Wednesday, June 4, 2008

Does your password pass the test?



This post is the latest in an ongoing series about online safety. - Ed.

One of the things I work on is password security. And because I'm someone who pays close attention to passwords and how people use them, I sometimes hear interesting stories. For example, a couple of my colleagues are so careful about the security of their passwords that they generate a random eight-character string, memorize it, and then use it as their password for two to three months. After that time elapses, they start the process over again and generate a new random password.

Do we all need to be that careful about our passwords? Probably not. But passwords are one of the web's most important security tools. Whether it's for your Google account, your banking center, or your favorite store, choosing a good password and keeping it safe can go a long way toward protecting your information online.

So how do you choose a good password, and then keep it safe? A few of these tips can help:
  • Avoid common elements when choosing your password. Specifically, you should avoid using words or phrases from the dictionary, especially things that are easy to guess, like "password," "let me in," or the name of the site you're logging into. You should also avoid using keyboard patterns, such as "asdf1234" or "aqswdefr," or personal information, such as birthdays, addresses, or phone numbers.
  • Make your password as unique as possible. Once you've settled on a good base for your password, you should go a step further and add in numbers and non-alphanumerical characters, mix in upper-case letters, or use similar-looking substitutions for parts of the password, such as "$" for "s," "1" for "l," and "0" for "o."
  • Create different passwords for different sites. Doing so will help ensure that if one password is compromised, the others will remain secure. You may not be able to have a unique password for every place you visit on the web (for some of us, that would be a lot of passwords to manage), but alternating between a set of different passwords across the web and making sure all accounts that contain highly sensitive information (like email accounts or online banking accounts) have unique passwords is a good place to start.
  • Don't share your passwords with anyone. Not family, not friends, not anyone. This may seem a little strict, but the reality is the more people you share your password with, the greater your chances of having that password compromised will be. Also, if you need to write your passwords down, keep them away from your computer, and never send them in emails. And if you suspect someone might have discovered one of your passwords, change it immediately.
  • Be careful how you share your information online. Some online services -- such as social networking sites and gadgets that scrape information from other products -- may ask you for a password or an API key. If you choose to use these kinds of services, take a few minutes to learn more about what they do to keep your sensitive information secure. And just like sharing passwords with other people, you should be aware that sharing this information increases the chances that it could be compromised.
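
The first tip above can be turned into an automated check. The following is an added example, not code from the original post: it flags passwords that contain a common word or phrase, the site name, a keyboard pattern, or caller-supplied personal details. The function names, the short word list, the site name "Example Bank" used in testing, and the four-key threshold are all assumptions made for illustration.

```python
import re

# Constructed sample list; a real check would load a large common-password list.
COMMON = ["password", "let me in"]
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def _norm(text):
    """Lower-case and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def longest_keyboard_walk(password):
    """Length of the longest run of characters typed on neighbouring keys."""
    best = run = 0
    prev = None
    for ch in password.lower():
        pos = KEY_POS.get(ch)
        if pos is None:
            run = 0  # symbols and spaces break the walk
        elif (prev is not None and pos != prev
              and abs(pos[0] - prev[0]) <= 1 and abs(pos[1] - prev[1]) <= 1):
            run += 1
        else:
            run = 1
        prev = pos
        best = max(best, run)
    return best


def weak_reasons(password, site_name="", personal=()):
    """Return the reasons a password matches the 'common elements' to avoid."""
    reasons = []
    flat = _norm(password)
    for word in COMMON:
        if _norm(word) in flat:
            reasons.append(f"contains common word or phrase: {word!r}")
    site = _norm(site_name)
    if site and site in flat:
        reasons.append("contains the site name")
    if longest_keyboard_walk(password) >= 4:  # threshold is an assumption
        reasons.append("contains a keyboard pattern")
    for item in personal:
        token = _norm(item)
        if len(token) >= 4 and token in flat:  # ignore very short fragments
            reasons.append("contains personal information")
            break
    return reasons
```

The keyboard check is a heuristic: it treats any four keys in a row that touch each other as a pattern, so it catches both straight runs like "asdf1234" and zigzags like "aqswdefr", and it can occasionally flag an ordinary word.
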
Another thing that can help keep your password secure is choosing a good security question and answer on the sites that offer that option. You've probably seen this before: When you're creating an account on many sites, you will be asked to choose a question to verify your identity if you forget your password.

Some sites will let you write in your own question; in these cases, you should make sure the Q&A you create isn't something that's easy to guess or something that your family and friends would know. Other sites will present you with a list of preset questions to choose from, such as "What is your mother's maiden name?" These kinds of questions are less secure, as their answers are easier for other people to guess. In these cases, you should find a way to make your answer unique -- whether it's using the tips above, or by adding in other information -- so that even if someone guesses the answer, they won't know how to enter it properly.

Read more about choosing a good password and security question.
