By Gabriel Goldberg
Password dilemma: We can't live an online life without them, but if they're too numerous to remember, they encourage unsafe practices. What to do?
First, basics. A password is just the key that opens a computer lock. It may gain access to a newspaper's online edition, protect banking records, let you bid on auctions, open a frequent-flyer account, or do anything requiring verified identity.
Some Web sites assign passwords; most allow choosing them. Rules for selecting passwords are easy to find but are often impractical. Don't use easily guessed familiar names or words; use letters and numbers and special characters? OK. Avoid anything related to facts about yourself? Makes sense. Don't share passwords with anyone? Good advice. Change passwords periodically? Oops, it's a memory test. Use unique passwords everywhere? Hm, that takes a *lot* of passwords. Don't write them down or store them in a computer file? Tilt!
Maintaining passwords is a nuisance. So some people use one password for everything -- a bad idea, since sharing or compromising one access opens them all. Password hierarchies are common: use one password for financial matters, another for commerce, and one for trivials such as newspaper sites. That avoids revealing your sensitive e-mail/password combination to junk Web sites.
But don't use a common password for all e-commerce sites (amazon.com, buy.com, etc.) since they're occasionally hacked. And treat sites like PayPal as financial rather than e-commerce. And don't just guess which password you used on a site; some sites lock accounts after just a few failed logins.
As passwords proliferate, it's common to store them in a computer file. And having too many site-assigned passwords guarantees the need to record them. But please, don't call the file "passwords.txt" and don't use the word "password" in it. The paranoid and geeky encrypt such files, but that risks losing the file by forgetting the encryption key.
You can print and save registration pages, but that leads to bulky files, cumbersome to search and requiring updating. Some people use an address book or print lists of sites and accounts, then handwrite passwords. But that still needs updating, and can be lost, destroyed, or found by someone untrustworthy. If you have multiple e-mail addresses, note which you use on a given site, since that's often the key for logging in or receiving password reminders.
Hackers use special software to attack logins, applying dictionary word lists and other guessing techniques. Passwords are described as "strong" (hard to crack) if they have at least eight characters, include upper/lower case and punctuation characters and at least one digit. So even if you use a memory aid for remembering passwords -- such as words from a poem -- convert them to strong passwords in a way that only you will know.
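As an added illustration, not part of the column, the following Python applies the column's stated "strong" checklist (eight characters, upper and lower case, punctuation, a digit) and then runs the kind of word-list lookup a guessing program performs, with common letter substitutions undone. The point it shows is that a password can satisfy the checklist and still be a dictionary word in disguise. The word list, the substitution table, the character-class sizes and the sample passwords are all constructed for the example.

```python
import math
import string

# Constructed stand-in for a cracker's word list (real lists hold millions of entries).
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "sunshine", "dragon"}

# Substitutions a guessing program folds back to letters (an assumed, illustrative set).
SUBSTITUTIONS = str.maketrans("@013$!", "aolesi")

# Assumed class sizes used for a rough search-space estimate.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "punct": len(string.punctuation)}


def char_classes(pw: str) -> set:
    """Return the names of the character classes present in pw."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("punct")
    return classes


def is_strong(pw: str) -> bool:
    """The column's checklist: at least eight characters, upper and lower case,
    punctuation, and at least one digit."""
    return len(pw) >= 8 and char_classes(pw) == {"lower", "upper", "digit", "punct"}


def alphabet_size(pw: str) -> int:
    """Alphabet an attacker must brute-force if they know which classes are used."""
    return sum(CLASS_SIZES[name] for name in char_classes(pw))


def brute_force_bits(pw: str) -> float:
    """Upper bound on brute-force work in bits: length * log2(alphabet).
    This ignores patterns and word lists, which is exactly why the dictionary
    check below matters."""
    size = alphabet_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def looks_like_dictionary_word(pw: str, words=COMMON_WORDS) -> bool:
    """Mimic a dictionary attack's normalisation: lowercase, strip trailing digits
    and punctuation, undo common substitutions, then look the core word up."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    return core.translate(SUBSTITUTIONS) in words


def assess(pw: str) -> dict:
    """Put the checklist verdict next to the dictionary verdict."""
    return {
        "strong_by_checklist": is_strong(pw),
        "dictionary_word": looks_like_dictionary_word(pw),
        "brute_force_bits": round(brute_force_bits(pw), 1),
    }


if __name__ == "__main__":
    for candidate in ["password", "Passw0rd1!", "Tw!rl-7kQz"]:  # constructed samples
        print(candidate, assess(candidate))
```

Run as written, "Passw0rd1!" passes the checklist yet is flagged as a dictionary word, while "Tw!rl-7kQz" passes both checks; that gap between the checklist and a word-list lookup is what the column's advice about converting a memory aid "in a way that only you will know" is meant to close.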
High-tech devices can add security, but they're usually used only in business settings; they include biometric devices which check fingerprints or eye structure and random logon-key generators.
Software password managers are more practical. These record and secure passwords and then auto-fill online logins. Good ones offer a "don't remember/don't ask" option to avoid recording info about sensitive sites. Encryption is desirable but not mandatory; it should be possible to secure the password manager itself with a master password.
Many managers are free, some are bought, and common software such as Web browsers and e-mail clients often includes one. Google returns many hits related to "password manager" and classy software site Tucows numbers 300 such tools. Before installing one, make sure it supports your software applications, especially if they're non-Microsoft.
Many people don't secure home computers -- but consider cleaners, workers, friends wandering through, perhaps even having permission to use the computer. Suddenly security becomes more appealing. If you handle money online, check banking/financial sites occasionally for unauthorized transactions.
Remember that you may occasionally need access to secure sites while away from your computer. You can copy passwords to a thumbdrive or PDA or simply print them, but remember that they're powerful keys and must be protected. Before traveling, check your passwords so you're not surprised on the road. If you leave your computer running, you can access it remotely via tools such as GoToMyPC.
On business-owned PCs, separate personal from work-related material. Determine whether your office has policies for personal computer use and monitoring of computer activity. Some businesses install keystroke loggers which can capture passwords before they're encrypted. And remember that system administrators can often defeat security measures as part of their job, so you may not want to store sensitive personal material at work.
Work and home PCs both need disaster preparation, so family members or colleagues can access what's needed in an emergency. Work-related passwords and instructions can be stored securely so they're available but can't be secretly used.
For home computers and facilities such as e-mail and finance, remember that many ISPs and companies have privacy policies prohibiting revealing information to family members, even in cases of illness or death. Instructions and important passwords should be stored with essential family records. Note that changing situations may require special care -- for example, a divorce might motivate tight security.