Password Advice

Monday, August 10, 2009

Here's some complicated advice on securing passwords that -- I'll bet -- no one follows.

  • DO use a password manager such as those reviewed by Scott Dunn in his Sept. 18, 2008, Insider Tips column. Although Scott focused on free programs, I really like CallPod's Keeper, a $15 utility that comes in Windows, Mac, and iPhone versions and allows you to keep all your passwords in sync. Find more information about the program and a download link for the 15-day free-trial version on the vendor's site.

    DO change passwords frequently. I change mine every six months or whenever I sign in to a site I haven't visited in long time. Don't reuse old passwords. Password managers can assign expiration dates to your passwords and remind you when the passwords are about to expire.

    DO keep your passwords secret. Putting them into a file on your computer, e-mailing them to others, or writing them on a piece of paper in your desk is tantamount to giving them away. If you must allow someone else access to an account, create a temporary password just for them and then change it back immediately afterward.

    No matter how much you may trust your friends or colleagues, you can't trust their computers. If they need ongoing access, consider creating a separate account with limited privileges for them to use.

    DON'T use passwords comprised of dictionary words, birthdays, family and pet names, addresses, or any other personal information. Don't use repeat characters such as 111 or sequences like abc, qwerty, or 123 in any part of your password.

    DON'T use the same password for different sites. Otherwise, someone who culls your Facebook or Twitter password in a phishing exploit could, for example, access your bank account.

    DON'T allow your computer to automatically sign in on boot-up and thus use any automatic e-mail, chat, or browser sign-ins. Avoid using the same Windows sign-in password on two different computers.

    DON'T use the "remember me" or automatic sign-in option available on many Web sites. Keep sign-ins under the control of your password manager instead.

    DON'T enter passwords on a computer you don't control — such as a friend's computer — because you don't know what spyware or keyloggers might be on that machine.

    DON'T access password-protected accounts over open Wi-Fi networks — or any other network you don't trust — unless the site is secured via https. Use a VPN if you travel a lot. (See Ian "Gizmo" Richards' Dec. 11, 2008, Best Software column, "Connect safely over open Wi-Fi networks," for Wi-Fi security tips.)

    DON'T enter a password or even your account name in any Web page you access via an e-mail link. These are most likely phishing scams. Instead, enter the normal URL for that site directly into your browser, and proceed to the page in question from there.

I regularly break seven of those rules. How about you? (Here's my advice on choosing secure passwords.)

Original Source:
http://www.schneier.com/blog/archives/2009/08/password_advice.html
Possibly Related Articles:
7643
General Operating Systems General
Passwords
Post Rating I Like this!
Default-avatar
Lee Brown While I can certainly see the need to differentiate between accounts that access valuable info (such as bank, or online retailers that store your CCN), it baffles me that one needs to apply the same standards to passwords for accounts used to leave comments or to search content. And there are gray area accounts, such as Facebook - seems to me it depends on what you put in Facebook (how many of us are still entering our real birthday?!?)
1250079883