Passwords: The Good, The Bad & The Ugly – Part 2
II. PROTECTING YOUR PASSWORDS
Be mindful of the fact that having strong passwords is not enough. Even if you have the most complex passwords in the world, failing to take some combination of the following steps, or all of them, can result in your passwords being compromised:
1. Don't store passwords with your laptop or mobile device.
A Post-It note stuck to the outside of your laptop or tablet is "akin to leaving your keys in your car," says The Ohio State University's Office of the Chief Information Officer. Likewise, you shouldn't leave your laptop in your car. It's a magnet for identity thieves. Twitter: @OhioState
2. Don't write your passwords down.
It's tempting to keep a written list of passwords, or even a single password written down in a notebook or, worse yet, on a sticky note. But this is a bad idea, as it makes it extraordinarily easy for someone else to steal your login information and access your accounts without your permission. "Writing your password on a 'sticky-note' and sticking it on your monitor makes it very easy for people who regularly steal passwords to obtain yours. Hiding it under your keyboard or mouse pad is not much better, as these are common hiding places for passwords. However, if you must write something down, jot down a hint or clue that will help jog your memory, or store the written password in a secure, locked place," says SANS.org. Twitter: @SANSInstitute
3. Share passwords carefully.
Never sharing passwords is a data protection tip that has been emphasized by many security experts, yet many people still fail to follow this advice. The truth is, never sharing a password is impractical in the modern environment. Families need to share passwords to bank accounts, credit cards, and other online services with spouses, and many share a single login to services like Netflix. In the workplace, there are abundant reasons why co-workers may need to share login credentials. You should not give out passwords carelessly; rather, determine when another person legitimately requires access to your personal information or account and grant access on a case-by-case basis. If another person needs access for a single, isolated purpose, change your password when the task is completed and they no longer require access. Another option, suggested in an article on PCMag, is to use a password manager that can share a single set of login credentials with other people without them actually being able to view or interpret the login information. Twitter: @PCMag
4. Don't use the same password for more than one account or service.
A password manager seems like an even better idea when you consider the fact that you should never use the same password for more than one account or service. Think about it: if a hacker cracks your password on one website, they have suddenly cracked your password for a dozen more. But remembering the slew of passwords the average person would need to recall to access the many accounts and services most people have these days is no simple feat, unless you have a photographic memory. In lieu of a password manager, you could follow Danny Heisner's advice at Cranking the Ranking and create your own password algorithm that makes it simple to remember all your passwords without ever using the same one twice. Twitter: @cranktherank
5. Don't save passwords in your browser.
Another useful tip comes from MakeUseOf, which warns that the common practice of letting your browser 'remember passwords' is dangerous. Indeed, should someone gain access to your computer or mobile device, they would be able to easily access any accounts for which you've stored login credentials in your browser. While it may make logging in more convenient, it's a risky habit in terms of data protection. Of the browser prompts offering to save a password, MakeUseOf advises: "Keep an eye out for these pop-ups and be sure to deny them." Twitter: @MakeUseOf
6. Use more than one email address for different contexts.
Much like using the same password for multiple accounts, using the same email address for every account is a recipe for disaster. That is not to say that you cannot use the same email address more than once, but a good strategy is to use a different email address for different contexts, such as one for personal accounts, one for business-related accounts, one for online retail accounts, and so on. Rich from Securosis says, "One of my favourites is to use different email accounts for different contexts. A lot of security pros know this, but it is not something we have our less technical friends try. Thanks to the ease of webmail, and most mail applications' support for multiple email accounts, this is not all that hard. Keeping things simple, I usually suggest 4-5 different email accounts: your permanent address, your work address, an address for buying online when you don't trust the store, an address for trusted retailers, and an address for email subscriptions." Twitter: @securosis
7. Don't send passwords or account login credentials over public or unsecured Wi-Fi networks.
"Never, ever send account and password information over an open (unsecure) wireless connection. You are broadcasting to everyone within the radius of your wireless signal, which can be several hundred feet, all of your personal information and account information. They can use this to compromise your accounts (e.g. email, financial, system/application access), steal your identity, or commit fraud in your name," warns the Office of the Chief Information Officer at The Ohio State University. Twitter: @TechOhioState
8. Regular password changes might not actually be necessary.
Frequent password changes have long been standard advice in security circles, but the practice's efficacy has come into question in recent years. "Security expert Bruce Schneier points out that in most cases today attackers won't be passive. If they get your bank account login, they won't wait two months hanging around, but will transfer the money out of your account right away. In the case of private networks, a hacker might be stealthier and stick around eavesdropping, but he is less likely to continue to use your stolen password and will instead install backdoor access. Regular password changes won't do much for either of those cases. (Of course, in both instances, it is critical to change your password as soon as the security breach is found and the intruder blocked.)," says an article on NBC News. Twitter: @NBCNews