Yes, it's THAT book!

Drop your email here to stay informed of the status of my "tell most" book about the National Security Agency:

--OR--

Read a little about the book here:

Employees are allies, not the adversary

--OR--

Check out the Kickstarter here (click)
How can I help you?
Contact Jeremy
Recommendations

Here's something that


I, Jeremy Duffy, actually recommend and think is worth checking out.
No web-bugs, no bs, just a legit recommmendation that I have personally evaluated before allowing it to be listed here:

Think something's here that shouldn't be? contact me!

Password Protection

So now you have a great password. That doesn't matter a whole lot of you don't protect it properly.

Storage

Sticky Notes

This laptop has a full list of passwords right on it.

Granted using sticky notes is a bad idea, but writing them down isn't necessarily a bad thing. The key is to make sure that the passwords are safe or non-obvious. Keeping them in a notebook in a safe is one idea. Putting them in a file cabinet is another as long as other people don't know that you're doing that.

So this puts you at some risk for the other people in your house/office, that's way better than putting them in an unprotected computer file!


Password Files

Believe it or not, these are worse than sticky notes

A new trend is for people to put all their passwords in a spreadsheet or text file. This is convenient, but a huge risk! There are so many ways that bad guys can get a peek at the files on your computer that if one of those files is a full listing of names and passwords, then the bad guy has hit the jackpot!

I'm not actually against this in practice, but the key is to protect them (similar to having a notebook in a safe). If you make such a file, make sure it's protected by some strong form of encryption. In my case, Trucrypt.

This is also useful in case you need to send that file somewhere over the Internet or put it on a portable device of some kind. If it's encrypted then an online eavesdropper won't be able to access it and if you lose a portable device, the file will be inaccessible.

Password Managers

There are many password management programs out there, but I can't recommend any. That's not to say they're not great because they may be, but I've never had need to use one since I just encrypt the file itself.

Sure those managers might come with extra features like being able to recognize the site you're on and filling your password for you, but those extra features create another risk. Maybe I can trick the manager into thinking I'm on a different site or to put your password into a plain text field where I can capture it. There are lots of possibilities so I just avoid them.

If you do want to look into this, I've heard that KeePass is good (and it does not autofill your passwords which is good).

Transmission

"Remember Me"

A risk with very little benefit

Granted this will save you about 6 to 8 seconds every time you log in, but consider the risks of using the "remember me" function on a webpage. What this does is place some identifying information on your computer that the site will use instead of a name and password.

So what happens if someone eavesdrops on the transmission of that identifier? Or if that's protected, what if you computer/cellphone is lost or stolen? Beyond that, I already talked about how there are many ways someone can get into your computer. If they browse around and find one of those files and make a copy, they can log in as you without your name and password!

This is a risk that's just not worth the benefit. On some sites you can select to remember the login name without the password which still saves time and is less of a risk, but there's really no justification for remembering the password. It's a risk with no real benefit.

If you're still not sure, just ask Michael who probably used his Mom's computer to check his Facebook when he was home on break from college:

Don't save passwords. Don't let it ''Remember You'' or this could happen to you too!

HTTPS

If you enter your name and password without first making sure you have a secure connection from you to the site you're on, anyone else on your network, in your nearby area (if you using wireless), or on the Internet between you and them can see it!

Read my full HTTPS article here for a full description of what it is, why to use it, and how.

The Single Password Issue

Here's something you might not have ever thought about, but should; if someone knows your username and password, they're very likely to try it at major websites and services to see if it will work there. How to they get your username and password? You give it to them!

A typical online registration asks for a username, e-mail address, and a password; everything a bad guy needs to get into every other account you have if you use the same password for all of them.

Every time you go to a website and it requires signup or registration, you have to give a username an e-mail address and a password. But what do you know about the people who own and operate the site? What if a disgruntled or greedy employee decides to try a little identity-theft on the side?

You handed them your e-mail address so what happens if they were to go to that web service and enter the e-mail address and password you gave them? If you keep good passwords nothing happens, but if you're the one-password-for-everything type, you're toast.

Even if that doesn't work, does that e-mail/username and password combination work at Facebook? eBay? PayPal? They could try hundreds of the best known sites all using a simple web program. The only defense you have is to not use single passwords!

The Challenge Question Issue

Another major problem is when you are asked to fill in challenge questions. First, if you follow my Geek Privacy Principle, you would never willingly give away information that wasn't necessary. Do you really want to hand over your mother's maiden name to some random website?

Second, if you fill these in, the password reset function may be triggered by the challenge questions instead of your e-mail. That means that if I have or can guess the challenge responses, I may be able to unlock your account without having access to your e-mail account first!

Just ask President Obama who's Twitter account got taken over and used for spam just because he entered real answers to challenge questions (and go figure that someone in the world knew where he lived, what his dog's name is and so-forth)!

The simplest solution for this is to use a privacy alias. By using fake data that you can easily remember, you're not only making the data you provide worthless to the site you've given it to, but a bad guy won't be able to guess.

The only disadvantage is that you're still giving away the data for your one and only privacy profile. A way around this if you use a password file like I do is to make up challenge answers on the spot and just "write them down" in the file. That way you can remember them while eliminating the risk of that information being used against you somewhere else.

passwords Tutorial
prev: Password Tips and Tricks|INDEX|next: Password Mugging

Making Good Passwords

To understand what makes a good password, let's talk about what makes a bad one first.
Making good passwords can be complex, but here are some tips and tricks that will make it easier.

Password Protection

Once you've taken the trouble to make a good password, the next step is to keep it safe!
Now that you've done all this work, you have to learn the most important rule of all: DON'T GIVE THEM AWAY!

Share This

Have a Comment or Question?

Loading...

If you want to learn more about my professional background, click here to learn more.

Check out one of my guides/tutorials:

shopping online Tutorial
|INDEX|next: Research Products
If you like to keep your money and safe yourself the trouble and hassle of getting nailed by a bad or fraudulent retailer online, you need to learn to identify them before it's too late.
Before you buy anything, utilize the vast power of the Internet to research products and pick the best one possible.
You're about to pay for something, but what's the safest way to do it?

Related Guide

Once you've gone through the trouble to make an online account with a company, make sure you protect your passwords properly

... or check out any of my other guides and tutorials by clicking here!

Bad Passwords

To understand what makes good passwords, first check out some of the worst passwords out there and what makes them so bad.

[Click for full description]

Password Tips and Tricks

It's impossible to expect someone to make good passwords by just giving them some rules. There are tricks that make your passwords secure and easy for you all at the same time.

[Click for full description]

Password Protection

It's really a skill to come up with secure passwords that you can remember. Once you've learned how, remember that it doesn't matter how good you are if you don't protect your password properly.

[Click for full description]

Password Mugging

A disturbing new practice among websites and services is where they ask you for your user name and password to other sites. I call this "Password Mugging"

[Click for full description]

Validating Webstores and Services

It can be hard to know who to trust and who to not trust online, but there are things you can do to verify who the good guys and bad guys are before it's too late.

[Click for full description]

Research Products

One of the best things about shopping online is the ability to research information online.

[Click for full description]

Paying Online

Ever been nervous about paying online for something. Just take a second to learn about the various options and put your mind at ease.

[Click for full description]