform and other password programs can be encrypted which requires only that you remember the master password and those programs will automatically generate random passwords. Alternatively, you can use the program to generate the password and then print or store it elsewhere. I have a hard copy safe in a place away from my computer and the list on a usb device that is nearby but not apparent so I can access it when I need it. The main rule should be to think. For the secret questions, just use a different answer (that you can remember) – for your mother’s maiden name, use someone else’s name, such as your neighbor, cousin, spouse’s aunt or whatever. Your first car could be a tricycle — it doesn’t matter what you put in so long as you remember it. Again writing it down on a plain piece of paper kept somewhere accessible should suffice. I agree that nothing will keep a determined hacker completely at bay, you simply want them to give up on you and move onto someone easier.

  10. Wow. Talk about unrealistic. I’m surprised there wasn’t an 11th rule for “Change your passwords often.” How can you possibly remember more than ten long, complicated, typed quickly etc. passwords without losing your mind? Using a password manager like RoboForm or one of the others mentioned is definitely the way to go. Use one strong password for the software, let the software create really strong passwords for all the sites, then login automatically. Seems to me password management software is the only practical way to use strong passwords on several different sites.

  11. Actually it looks like some sites do have a policy permitting disclosure of the contents of a deceased person’s account (not sure about password itself), if certain documentation proving an eligible relationship is provided. For example, here’s Gmail’s policy:

    mail.google.com/support/bin/answer.py?hl=en&answer=14300

    (Not sure if web addresses can be posted here, so if nothing appears immediately above, go see:
    Google Help > Gmail Help > Your Account > Privacy & Security > Accessing a deceased person’s mail.)

    Maybe it’s not uncommon for sites to have such policies. And if so but one couldn’t meet the strict proof requirements themself anyway, perhaps an eligible family member would agree to perform the procedure for them…

  12. I use Firefox’s Private Browsing function when I check my bank account or pay bills online. That’s another way to protect your privacy and prevent storage of cookies w/ personal data. In the case of my sister passing away, we all wish we could have had her password/s afterward so we could have preserved her “online stuff” for posterity; she was a young mother and stored all her pics in her myspace. We can’t get them now. I suggest (again) keep your passwords in a notebook that is well hidden at home and keep it updated whenever you change a password, which should be regularly.

  13. Roboform is my answer.

    It is too difficult to remember the 200 unique passwords that I have for varying sites. I will grant you that not all of those sites have important information attached to my passwords, but since they require logging in with a password they now all have fully unique passwords.

    I do agree with the secret question garbage. That is fully exploitable.

  14. one more thing about #9…
    “Many sites use your email address as your user name.”

    Well, let’s not be so stupid to use the same password of the mail address, when subscribing to those sites (or in sites that need or store our mail address)!
    I normally use a set of three/four passwords, and never give them together with the mail address they are referred to. The best thing would be to never use the same password twice, or at least to use totally different passwords for mail addresses.

    As to rule #10, I suggest to use web browsers that allow you to erase all of your data and cookies on shutdown. This means, if you close the window, all of your access data will be reset. Browsers like Kmeleon also allow you to put a tiny bar that allows you to clear the cache, cookies, passwords, or all.

  15. Good advice but unrealistic. I couldn’t function without Siber Systems Roboform, an encrypted password storage program (recommended by your site) Its p/w generator will satisfy your need for the most complex and uncrackable passwords. With only one password needed (to access Roboform) you can easily carry a fairly complex password in your head for this purpose. Robofrom2Go puts it a ll on a memory stick so that you can carry your password library with you on travel and use it on any computer while on the go. Their Goodsynch program is also an invaluable tool for keeping the contents of a desktop and a laptop synchronized.

  16. I really don’t understand the rule about secret questions. I have several financial sites that will not allow me access unless I fill out a Q&A. I agree some answers may change over time but by only answering something you wouldn’t forget, it’s easy (Where were you married? Favorite car?). Nobody else has to know you were married at an altar or Porsche.

  17. this80sgirl brings up another dilemma. How do you transfer your passwords to someone else who may legitimately need them after you die or become incapacitated?

    I also don’t understand Rule #2. I thought that you are supposed to avoid any word that is in a dictionary.

  18. If you can’t write down the numberes and can’t remember all of them (I use at least 30 sites requiring passwords) what do you do? My solution is to use few passwords with minor variations of 10-15 character or more. 1smithjones2, 2smithjones1, 12smithjones, etc. examples

  19. I’m surprised that the article didn’t also mention the advice of changing your passwords periodically. At the companies where I have worked, the system requires a password change perhaps every three months. So if I am advised to use a different password for every website and application, and also change them all periodically, how can I possibly keep them all between my ears? Seems like password overload.

  20. I’m surprised by this advice, and do not think it is entirely accurate or practical. I have more than 100+ passwords and keeping them “between my ears” proved impossible. I solved my password problem by getting RoboForm. I have the desktop, Palm PDA, and flash drive (RoboForm2Go) versions, and keep them all synced up so passwords stay current. I only have to remember one password–the Master PW to open up RoboForm. Much better remembering one Master PW than keeping over 100 in my head. That is just not realistic or doable…

  21. to Lorraine, you are right about the dictionary thing! I think what he meant by ‘Dont answer them’ is don’t actually answer the question. This is also what I recommend. If they ask what your favorite movie is, don’t say “Top Gun” say something like “Bottom Rifle” its similar but nobody else would guess. Or put something totally unrelated like your first car, put American Airlines. Who cares as long as you remember and its secure. This is why I actually advocate keeping a list on paper, but well hidden at home, and keeping notes on all your online accounts. I also Print all registration/join forms right before I click Submit. 10 – 13 digits, alpha-numeric are best (example: Alfa0noo3er1k)

  22. I also published my recommendations for passwords here, pretty close to these, look: http://twitzer.com/1xbw I’ve been on the net for 11 years and never been hacked by following my rules on passwords. I do not use password-remembering software either or let IE/Firefox store them, because after my sister died, someone got her laptop and got into all her accounts. So you’re right on that one especially. Great article and advice (except #1 lol) See http://twitzer.com/1xbw

  23. More reasons why the tips in this article are inaccurate and/or inadvisable:

    #2. “Open up a dictionary and open it up to a random word and use that word.”
    — Dictionary-attack password cracking programs will efficiently hit on any word that appears in a dictionary!!

    #5. “Do not answer secret questions.”
    — At many if not most sites that use secret questions you do not have a choice not to set up/answer them!

    #6. “The reason for a long password is different. If someone is looking over your shoulder, or they have seen you type your password a million times, they are less likely to remember a long one.”
    — The MAIN reason is that long passwords (with a good mix of letters/cases, numbers and symbols) can make the difference between cracking programs taking minutes to hit on the correct combo, or hundreds of years!!

    PC Pitstop’s polished-looking newsletter and catchy headlines always draw me in, but really folks, you’re long overdue for implementing a policy of running each proposed article by several tech and ‘net savvy ‘proofers’ (perhaps ideally not all in-house) before it hits print.

  24. There are lots of other, easier ways to help us remember all these passwords. Using some number/symbols substitution within a password is a good way to help protect & remember your password. for example an “E” = “3”, “I” = “1” or “!”, “S” is “$” or “4” (shift off or on).
    When atm cards first came out & people kept forgetting their 4 digit#, recommended putting it in their wallet with other phone#s, like a made up name “john” (only you know its made up) and making last 4 digits your password (ie 555-3659 where 3659 is your PIN.)

  25. I always use the password redbox for everything but I is street smart enough not to tell anyone this passowrd so I is safe. They don’t get me that easy!

  26. Yes I agree that more people should use fingerprint recognition or an encrypted password generator. Oh and John I have read a lot about whole disk encryption and the problem with that is your anti-virus and anti-spyware cannot detect viruses or spyware. The only time would be if you set them to real-time scanning which will of coarse slow down your computer even more on top of the total disk encryption. Meaning it will only detect viruses in files that you are currently using. So the viruses have a lot of places to hide and the weekly virus scan of your computer is pretty much worthless! From the websites that I read the experts say it is a give and take type of thing. Encryption protects you from hackers but leaves you vulnerable to viruses and spyware!

  27. well, here we go agn……… some one wants in to ur puter, they will get in there… pass words or no . if it is man made, it can an will be broken…

    as far as a pass word, it will only keep honest people honest……..

  28. There are a couple of security features I use which in my opinion are highly useful. For one, my computer has a fingerprint reader, so unless someone chops my finger off (after they’ve worked out what one I have recorded) they’re not going to gain access. I tried unlocking software to attempt to reset the password in the interest of science, and that doesn’t work. So tip one from me is, use fingerprint recognition and an encrypted hard disk.

    If you shop online a lot, go with a bank that uses “webcards”. I have a piece of software on my PC that generates a VISA card number for each purchase I make online. You tell the software the highest amount that can be taken on that transaction, and once the “card” has been used, the number is null and void and cannot be used again. Okay, so the card tip isn’t relevant to passwords completely, but worth a mention all the same……

  29. “…or the safety of home.” So what does “safety” mean?
    Besides, nobody can physically get at my computer at home.

  30. These comments are absolute rubbish and totally unrealistic.
    even the Sarah Palin comments were incorrect.
    C’mon guys do your research before writing on a topic.

    Use roboform or keypass to remember all your passwords.
    I have about 100 passwords… how the hell can I keep those between my ears.

  31. I will never accept that we need to be so alarmed when it comes to passwords, hackers, antivirus protection, etc. Pretty much all of the hype concerning security online is grossly exagerated. Oh, and let me guess, is there any profit to be had by such scare tactics. I can think of some.

  32. So are you saying RoboForm is no good? you have been advertising this software tool for quite a number of years, are you now saying its not a good idea to use it?
    TBH I think some of your comments are absolute rubbish, usually the only people who get caught out are those who are stupid enough to allow others access to there computers or are careless with there own information, hence they can only blame themselves and no one else.

  33. Not all is exactly accurate advice. Your Rule #1 – Store all you passwords in your head? Unrealistic advice. Most security experts recommend a good encrypted password safe, like Bruce Schneier’s Password Safe or Keepass. Oh, and studies have recently shown that password length makes no significant difference as long as you are using a decent mix of letters, numbers, and symbols. Type quickly? Probably cause misspelled passwords more than anything! Most password entry boxes don’t show passwords, and as long as people type two-handed no one will pick it up. Don’t use public terminals? Some folks don’t have a choice. It can be done very safely.

    Your best advice above is probably the “secret question” issue. BTW, the Twitter hacker did not gain access to Twitter’s servers by guessing a password; he used the “forgot my password” form and then hijacked the secondary email where the new password is sent – an expired Hotmail account. No password guessing involved at all.

    Jim

  34. I use “Last Pass” AND its password generator. I only have to remember one password and all the others are encrypted. How does this rate on your 1-10 scale ??

    TKS

  35. My bank is coming out with an “instant” password generator. I don’t know all of the possibilities yet; however, the bank said ATMs, online billpaying, login, history and others would get a long, difficult password generated by the computer for every visit. It doesn’t even hold it for two visits.
    Well, I guess it must in order to get to change it. Not sure of this.

    Have you heard any rumors, facts or Gospel Truth about this subject?

    Many thanks.

    Rob
    Cordova, SC

Leave a Reply

Your email address will not be published. Required fields are marked *