Stay Informed
Suggested Site

▸ Simple to add and manage gift lists for yourself, your kids, or your business

▸ Secret gift coordination

▸ Duplicate gift protection


www.FAMIGR.com
Click to see a demo
Click to see a demo
How can I help you?
Contact Jeremy

Password Protection

So now you have a great password. That doesn't matter a whole lot of you don't protect it properly.

Storage

Sticky Notes

This laptop has a full list of passwords right on it.
This laptop has a full list of passwords right on it.

Granted using sticky notes is a bad idea, but writing them down isn't necessarily a bad thing. The key is to make sure that the passwords are safe or non-obvious. Keeping them in a notebook in a safe is one idea. Putting them in a file cabinet is another, as long as other people don't know that you're doing that.

So this puts you at some risk for the other people in your house/office, that's way better than putting them in an unprotected computer file!


Password Files

Believe it or not, these are worse than sticky notes
Believe it or not, these are worse than sticky notes

A new trend is for people to put all their passwords in a spreadsheet or text file. This is convenient, but a huge risk! There are so many ways that bad guys can get a peek at the files on your computer that if one of those files is a full listing of names and passwords, then the bad guy has hit the jackpot!

I'm not actually against this in practice, but the key is to protect them (similar to having a notebook in a safe). If you make such a file, make sure it's protected by some strong form of encryption. In my case, Trucrypt.

This is also useful in case you need to send that file somewhere over the Internet or put it on a portable device of some kind. If it's encrypted then an online eavesdropper won't be able to access it and if you lose a portable device, the file will be inaccessible.

Password Managers

There are many password management programs out there, but I can't recommend any. That's not to say they're not great because they may be, but I've never had need to use one since I just encrypt the file itself.

Sure those managers might come with extra features like being able to recognize the site you're on and filling your password for you, but those extra features create another risk. Maybe I can trick the manager into thinking I'm on a different site or to put your password into a plain text field where I can capture it. There are lots of possibilities so I just avoid them.

If you do want to look into this, I've heard that KeePass is good (and it does not autofill your passwords which is good).

Transmission

"Remember Me"

A risk with very little benefit
A risk with very little benefit

Granted this will save you about 6 to 8 seconds every time you log in, but consider the risks of using the "remember me" function on a webpage. What this does is place some identifying information on your computer that the site will use instead of a name and password.

So what happens if someone eavesdrops on the transmission of that identifier? Or if that's protected, what if you computer/cellphone is lost or stolen? Beyond that, I already talked about how there are many ways someone can get into your computer. If they browse around and find one of those files and make a copy, they can log in as you without your name and password!

This is a risk that's just not worth the benefit. On some sites you can select to remember the login name without the password which still saves time and is less of a risk, but there's really no justification for remembering the password. It's a risk with no real benefit.

If you're still not sure, just ask Michael who probably used his Mom's computer to check his Facebook when he was home on break from college:

Don't save passwords. Don't let it ''Remember You'' or this could happen to you too!
Don't save passwords. Don't let it ''Remember You'' or this could happen to you too!

HTTPS

If you enter your name and password without first making sure you have a secure connection from you to the site you're on, anyone else on your network, in your nearby area (if you using wireless), or on the Internet between you and them can see it!

Read my full HTTPS article here for a full description of what it is, why to use it, and how.

The Single Password Issue

Here's something you might not have ever thought about, but should; if someone knows your username and password, they're very likely to try it at major websites and services to see if it will work there. How do they get your username and password? You give it to them!

A typical online registration asks for a username, e-mail address, and a password; everything a bad guy needs to get into every other account you have if you use the same password for all of them.

Every time you go to a website and it requires signup or registration, you have to give a username an e-mail address and a password. But what do you know about the people who own and operate the site? What if a disgruntled or greedy employee decides to try a little Identity Theft on the side?

You handed them your e-mail address, so what happens if they were to go to that web service and enter the e-mail address and password you gave them? If you keep good passwords nothing happens, but if you're the one-password-for-everything type, you're toast.

Even if that doesn't work, does that e-mail/username and password combination work at Facebook? eBay? PayPal? They could try hundreds of the best known sites all using a simple web program. The only defense you have is to not use single passwords!

The Challenge Question Issue

Another major problem is when you are asked to fill in challenge questions. First, if you follow my Geek Privacy Principle, you would never willingly give away information that wasn't necessary. Do you really want to hand over your mother's maiden name to some random website?

Second, if you fill these in, the password reset function may be triggered by the challenge questions instead of your e-mail. That means that if I have or can guess the challenge responses, I may be able to unlock your account without having access to your e-mail account first!

Just ask President Obama, whose Twitter account got taken over and used for spam just because he entered real answers to challenge questions (and go figure that someone in the world knew where he lived, what his dog's name is and so-forth)!

The simplest solution for this is to use a privacy alias. By using fake data that you can easily remember, you're not only making the data you provide worthless to the site you've given it to, but a bad guy won't be able to guess.

The only disadvantage is that you're still giving away the data for your one and only privacy profile. A way around this if you use a password file like I do is to make up challenge answers on the spot and just "write them down" in the file. That way you can remember them while eliminating the risk of that information being used against you somewhere else.

Guide Navigation
prev: Password Tips and Tricks|INDEX|next: Password Mugging

Making Good Passwords

To understand what makes a good password, let's talk about what makes a bad one first.
Making good passwords can be complex, but here are some tips and tricks that will make it easier.

Password Protection

Once you've taken the trouble to make a good password, the next step is to keep it safe!
Now that you've done all this work, you have to learn the most important rule of all: DON'T GIVE THEM AWAY!
IDENTITY THEFT
How to Steal Identities - Why It's So Easy
Credit Freeze
Data Defense
Credit Monitoring
Id Theft Insurance
The Identity Theft Victim's Mini-Guide to Recovery
PRIVACY
The Geek Privacy Principle
Nothing to Hide
Data Abuse
RFID - Radio Frequency IDentification
Privacy Alias/Persona
Data Defense
INTERNET SAFETY
Online Addiction
The Consequences of Posting Online
Photo Safety
Tricks and Scams
Account Hijacking
Trusting Companies
PASSWORDS
Bad Passwords
Password Tips and Tricks
Password Protection
Password Mugging
Computer Security
E-mail Safety
Kids and Computers
Shopping Online
Retailers
All About Warranties

Bad Passwords

To understand what makes good passwords, first check out some of the worst passwords out there and what makes them so bad.

[Click for full description]

Password Tips and Tricks

It's impossible to expect someone to make good passwords by just giving them some rules. There are tricks that make your passwords secure and easy for you all at the same time.

[Click for full description]

Password Protection

It's really a skill to come up with secure passwords that you can remember. Once you've learned how, remember that it doesn't matter how good you are if you don't protect your password properly.

[Click for full description]

Password Mugging

A disturbing new practice among websites and services is where they ask you for your user name and password to other sites. I call this "Password Mugging"

[Click for full description]