A reporter from Wired magazine recently got schooled in password security, which generated a lot of conversation in the tech space on keeping yourself safe in cyberspace. There is one simple thing to do to stay safe in cyberspace: stay out of it.
That’s what I thought. So here’s the rundown: Strong passwords, different passwords, different cards, non-obvious hints and reminders, and constant vigilance.
A password is considered strong when it meets these criteria:
- US-ASCII character encoding
- At least eight characters
- At least one uppercase character
- At least one lowercase character
- At least one number
That’s a minimum. Some say 15 characters and at least one non-alphanumeric character, and others include a restriction against dictionary-based words. So MinnieMouse1 would meet the criteria in the bullets but is still VERY weak. Password cracking software can grab that in a matter of seconds, and social engineering would reveal it in a few encounters. I did hear one security expert say that passwords made of several unrelated words can make strong passwords: ponchochairrocksblanket may not meet the criteria in the bullets, but it would take more time for cracking software to bust than MinnieMouse1.
Next week I’ll tell how to make a strong password, but this week, just know that it’s one—and only one—brick in your wall.
After you make your first strong password, you’ll want to use it everywhere. Don’t. Should an identity thief figure out that you have one password that you use everywhere, you are owned. You should have several. Some need to be strong, but not all of them do. If you need a password to log into a site that doesn’t store any of your personally identifiable information, you can use a “junk” password. But that “junk” password should NOT be the one you use to log into your bank, your health insurance, your 401(k) website. In fact, all those should be different from each other. Yes, that’s a lot to remember; I’ll address that too.
If possible, do not use the same payment card at all websites. I know it’s convenient to do, but once again, if a thief knows the last four digits of a card you use at one site, he knows the last four digits of the card you use everywhere else, and in the story about the writer, when the thief called customer service for one of the websites, the customer service rep asked for the last four digits of the card associated with the site, which the thief had gotten from the previous site he had gained access to. Some services, like iTunes, require you to have a card associated with the whole account. Other sites allow it but don’t require it. Just remember, if you’re doing something that makes it quick, easy and convenient for you, you’re also making it quick, easy and convenient for a thief.
Different email address
When you sign up with some websites, you may be required to provide an email address. If this is not a website you definitely know you want to receive regular emails from, use a “junk” email address. I still have an old Yahoo account that I visit from time to time to see if there’s anything from Eddie Bauer or Home Depot I really want to see this week. You can always change the contact information at a website if you decide you would rather have their messages coming to your “real” email address.
Non-obvious hints and reminders
Most of your life is a matter of public record. Your mother’s maiden name is not difficult to obtain. The school you graduated from, where you were on News Year’s Eve 1999—none of that is private, especially if you live on the web. Make stuff up. It’s unlikely an identity thief will spend a lot of time trying to figure out that your mother’s maiden name is “Snarfblatt,” when all public records indicate that it is Henry. Or that your favorite teacher’s last name was Henry when there was nobody by that name at your school. The idea behind having hints is that they should be easy to remember. But if they’re easy to remember, they’re also easy to crack.
As Mad-Eye Moody told his Hogwarts students, “Constant vigilance!” If you hate checking your bank balances once a month, you’re a target for identity theft. If you hate doing it weekly, you’re a target. If you hate doing it daily, you’re a target. If you love doing it hourly, you’re a target. Everyone is a target for identity theft. Watching your balances weekly (daily is better) won’t prevent theft, but the sooner you spot something irregular the quicker you can get it stopped and corrected. You have a limit of time on filing claims and charges of identity theft, and your life will be in turmoil until you get it resolved. Know your bank’s policy on identity theft and know in advance what you will need to do if you suspect you’re a victim.
How do I remember all my passwords and hints?
This is the difficult part for most people. You must remember that if it’s easy for you, it’s easy for a thief. You would love the pleasure of just turning your doorknob and walking into your house, but you lock the door when you leave. You just need to get in the habit of remembering where you park your cyberkeys and passwords. There are secure storage spots for cyberkeys, some of my geek mentors suggest LastPass and KeePass. I know of people who use a password protected thumb drive, others who use an encrypted drive. Some people have a password protected spreadsheet with a strange name stored on their computer in an unlikely file location. Hackers who scan your computer looking for files need to do it quickly without leaving footprints, so they will scan places like “desktop” and “documents.” You can put folders in other folders, just remember what you call the file. I also recommend that you use a text file if you do this, because a lot of programs use text files in strange places. Call it something that ends with .log or .txt or something you see a lot of; it’s camouflage.
I do not recommend trying to do all of this at once. Start with one thing you know you can implement today and get it going. I think the easiest place to start is with where and how you store the passwords. Address that one today, spend some time on thinking about how you want to address the rest, and then next week I’ll tell you how to make strong, secure passwords.