Build a better password
You use the same password for everything. So if someone compromises your Hotmail account, they get your bank account too.
Your password is as predictable as "secret123". So someone can write software to guess your password.
You really ought to use different passwords that aren't easily guessed. But that makes them hard to remember. What do you do? Here's a simple plan.
Triage
First, divide your online life into three security levels, based on the sensitivity of the information you're sharing and the reputation of the account provider:
- Throw-away. Accounts that you don't really care about and/or are more likely to be compromised. Maybe a toy MySpace page or a free email account that you rarely use
- Normal. The sites and email accounts that you use on a daily basis
- Ft. Knox. Your bank accounts, basically
Good Passwords
Then, give each security level its own password. To help you pick good passwords, I've built The Easy Password Generator (geek note: it's a CGI around apg). Each time you load the page, it spits out seven passwords that are hard to guess but are still pronounceable.
Pick your favorite one. These passwords look weird at first, but because you can pronounce them, you'll find that they stick in your head after only a few times typing them in. The best idea is to write the passwords down, and shred the paper once you've truly memorized them.
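An added example, not the Easy Password Generator's code and not apg's algorithm: a small pronounceable-password generator in Python that draws from the operating system's CSPRNG and reports how much entropy the scheme provides. The consonant-vowel-consonant syllable scheme, the function names and the default lengths are assumptions of this sketch.

```python
import math
import secrets

# Constructed syllable alphabet (an assumption of this example, not apg's tables).
CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"


def syllable() -> str:
    """One consonant-vowel-consonant syllable drawn from the OS CSPRNG."""
    return (secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
            + secrets.choice(CONSONANTS))


def pronounceable_password(syllables: int = 3, digits: int = 2) -> str:
    """Join CVC syllables, capitalise one at random, append random digits."""
    if syllables < 1 or digits < 0:
        raise ValueError("syllables must be >= 1 and digits >= 0")
    parts = [syllable() for _ in range(syllables)]
    cap = secrets.randbelow(syllables)
    parts[cap] = parts[cap].capitalize()
    tail = "".join(secrets.choice("0123456789") for _ in range(digits))
    return "".join(parts) + tail


def entropy_bits(syllables: int = 3, digits: int = 2) -> float:
    """Bits of entropy of the scheme, assuming the attacker knows the scheme."""
    per_syllable = len(CONSONANTS) ** 2 * len(VOWELS)
    combos = per_syllable ** syllables * syllables * 10 ** digits
    return math.log2(combos)


def batch(count: int = 7, syllables: int = 3, digits: int = 2) -> list[str]:
    """A page-load's worth of candidates to pick a favourite from."""
    return [pronounceable_password(syllables, digits) for _ in range(count)]


if __name__ == "__main__":
    for pw in batch():
        print(pw)
    print(f"~{entropy_bits():.1f} bits per password")
```

With the defaults each password carries about 40 bits; adding a fourth syllable raises that by roughly 11 bits, which is a reasonable step up for the Ft. Knox level.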
Encryption
Lastly, learn to look for the little lock icon that indicates a so-called "encrypted" connection. Here's what it looks like on the web (you'll also notice that the address starts with "https" instead of "http"):
People write software to eavesdrop on your online activities, and wireless networks make "sniffing" much easier than before, raising the risk immensely. However, when you use an encrypted connection, anyone eavesdropping will hear only garbage. Therefore, you should only ever send sensitive information—passwords, credit card numbers, your social security number, etc.—over an encrypted connection.
Now, not every website supports encrypted connections for every page, so here are some rules of thumb:
- If a site does not use encryption on the page where you enter your password, it's a Throw-away site.
- If a site uses encryption for the password page but not for some other pages, it's at best Normal.
- Ft. Knox sites must use encryption all the time.