March 11, 2010

Do Not Pass Go… without a good password

Information Level: Basic

Account theft, credit card fraud, not to mention full-blown identity theft, are becoming an ever more serious threat to everyone. Your first line of defense is the passwords you use online… are they up to the challenge?

If any of your passwords is a single word that can be found in a dictionary, the answer is NO. Such passwords fall to a “dictionary attack” almost immediately: a criminal simply points a program at a wordlist and lets it try every entry (plus the obvious variations, such as a capital first letter or a digit tacked on the end) until one matches. Against a single dictionary word, that takes minutes at most.

To make sure you have strong passwords, follow these rules:

  • All your passwords should be longer than six characters (and the longer the better, since length does more for you than any other rule) and include a mix of uppercase (ABCDE), lowercase (abcde), numbers (12345), and special characters (?!@#$%^&*).
  • Your password should never be a name, a slang word, or any word in the dictionary. A dictionary word with a capital letter or a digit stuck on the end (Monkey1, salad!) still counts as a dictionary word, because cracking tools try those variations automatically. It should never include part of your name or your email address.
  • When possible, use passphrases instead of passwords. Even if you’re limited in the number of characters you can use, turn a long phrase into a jumbled short one. “Soup and salad go together” can become “SaSg0T0g3th3r!”.
  • Use a DIFFERENT password for every single account you access, so that if the company you have the account with gets compromised, the criminals cannot simply try the stolen password on every other site you use.
  • Use STRONGER answers for “security questions” than the passwords you make. The honest answer (a mother’s maiden name, a first school, a pet’s name) is often public or easy to guess, and guessing it lets a criminal reset your password without ever cracking it. A random answer, written into a password manager, works just as well for you and far worse for them.
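To make the two halves of this concrete, here is an added example (not part of the original post) in Python. It runs the dictionary attack described above against a few password hashes, trying each word from a small constructed wordlist together with the cheap variations real crackers add, and then applies the rules from the list as a checker. The wordlist, the sample passwords and the name/e-mail address are all made up for the example, and unsalted SHA-256 stands in for whatever form a breached site actually stored the passwords in.

```python
import hashlib
import re
import string

# Constructed, tiny wordlist standing in for a real cracking dictionary
# (a real attack loads a file with hundreds of thousands of entries).
WORDLIST = [
    "password", "letmein", "monkey", "dragon", "welcome", "sunshine",
    "princess", "soup", "salad", "together",
]


def variants(word: str):
    """Cheap variations a cracker tries on every dictionary word."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "!"
    yield word.capitalize() + "1"


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, assumed here as the form in which a site stores
    the password; weaker storage (plain text, MD5) only makes this faster."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash: str, wordlist=WORDLIST):
    """Hash every word (and its variants) until one matches the stolen hash.
    Returns the recovered password, or None if the wordlist was exhausted."""
    for word in wordlist:
        for candidate in variants(word):
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def check_password(password: str, name: str = "", email: str = ""):
    """Apply the rules from the list above. Returns a list of failed rules,
    empty when the password passes all of them."""
    problems = []
    if len(password) <= 6:
        problems.append("too short: must be longer than six characters")
    classes = {
        "uppercase": string.ascii_uppercase,
        "lowercase": string.ascii_lowercase,
        "digit": string.digits,
        "special": string.punctuation,
    }
    missing = [k for k, chars in classes.items()
               if not any(c in chars for c in password)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    lowered = password.lower()
    # A dictionary word with a capital or a digit stuck on is still a
    # dictionary word: it is exactly what variants() tries.
    if any(lowered == v.lower() for w in WORDLIST for v in variants(w)):
        problems.append("is a dictionary word or a trivial variation of one")
    # Any run of three or more letters from the name, or from the part of
    # the e-mail address before '@', must not appear in the password.
    personal = set(re.findall(r"[a-z]{3,}", name.lower()))
    personal |= set(re.findall(r"[a-z]{3,}", email.split("@")[0].lower()))
    if any(token in lowered for token in personal):
        problems.append("contains part of your name or e-mail address")
    return problems


if __name__ == "__main__":
    for pw in ["monkey", "Salad1", "SaSg0T0g3th3r!"]:
        print(f"{pw!r:20} -> cracked as {dictionary_attack(sha256_hex(pw))!r}")
    for pw in ["soup", "SaSg0T0g3th3r!", "Smith2010!"]:
        result = check_password(pw, "John Smith", "jsmith@example.com")
        print(f"{pw!r:20} -> {result or 'OK'}")
```

Run as-is, it recovers “monkey” and “Salad1” from their hashes on the first pass through the wordlist and gives up on “SaSg0T0g3th3r!”, which is the whole point of the jumbled passphrase: it is not in any wordlist, and it is too long for a brute-force sweep of every character combination.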

Now that you have good passwords, don’t write them down or allow your programs to save them! If you allow applications to save your passwords, anyone with physical access to your PC can use them and access your accounts. Even assuming that the people in your house, and those you allow into your house, are trustworthy enough not to ever steal your passwords, your computer/laptop is a prime target for burglary/theft.

Once you allow an application to “Remember Password,” that password is only as safe as the machine it sits on, even if your Windows account is password protected. Someone with physical access to the computer can boot it from a CD or USB stick, bypass the Windows login entirely, and recover saved passwords from Outlook, Instant Messenger, Wi-Fi, Internet Explorer, Firefox, Chrome, or any number of other applications with freely available tools. Whole-disk encryption is the only thing that protects those files while the machine is switched off; without it, treat anything saved on the disk as readable by whoever ends up holding the laptop.

Since you shouldn’t let your applications remember all those passwords, and writing them on a sticky note stuck to your monitor is a BAD idea, how do you keep track of them all?

There is a secure way to store all your passwords: use a “password manager,” a program that stores all your account passwords but keeps them safe by encrypting them with a key derived from a single master password. There are several great password managers to choose from. The one I use and recommend is KeePass. It’s free and it works great. Use it to store your passwords, protect the database with a STRONG master password, and now the master password is the only one you have to remember.

Another tool I use to store passwords is Firefox – it has a full password manager built right into the application. I know I said earlier that checking “save password” in an application is a very bad thing. Well, here is the exception. You can use Firefox to save the passwords for all your web accounts – as long as you enable a Firefox Master Password by going to “Tools” –> “Options” –> “Security” and checking the box for “Use a master password.” Without a master password, Firefox still encrypts the saved logins, but the key is stored right next to them in your profile folder, so anyone who copies that folder can read every one of them. Once you’ve set one, Firefox stores your online passwords encrypted so only you can access them – just make sure you use a master password with more than 10 alpha-numeric characters.

Now, each time you start Firefox and go to a site that requires a saved password, you’ll first be prompted for your master password. By default, the master password authentication stays active for the entire session, so you won’t have to enter it again until you close and restart Firefox – which also means that while Firefox is open, anyone at your keyboard can use those saved passwords, so lock your screen or close the browser when you walk away.

The most important thing after making sure you have your data safe (BACKUP!) is making sure no one else can get it. Using strong passwords goes a long way toward doing that, and using a password manager lets you do that without having to remember dozens of passwords.