Protect Your Passwords

How many passwords do you have? Think about it for a second. There's your voicemail at home, your voicemail at work, your ATM PIN number, your credit card PIN number, the code for the padlock on your locker at the gym, your login to the network at the office, your login for your ISP at home, your access code for your online banking service, your logins for various web sites, software registration keys ... you get the idea. No matter what you do these days, you need some kind of key or code or number to gain access to protected data.

So you think all your data is protected. But what about your passwords? Do you protect them as much as your data? If you don't keep your passwords safe, then you might as well not have any. Unfortunately many people are guilty of gross negligence when it comes to passwords. Too many people carry paper scraps with passwords around, use insecure passwords, and don't pay attention to where their passwords are going. In this article we'll help you choose secure passwords, keep them safe, and make sure they cannot fall into the wrong hands.

Choosing Secure Passwords

When you are asked to choose a password it is vital that you choose a secure one. If the password is easy to guess you might as well not have one and invite everybody to steal your data. Here are a few basic rules to create a safe password.

Do not be stupid! - This might sound insulting, but it isn't. Do not use the word "password" as the password, NEVER leave the password blank, and do not make the password the same as the user name (where applicable). Countless computers have been cracked because people used these idiotic excuses for passwords.

Avoid the obvious - Do not use simple stuff like your birthday, your pet's name, the name of a favorite band or character, your phone number, social security number, or license plate, simple patterns like qwerty, 12345, AAAAAAA, etc., or any of these examples spelled backwards. The easier it is for you to remember, the easier it will be to guess for somebody else who knows a little bit about you. Your password should never be easy!

Do not use the dictionary - Scripts to crack passwords try the obvious and easy stuff first, including words that can be found in a dictionary. Be more creative than that.

The longer the better - The more characters are in your password, the harder it is to crack. With each additional character the number of possible combinations increases exponentially. If possible, make your passwords at least 10 characters long.

Mix and match - Choose a password that contains upper and lower case letters, numbers, and other characters. The wilder the combination, the better. Example: k#8(F0%6A=s

Change a default password immediately - If you're assigned a password, change it to a new one immediately if at all possible. Never keep using the default password: default passwords are either easy to guess or, chances are, documented somewhere.

Never use your mother's real maiden name - When a credit card application or anything else asks for your mother's maiden name, use a fake one. People can easily find out the real maiden name via your birth certificate and marriage certificate. Using a fake one prevents scammers from using the real one to pose as you and get access to your bank or credit card records.

Keeping Your Passwords Safe

Now you've chosen a secure password - but the best passwords are useless if you don't keep them safe. Since your passwords are the key to your life, you should protect them accordingly. Here are a few basic rules to protect your passwords.

Do not write them down in your day planner - Some people keep their life in their day planners, including a list of their passwords. If that planner gets lost or stolen, you're screwed.

Do not store them in your PDA - Same case as with day planners. PDAs are lost or stolen very easily. Do not let your life get lost or stolen with your PDA.

Do not store them in your wallet - Many people carry scraps of paper with passwords scribbled on them in their wallets. It's already bad enough that most people have their credit cards, driver's licenses, and social security numbers in their wallet. Do not make it worse by adding your passwords and PIN numbers.

Do not share your passwords - You should be the only person in the world who knows those codes. They are nobody else's business, and that includes spouses, best friends, coworkers, etc. There are countless cases where people got screwed because they shared passwords with people they initially thought trustworthy. Be especially suspicious if somebody wants to verify your password or asks you for it in any form. Scam artists try to pose as a representative from your bank/ISP/whatever and call to verify your password with some cockamamie story. There is never a reason to tell anybody your password.

Do not reuse old passwords - Always generate fresh, new passwords that carry no possibility of having been compromised in the past.

Do not use the same password for multiple accounts - Use a unique password for each account or login. This way, if one is compromised, your other accounts are still safe.

Change your passwords on a regular basis - As a precautionary measure you should change your passwords periodically, just in case somebody saw you type one or somehow found out about one of them.

Computer Password Security

The same amount of caution you take with your keys and ATM card PIN number should also be applied to online password safety. Do not assume that your computer is safe. There are many ways that your computer can be compromised or abused to pose as you. Here are a few basic rules to protect your computer logins.

Log off when you're done - Always log off when you're done working on the computer. If you don't log off, somebody else can use the machine after you while your session is still active and abuse your privileges. This is especially important if you log into a network, e.g. at work or school, or in a shared environment such as a lab.

Lock your workstation - When you leave your office or cube to go to the bathroom/lunch/smoke break/flirt with the receptionist/whatever, secure your workstation. Either log off or lock it by pressing Ctrl-Alt-Del and selecting Lock Computer (for Windows NT, 2000, XP).

E-mail is insecure - Never send password information via regular e-mail. The information is transmitted in clear text and can be intercepted at any point on its journey with packet sniffers. Sending e-mail is the same as writing a letter on a piece of paper, then handing the paper unfolded, without an envelope, to your mailman and letting it go through the hands of hundreds of postal workers until it reaches its destination.

Use encryption - If you really have to send confidential information via e-mail, use encryption software such as Pretty Good Privacy - PGP - http://web.mit.edu/network/pgp.html. This will encrypt the message and allow it to be read only by the designated recipient using the correct key.

Never distribute login and password together - If you have to pass on login information, always separate the user name from the password, even if you're using encryption. If they are in the same message and get intercepted, the damage is done. But separated, one is useless without the other.

Do not use Internet Explorer's AutoComplete feature - Internet Explorer version 5 and higher includes a feature called AutoComplete. It can make life easier by remembering the user names and passwords you typed in your browser when logging on to a web site or HTML-based login interface. However, this login information is stored in your registry and can be retrieved and cracked. Or, even easier, somebody else can use your browser and log in as you by selecting the user name from the dropdown menu and having the password filled in automatically. Turn AutoComplete off and clear its password history by going to Start / Settings / Control Panel / Internet Options / Content / AutoComplete.

Do not use online storage for passwords - Some web sites offer services to help you organize your passwords, keep them in one place, and have them stored online so you can access them from any computer. Nice idea, but how do you know you can trust them? You have no idea how secure their system is. Don't trust anybody. You also don't know how long that service will be around and what happens to the data if they go down the river. It has happened more than once that confidential data was discovered on used hard drives and other storage media.

Do not check the box to remember your password - Many programs and/or dialog boxes offer a checkbox to remember your password for you. This makes life very convenient but also terribly insecure. Anybody else who uses your machine can use your login information to read your e-mail, access the network, etc. Always take the few seconds it takes to enter your password manually. It's worth it.

Only transmit data online over a secure connection - When you're online and have to enter confidential data in a form, such as your credit card number, social security number, driver's license number, etc., always check first to see if the data will be transferred over a secure connection. Look for the closed padlock symbol in the bottom right corner of your browser's status bar. A closed padlock means the information will be transferred encrypted and secure.

Do not assume application-level password protection is safe - Many applications offer built-in security in the form of optional password protection. For example, Word lets you set passwords to read and/or edit documents, and WinZip lets you set passwords to open and extract WinZip archives - just to name two. But neither one is safe. Cracking those passwords doesn't even require any skill; scripts to crack them can be downloaded from the Internet. Don't store any data in password-protected Word documents or Zip files. They are not safe.

Let's be reasonable

Here are a few tips to make it easier for you to choose a secure password that you can remember and to store it safely.

Make your password a combination of items you know, but in a way that is impossible to guess. For example, take the first two letters of your mother's maiden name, the third and fourth digits of your Social Security number, the fifth and sixth digits of your license plate, and the seventh and eighth letters of your favorite athlete's last name. These are all things you easily remember, but combined like this as a password they are extremely hard to crack.

Use keyboard patterns. Look at this password example: z3Z#x4X$c5C% - Looks pretty nasty, doesn't it? It's a great password to use. But take a moment to type it on your keyboard and you'll see there is a pattern to it that can be remembered. Make up your own pattern; be creative. Don't use a simple one like 12345 or qwerty.

If you have to document your passwords somewhere, do it safely. Use a program like Counterpane's Password Safe - http://www.counterpane.com/passsafe.html - to store your passwords in an encrypted file.

In Conclusion

After reading all these tips and guidelines you'll probably think "This is impossible! How can I have so many difficult passwords and remember them all without writing them down?" Granted - not many people will be able to observe all guidelines. But hopefully after reading this article you'll be aware of where your password weaknesses lie and correct them to make them safer. Keep in mind that these guidelines are not made up. Many passwords have been compromised because people did not follow one or more of these rules.

http://www.PCNineOneOne.com
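The rules from the "Choosing Secure Passwords" section above (not blank, not the word "password", not the user name, no dictionary words forwards or backwards, no personal facts, no keyboard or counting patterns, at least 10 characters, all four character classes mixed), written up as a checker, together with the keyspace arithmetic behind "the longer the better" and a generator that only returns passwords the checker accepts. This is an added example and not code from the article or from PCNineOneOne; the word list, the pattern list and the personal facts passed in are constructed stand-ins, and the function names are my own.

```python
import math
import secrets
import string

# Constructed stand-in for a cracking dictionary. Real wordlists hold millions
# of entries; the rule being demonstrated is the same at any size.
COMMON_WORDS = {
    "password", "letmein", "welcome", "monkey", "dragon", "football",
    "sunshine", "princess", "baseball", "shadow", "master", "secret",
}

# Keyboard and counting patterns of the kind the article warns against.
OBVIOUS_PATTERNS = ("qwerty", "asdfgh", "12345", "123456", "abcdef", "zxcvbn")

MIN_LENGTH = 10  # the article's "at least 10 characters"


def character_classes(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, other) appear."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_other = any(not c.isalnum() for c in password)
    return sum((has_upper, has_lower, has_digit, has_other))


def check_password(password: str, username: str = "",
                   personal_facts: tuple = ()) -> list:
    """Return the article's rules that the password breaks (empty list = passes).

    personal_facts is a caller-supplied tuple of strings (birth year, pet's
    name, licence plate, ...) that must not appear forwards or backwards.
    """
    if not password:
        return ["password is blank"]
    problems = []
    low = password.lower()
    if low == "password":
        problems.append("password is the word 'password'")
    if username and low == username.lower():
        problems.append("password equals the user name")
    if low in COMMON_WORDS or low[::-1] in COMMON_WORDS:
        problems.append("dictionary word (forwards or backwards)")
    for fact in personal_facts:
        f = fact.lower()
        if f and (f in low or f[::-1] in low):
            problems.append(f"contains personal information ({fact!r})")
    for pattern in OBVIOUS_PATTERNS:
        if pattern in low or pattern[::-1] in low:
            problems.append(f"contains obvious pattern ({pattern!r})")
    if len(set(password)) == 1:
        problems.append("single repeated character")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < 4:
        problems.append("does not mix upper, lower, digits and other characters")
    return problems


def combinations(charset_size: int, length: int) -> int:
    """Possible passwords for a charset and length: every extra character
    multiplies the count by charset_size, which is the exponential growth
    the article refers to."""
    return charset_size ** length


def keyspace_bits(charset_size: int, length: int) -> float:
    """The same quantity expressed in bits, the usual way to compare keyspaces."""
    return length * math.log2(charset_size)


# Upper, lower, digits and punctuation: 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 12) -> str:
    """Draw characters with the secrets module (a CSPRNG, not random.choice)
    and keep drawing until the result passes check_password()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs: a user "jsmith" whose pet is Fluffy, born 1990.
    facts = ("Fluffy", "1990")
    for pw in ("", "password", "jsmith", "Fluffy1990", "ytrewq", "k#8(F0%6A=s"):
        print(repr(pw), "->", check_password(pw, "jsmith", facts) or "OK")
    for n in (6, 8, 10, 12):
        print(f"{n} chars from 94 symbols: {combinations(94, n)} "
              f"({keyspace_bits(94, n):.1f} bits)")
    print("generated:", generate_password(12))
```

The article's own example k#8(F0%6A=s passes every rule, while "Fluffy1990" fails on personal information, length and character mix at once; the combinations() table shows why the article asks for 10 characters rather than 6.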