Saturday, December 23, 2006

The Perfect Password Practice

By Coenraad De Beer

Our lives are filled with passwords, security questions, personal identification numbers (PINs) and security codes. Almost every digital device and software package has some security feature involving a password. We have hundreds of shopping accounts, email accounts, banking accounts, you name it, and each and every one of these accounts has a user name and a password associated with it. Sometimes you feel you are losing your mind trying to keep the security of all your accounts and devices together. Here are a few tips to make the job a bit easier and your accounts more secure.

With all the accounts we own and all of the places where we need to use user names and passwords, it becomes a full-time job keeping it all together. The easiest way for most people is to use the same user name and password for all their accounts whenever possible. Most of the time it is only the user name that differs, but the password often stays the same for every new account they open or device they use. This is extremely dangerous and I will explain why.

There are many ways your password can leak. You may just, accidentally, say the password out loud while entering it. If someone was standing nearby, he/she could easily have picked it up and may use it later to gain access to the restricted area protected by the password. Key-loggers installed on your computer can record your password and send it to their owners, and spyware programs can extract saved passwords from your cookies or from the saved password list stored in your browser settings. People sometimes write their passwords on a piece of paper and do not keep it in a safe place. What is the use of a key if you leave it in the door? The same principle applies to passwords. A password is the key to a restricted area; you should not let that key lie around for anyone to use. Sending passwords via e-mail is not wise either, and a request for your password by e-mail is 99% of the time a sign of fraudulent activity. You should be careful when people ask you to send your password over the Internet via e-mail. Companies often send your login details via e-mail. You should print out the details, store the printed copy in a safe place and delete the e-mail. E-mail worms and viruses can easily scan your e-mails for passwords. The different ways of losing your passwords are endless.

Now what happens when someone steals your password? Chances are good that the perpetrator will break into the account guarded by the password, cause damage and maybe change the password so that you cannot gain access to the account in the future. If you use the same password for all your accounts, you should regard all your other accounts as compromised. The only missing piece of the puzzle for the password thief is to obtain the user names of your other accounts, and the chances are good that most of them will also accept the same user name as the breached one. The only comforting thing is to know that the thief still has to figure out what other accounts you own. One cannot break into something one does not know the existence of. It is not always possible to change your user name, but it is always possible to change your password. When a widely used password is compromised, you should change the passwords of all your other accounts as quickly as possible to avoid further security breaches. You should also try to regain control of your breached account as soon as possible, by contacting the service provider of the account and explaining the situation to them. This is most important for bank and online shopping accounts.

How should I prevent my password from being stolen?
  • Memorise it. A password or PIN is useless if you need to carry it around with you on a piece of paper, or written on the back of your debit or credit card. Do not share it with anyone, not even your loved ones. Not out of lack of trust, but to limit the number of people knowing your password to one. When there is only one person who knows the password, there can be only one source of leaking it out. More people knowing your password means more possible sources of leaks.

  • Choose a random password, a combination of uppercase and lowercase letters combined with numbers and special characters. For instance, the password "aS33@bH1" is a good example of one that cannot be guessed easily. You can quickly memorise it by repeating the password over and over in your head. Refrain from saying it out loud, because you can easily compromise it if someone else overhears you saying it. If your name is Ashley, for instance, you could use the password "@$l3y". Although it is more secure than "Ashley", someone can still guess it if the person is familiar with your first name. Your password should not be connected to something like your birthday, social security number or anything else that makes it easier for a hacker to guess.

  • Change your password every now and then. It is not as important for individuals to change their password as it is for large organisations with hundreds of passwords and security codes protecting sensitive data and restricted areas, but it remains a good practice to change your password once in a while. After all, it can do no harm (unless you forget your password or the fact that you changed it).

  • Get yourself a small data organiser (not a PDA or your mobile phone) with a password feature. Store all your account information and passwords in the secure area of this little organiser and put it in a safe place. I also recommend that you write down all the information stored on this organiser on a piece of paper and put it in a steel safe, just in case you lose your data due to battery or device failure. These little data organisers are very suitable for this task because they cannot be connected to the Internet and you cannot load any software on the device to bypass the password. Unfortunately these devices rarely, if ever, encrypt the information stored behind the password, so a clever hacker can easily read the data from the memory chip if he/she has the necessary equipment.

  • Scan your computer regularly for spyware and viruses, preferably on a weekly basis. This will ensure that your computer is free from malicious software stealing your sensitive information or monitoring your activity while using the computer. If your anti-virus or anti-spyware software detects malicious software on your computer, do not enter any password on that specific computer until you are certain that all the threats are completely removed and destroyed.

  • Never store your passwords in a text file, Word document or PDF file. Rather use a password manager if you need to store them on a computer. If possible, store them on a computer that is never connected to a network or the Internet. As a rule of thumb, never store your passwords on any computer.

  • Make sure that you enter your password only on secure pages with a valid SSL (Secure Sockets Layer) certificate. Entering your password on insecure pages could easily compromise the safety of your account.

  • Try not to enter your password while someone is standing nearby. Even if the password is masked on your screen, some people have the ability to memorise the keyboard buttons you press, while watching as you enter it, no matter how fast you type.
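The second tip above claims that "aS33@bH1" is hard to guess while "@$l3y" is not much better than "Ashley" for someone who knows your name. The following added example (written for this page, not code from the article or from Cyber Top Cops) makes that judgement mechanical: it estimates brute-force entropy from the character classes used and, separately, undoes common letter-for-symbol substitutions (the substitution table and the 40-bit threshold are assumptions) to check whether the password is still essentially a piece of personal information.

```python
import math

# Common letter-for-symbol substitutions that a strength checker undoes
# before comparing a password to known personal facts (assumed table).
LEET = {"@": "a", "$": "s", "3": "e", "1": "l", "0": "o",
        "!": "i", "4": "a", "5": "s", "7": "t"}

def pool_size(pw: str) -> int:
    """Alphabet size implied by the character classes present in pw."""
    pool = 0
    if any(c.islower() for c in pw): pool += 26
    if any(c.isupper() for c in pw): pool += 26
    if any(c.isdigit() for c in pw): pool += 10
    if any(not c.isalnum() for c in pw): pool += 32   # printable symbols
    return pool

def entropy_bits(pw: str) -> float:
    """Naive brute-force entropy: every character drawn uniformly from the pool."""
    return len(pw) * math.log2(pool_size(pw)) if pw else 0.0

def normalise_leet(pw: str) -> str:
    """Map '@$l3y' back to 'asley' so it can be compared with a name."""
    return "".join(LEET.get(c, c) for c in pw).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to tolerate one dropped or changed letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def related_to(pw: str, facts) -> bool:
    """True if the de-leeted password contains, or is within one edit of, a personal fact."""
    norm = normalise_leet(pw)
    return any(f.lower() in norm or edit_distance(norm, f.lower()) <= 1 for f in facts)

def assess(pw: str, facts=()) -> tuple:
    """Return ('weak' | 'ok', estimated bits). Personal-info matches are weak regardless of bits."""
    bits = entropy_bits(pw)
    if related_to(pw, facts) or bits < 40:       # 40-bit floor is an assumed policy value
        return ("weak", bits)
    return ("ok", bits)

if __name__ == "__main__":
    for candidate in ("aS33@bH1", "@$l3y", "Ashley"):   # the article's own examples
        print(candidate, assess(candidate, ["Ashley"]))
```

Run as a script, it reports "aS33@bH1" as ok at roughly 52 bits, while both "@$l3y" and "Ashley" are flagged weak because, once the symbols are undone, they are within one letter of the name.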

Passwords are the security systems protecting our digital assets. You will normally maintain the effectiveness of your security system at home or at the office and you will ensure that it provides adequate protection preventing intruders from trespassing on your property. You should do the same with your passwords to keep those filthy hackers out of your accounts.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and educating users against online scams and malicious software.
