Thursday, October 31, 2002

How to remember all your passwords

Until more secure sign-on mechanisms evolve, your ID and password are the only line of defense you have against other people gaining access to your online assets. For those of us who manage hosted websites — especially if we use multiple hosted services — that adds up to a lot of vulnerability. It also adds up to a lot of passwords, even more so if you follow the recommendations of security experts to change your passwords as often as once a month. Since effective passwords are by their nature harder to remember, the temptation is to start writing them all down somewhere, which of course undermines the entire exercise.

The only realistic solution is to have a system that reduces the number of passwords you have to remember to a manageable level. For most people, six to eight passwords should be sufficient, provided they're carefully chosen and sensibly maintained. Here are some tips designed to make this as painless as possible, based on my own experience:

Never compromise your passwords — Don't make it easy for hackers to identify your key passwords and authorization codes:

  1. You wouldn't tell someone your credit card PIN over the phone (you wouldn't, would you?), so don't give out your password by phone or in an email.
  2. If you sign up with a service that emails you your password in plain text, regard that password as compromised and don't use it for logins that need to stay secure.
  3. Don't give the same password you use for online banking when you sign up for an ecommerce site you've never heard of.
  4. Many banks and utilities use your mother's maiden name and your place of birth as a security code when you contact them by phone, so don't use these names as online passwords (especially not in conjunction with a reminder phrase that identifies what the names are).

You may trust the provider you're signing up with, but are you confident no-one will hack into their database? If in doubt, err on the side of caution — be safe, not sorry.

Make passwords hard to guess but easy to remember — When making up passwords, start by thinking of words, names and numbers that only you know, preferably from deep in your past rather than the present. For example, the name of the first person you had a crush on, the phone number of your first workplace, the license number of your first car, the name of your first pet, or the nickname of a friend at school — once you start thinking about it, the possibilities are endless. Any of them will work fine for low-security purposes. For doubly secure passwords, combine words and numbers, preferably from different sources, for example the nickname followed by the last four digits of that phone number. For extra-secure passwords, mix upper and lower case letters in a pattern that makes sense only to you, and add an underscore, asterisk or exclamation mark somewhere in between (an example might be AliMcB!212).

Use the same low-security passwords for the vast majority of sites — Many sites insist on your having a password so that you can log in to modify your user preferences. Very often, you don't store any important or sensitive information at such sites, and it wouldn't matter if someone else started impersonating you. So have one or two passwords that you don't care about to use with such sites. This especially applies to sites run by organizations you're not familiar with, or that you suspect of having poor security policies. Never use the same password on such sites that you use for more sensitive purposes, such as accessing your online banking account.

Have a set of double-security passwords for sensitive, non-financial sites — Although using the same password for multiple sites is a security risk, it's the only practical course if you have a lot of different accounts to maintain. Making those passwords hard to guess reduces the risk, so combine words and numbers for these passwords, and preferably mix upper and lower case characters as well. You can contain the risk by using several separate passwords of this type, so that if one of them is compromised, the others remain secure.

Vary a digit for easier monthly changes — If a system forces you to dream up a new password every month, make it easy on yourself by just varying a digit every month but keeping the basic form the same. You don't have to make it too easy for hackers, though. Instead of counting up from 1 to 9, why not start at 06 and count through the 6 times table? You can be creative without giving yourself a headache.

Keep financial passwords completely separate — Never use the same passwords for accessing financial accounts, such as online banking or trading, as you do for website maintenance or online shopping. It's careless — the only thing worse would be using your PIN as an online password (you don't, do you?).

Use extra-secure passwords for master accounts — Reserve your top passwords for accounts that control other passwords — for example, if an intruder used the FTP password for your website, they would get access to your .htpasswd file, which would compromise all the passwords stored there, too. These extra-secure passwords are so important that they should be changed regularly, provided you can be sure you won't forget your new password!
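The tiering rules above are easy to state and easy to drift away from as accounts accumulate. As an added example (not code from the original post), here is a small Python audit that encodes those rules and runs them over a constructed account list; the tier names, the sample sites and passwords, and the security-check answers are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of (site, tier, password) records; none are real credentials.
# Tiers follow the post: "low" throwaways, "double" for sensitive non-financial
# sites, "financial" accounts, and "master" accounts (e.g. FTP, which exposes .htpasswd).
ACCOUNTS = [
    ("forum.example", "low", "sparky"),
    ("newsletter.example", "low", "sparky"),        # throwaway reused: allowed
    ("webhost.example", "double", "AliMcB212"),
    ("photos.example", "double", "sparky"),         # sensitive site on a throwaway
    ("bank.example", "financial", "AliMcB212"),     # financial password shared with webhost
    ("ftp.example", "master", "AliMcB212"),         # master account reusing a non-extra password
    ("utility.example", "low", "McBride1970"),      # built from a phone security-check answer
]

# Constructed stand-ins for the answers phone support asks for (maiden name, birthplace).
SECURITY_ANSWERS = {"mcbride", "dublin"}


def strength(pw):
    """Classify a password on the post's scale: 'low' (a word or a number alone),
    'double' (letters plus digits), 'extra' (also mixed case and one of _ * !)."""
    lower = re.search(r"[a-z]", pw) is not None
    upper = re.search(r"[A-Z]", pw) is not None
    digit = re.search(r"\d", pw) is not None
    symbol = re.search(r"[_*!]", pw) is not None
    if digit and (lower or upper):
        return "extra" if (lower and upper and symbol) else "double"
    return "low"


def audit(accounts, security_answers=SECURITY_ANSWERS):
    """Return (site, problem) findings for every account that breaks a rule in the post."""
    findings = []
    users_of = defaultdict(list)          # password -> tiers where it is used
    for _site, tier, pw in accounts:
        users_of[pw].append(tier)
    for site, tier, pw in accounts:
        if tier == "financial" and set(users_of[pw]) != {"financial"}:
            findings.append((site, "financial password reused elsewhere"))
        if tier == "master":
            if len(users_of[pw]) > 1:
                findings.append((site, "master password reused"))
            if strength(pw) != "extra":
                findings.append((site, "master password is not extra-secure"))
        if tier == "double" and strength(pw) == "low":
            findings.append((site, "sensitive site uses a low-security password"))
        if any(answer in pw.lower() for answer in security_answers):
            findings.append((site, "password contains a security-check answer"))
    return findings
```

Running `audit(ACCOUNTS)` on the sample reports five findings: the financial password shared with the web host, the master account's reused and merely double-strength password, the sensitive photo site on a throwaway, and the utility login built from a security-check answer.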

posted by Phil 8:18 AM (GMT)

Copyright © 2002-2006, Procullux Media Ltd. All Rights Reserved.