Protecting Your Passwords
Online security represents a balancing act between security and convenience, and security researchers say most users make poor choices when they create their passwords.
PC users have long regarded passwords as a necessary evil and, although they generally understand the need to have a strong password, most dilute their online security by choosing easy-to-guess passwords or using the same passwords on a wide range of sites.
What's the risk of weak passwords? Web-based email and documents sites generally rely only on a user ID and password combination for protection. And with more small businesses relying on applications and data that are accessed online, choosing strong passwords and changing them on a regular basis is more important than ever.
Mistakes to Avoid
One of the most common mistakes people make when they select passwords is using very obvious candidates such as "password" or "qwerty" (the first six letters in the top letter row on a standard keyboard).
A study of usernames and passwords harvested when criminals created a fake log-in page for the social networking site MySpace revealed common passwords such as:
Other easy-to-guess passwords can include pet names, hometowns, street names, and similar information that many users display on social networking sites without thinking about the consequences. Put a few clues online and someone running a Google search may find enough other details to complete the picture, or to make informed guesses.
These easy-to-learn details can be especially dangerous when used with a weak password recovery system on a site. Someone could hit the "Forgot your password?" link on a site, for instance, and answer the verification questions to change a password and take over an account by locking out the legitimate user.
A related mistake many people make is using the same user ID and password combination on a variety of sites. While this approach means your passwords are easier to remember, it increases the risk of having your password compromised in several places if someone guesses it, or if a rogue employee at a legitimate site hacks users' passwords.
Similarly, just about any word that's been printed in a dictionary can be guessed using password-recovery programs that are used by the good guys as well as the bad guys. Most Web sites will lock out accounts after a number of unsuccessful log-in attempts to guard against these types of attacks.
Security researchers advocate using a phrase known only to you as the basis for a password that seems to be gibberish, but is still easy to remember. Including uppercase letters and numbers increases the complexity and security of your password. For instance, you could use an expression such as "My favorite sandwich has Bacon and 704 calories" to derive the password "MfshBa704c." With 10 characters, a blend of upper- and lowercase letters, and numbers, this expression would form a strong password (as well as a reminder to eat healthier sandwiches once in a while).
One potential drawback of this approach is the need to create specific phrases for different sites to avoid falling into the repeated-password trap we described earlier.
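To make the phrase technique concrete, here is an added Python example (not code from the original article) that derives a password from a phrase the way described above and then checks the result against the article's own criteria: at least 10 characters, upper- and lowercase letters, digits, and not a dictionary or common password. The short common-password list is a constructed stand-in; a real check would load a much larger word list.

```python
import string

# Constructed stand-in for a dictionary / common-password list (assumption:
# a real deployment would load a large word list or breached-password corpus).
COMMON_PASSWORDS = {"password", "qwerty", "123456", "letmein", "welcome"}


def derive_password(phrase: str) -> str:
    """Turn a memorable phrase into a password as the article describes:
    keep the first letter of each word (case preserved) and keep numbers whole.
    Surrounding punctuation such as commas or a trailing period is ignored."""
    parts = []
    for token in phrase.split():
        word = token.strip(string.punctuation)
        if not word:
            continue
        parts.append(word if word.isdigit() else word[0])
    return "".join(parts)


def strength_issues(password: str) -> list:
    """Return the article's checks that the password fails (empty list = passes)."""
    issues = []
    if len(password) < 10:
        issues.append("shorter than 10 characters")
    if not any(c.isupper() for c in password):
        issues.append("no uppercase letter")
    if not any(c.islower() for c in password):
        issues.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        issues.append("no digit")
    if password.lower() in COMMON_PASSWORDS:
        issues.append("matches a common/dictionary password")
    return issues


if __name__ == "__main__":
    phrase = "My favorite sandwich has Bacon and 704 calories"
    pw = derive_password(phrase)
    print(pw, "->", strength_issues(pw) or "passes all checks")
    print("qwerty", "->", strength_issues("qwerty"))
```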
With the need to manage an ever-growing list of ever more complex passwords, more users are turning to password management applications for help. Programs available for Windows and Macintosh computers can generate strong passwords composed of random character strings, and store those passwords (and user IDs) on your computer. To log onto a password-protected site, the password management application enters the information into the appropriate fields.
Most password management programs give you the option of requiring a master password when the program launches, or when it's about to log you in to a site. This approach allows users to remember a relatively simple password on their computer, and a more complex one for the Web site.
Some applications keep your passwords only on your computer, while others give you the option to encrypt your data and store it on a secure Web site (assuming users are willing to trust the site enough to upload their passwords).
If you're only going to store your passwords on your PC, look for a program with an option to export your password list so you can maintain a current backup. You wouldn't want a hard-drive failure on your primary computer to wipe out your password list. You'd probably be able to recover the passwords from the individual Web sites, but would face a lot of time and effort to do so.
A password management program, along with some time and attention devoted to choosing good passwords, will go a long way toward tipping the security/convenience balance more toward protecting yourself online.