The same amount of caution you take with your keys and ATM card PIN should also be applied to online password safety. Do not assume that your computer is safe. There are many ways that your computer can be compromised or abused to impersonate you. Here are a few basic rules to protect your computer logins.
Log off when you’re done – Always log off when you’re done working on the computer. If you don’t log off, somebody else can use the machine after you while your session is still active and abuse your privileges. This is especially important if you log into a network, e.g. at work or school, or in a shared environment such as a lab.
Lock your workstation – When you leave your office or cube to go to the bathroom/lunch/smoke break/flirt with the receptionist/whatever, secure your workstation. Either log off or lock it by pressing Ctrl-Alt-Del and selecting Lock computer (for Windows NT, 2000, XP).
E-mail is insecure – Never send password information via regular e-mail. The information is transmitted in clear text and can be intercepted at any point on its journey with packet sniffers. Sending e-mail is the same as writing a letter on a piece of paper, then handing the paper unfolded, without an envelope, to your mailman and having it pass through the hands of hundreds of postal workers until it reaches its destination.
Use encryption – If you really have to send confidential information via e-mail use encryption software such as Pretty Good Privacy – PGP – http://web.mit.edu/network/pgp.html. This will encrypt the message and allow it to be read only by the designated recipient using the correct key.
Never distribute login and password together – If you have to pass on login information, always separate the user name from the password, even if you’re using encryption. If they are in the same message and get intercepted the damage is done. But separated one is useless without the other.
Do not use Internet Explorer’s AutoComplete feature – Internet Explorer version 5 and higher includes a feature called AutoComplete. It can make life easier by remembering the user names and passwords you typed in your browser when logging on to a website or HTML-based login interface. However, this login information is stored in your registry and can be retrieved and cracked. Or, even easier, somebody else can use your browser and log in as you by selecting the user name from the dropdown menu and having the password filled in automatically. Turn AutoComplete off and clear its password history by going to Start / Settings / Control Panel / Internet Options / Content / AutoComplete.
Do not use online storage for passwords – Some web sites offer services to help you organize your passwords, keep them in one place, and have them stored online so you can access them from any computer. Nice idea, but how do you know you can trust them? You have no idea how secure their system is. Don’t trust anybody. You also don’t know how long that service will be around and what happens to the data if they go out of business. It has happened more than once that confidential data was discovered on used hard drives and other storage media.
Do not check the box to remember your password – Many programs and/or dialog boxes offer a checkbox to remember your password for you. This makes life very convenient but also terribly insecure. Anybody else who uses your machine can use your login information to read your e-mail, access the network, etc. Always take the few seconds it takes to enter your password manually. It’s worth it.
Only transmit data online over a secure connection – When you’re online and have to enter confidential data in a form, such as your credit card number, social security number, driver license number, etc., always check first to see if the data will be transferred over a secure connection. Look for the closed padlock symbol in the bottom right corner of your browser’s status bar. A closed padlock means the information will be transferred encrypted and secure.
Do not assume application-level password protection is safe – Many applications offer built-in security by optional password protection. For example, Word lets you set passwords to read and/or edit documents, WinZip lets you set passwords to open and extract WinZip archives – just to name two. But neither one is safe. Cracking those passwords doesn’t even require any skill. You can download scripts to crack these passwords from the Internet. Don’t store any data in password-protected Word documents or Zip files. They are not safe.
Let’s be reasonable
Here are a few tips to make it easier for you to choose a secure password that you can remember and to store it safely.
Make your password a combination of items you know, but in a way that is impossible to guess. For example, take the first two letters of your mother’s maiden name, the third and fourth digits of your Social Security number, the fifth and sixth digits of your license plate, and the seventh and eighth letters of your favorite athlete’s last name. These are all things you easily remember, but combined like this as a password they are extremely hard to crack.
Use keyboard patterns. Look at this password example: z3Z#x4X$c5C% – Looks pretty nasty, doesn’t it? It’s a great password to use. But take a moment to type it on your keyboard and you’ll see there is a pattern to it that can be remembered. Make up your own pattern, be creative. Don’t use a simple one like 12345 or qwerty.
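As an added example (not code from the original article), here is a small Python checker that applies the advice above: it flags straight keyboard-row runs like 12345 or qwerty and too little character variety, while accepting patterned-but-varied passwords such as z3Z#x4X$c5C%. The row table, minimum length and run length are my own assumptions.

```python
import string

# Assumed US keyboard rows, used to detect simple left-to-right (or reversed) runs.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 8   # assumed minimum length
RUN_LENGTH = 4   # assumed: a straight run of this many adjacent keys counts as "simple"


def longest_row_run(password):
    """Length of the longest stretch of the password that walks along one
    keyboard row in either direction (case-insensitive)."""
    p = password.lower()
    best = 0
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            # Try the longest candidate substrings first; stop at the first hit.
            for n in range(len(p), 0, -1):
                if any(p[i:i + n] in seq for i in range(len(p) - n + 1)):
                    best = max(best, n)
                    break
    return best


def character_classes(password):
    """Number of character classes present: lower, upper, digit, symbol."""
    tests = (str.islower, str.isupper, str.isdigit,
             lambda c: c in string.punctuation)
    return sum(1 for test in tests if any(test(c) for c in password))


def password_problems(password):
    """Reasons the password breaks the article's advice; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(password) < 3:
        problems.append("uses fewer than three character classes")
    if longest_row_run(password) >= RUN_LENGTH:
        problems.append("contains a straight keyboard-row run such as 12345 or qwerty")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, including the article's own example.
    for candidate in ("12345", "qwerty", "Zxcv1234!", "z3Z#x4X$c5C%"):
        print(candidate, "->", password_problems(candidate) or "ok")
```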
If you have to document your passwords somewhere, do it safely. Use a program like Counterpane’s Password Safe – http://www.counterpane.com/passsafe.html – to store your passwords in an encrypted file.
After reading all these tips and guidelines you’ll probably think “This is impossible! How can I have so many difficult passwords and remember them all without writing them down?” Granted – not many people will be able to observe all guidelines. But hopefully after reading this article you’ll be aware of where your password weaknesses lie and correct them to make them safer. Keep in mind that these guidelines are not made up. Many passwords have been compromised because people did not follow one or more of these rules.
– Alex –