The questions and tips below are to help us keep safe and secure when we use passwords.
1. Do you use an ‘easy’ password?
A password is more secure if there is nothing obvious about it. It is best to avoid family names, pet names, in fact any plain English words or names, significant numbers like dates, birthdays, phone numbers, street address numbers, vehicle plate numbers and so on.
The best, strongest passwords are long and random. Also they contain letters AND numbers. They have a mixture of UPPER and lower case characters.
Also, if you can, it is even better to include some ‘extended’ characters, such as the underscore (_), percent sign (%), tilde (~) or plus sign (+).
On some websites you might find that some of these characters are disallowed. Don’t worry, just try some: the online form will tell you if it is not a valid password for their system.
On other sites the use of at least one of these characters may be a requirement.
Of course if you have more than a few passwords – and they are strong, random ones with extended characters – how do you remember them? More about that below.
How do you get a really random password?
A lot of web users use the easy kind of passwords mentioned above. For them, even tapping haphazardly on the keyboard would be a huge improvement: they could easily come up with something like hao484HSs83l, which is much better than something like “alex23”. (Keyboard mashing is not truly random, since people favour the home row and repeat patterns, so treat it as a stopgap rather than a method.)
Getting a really random password conveniently and correctly usually means using software, so that the characters are drawn from a cryptographically secure random number generator rather than from your own head. Most password management software can produce strong random passwords for you on demand.
You can also find random password creators on websites. But don’t just use the first website you see that offers this service. Some of those widgets may not draw from a proper random source, and a password generated on somebody else’s server has, by definition, already been seen by that server.
There is free software that can be used to generate passwords, e.g. this one, Random Password Generator. This is just an example: I am not personally vouching for the quality of this software or the randomness of its passwords.
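The generator described above, as an added example (not code from the original post, and not any of the tools it links to). It draws every character from the operating system’s cryptographic random source via Python’s `secrets` module, enforces the “at least one symbol, digit, upper and lower case” rules that some sites impose, estimates the strength of the result in bits, and flags the “easy” kinds of password the first question warns about. The character set `EXTENDED` and the word list `COMMON_WORDS` are constructed for the example; a real guessing list has millions of entries.

```python
import math
import secrets
import string

# Character classes used by the generator. The "extended" characters are a
# conservative punctuation subset; individual sites may still reject some.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
EXTENDED = "_%~+!@#$^&*-=?"
ALPHABET = LOWER + UPPER + DIGITS + EXTENDED

# Constructed stand-in for the obvious words an attacker tries first.
COMMON_WORDS = {"password", "alex", "fluffy", "london", "summer", "qwerty"}


def generate_password(length=16, classes=(LOWER, UPPER, DIGITS, EXTENDED)):
    """Return `length` characters drawn uniformly from the union of `classes`
    using the OS cryptographic random source, with at least one character
    from every class so it passes typical site rules."""
    if length < len(classes):
        raise ValueError("length must be at least the number of classes")
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling keeps the draw uniform over the accepted set
        # (about 85% of 16-character draws are accepted for these classes).
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


def entropy_bits(length, alphabet_size):
    """Guessing entropy of a uniformly random string. With class rules it is
    a slight over-estimate, because a few strings are rejected."""
    return length * math.log2(alphabet_size)


def is_obvious(password):
    """Flag the kinds of password the text warns about: a dictionary word,
    optionally with digits appended like 'alex23'; all digits (dates, phone
    numbers, plate numbers); or simply too short to resist offline guessing."""
    if password.isdigit():
        return True
    core = password.lower().rstrip(string.digits)
    if core in COMMON_WORDS:
        return True
    return len(password) < 12


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    for candidate in ("alex23", "19840712", "hao484HSs83l", pw):
        print(candidate, "obvious" if is_obvious(candidate) else "ok")
```

Twelve characters from letters and digits (like hao484HSs83l) gives about 71 bits; sixteen characters from the full set here gives just under 100 bits. Length buys more than an extra character class does, which is why the generator defaults to 16.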
2. Do you use the same password for more than one account?
Every time we are required to supply a password we need to use a new and different password. For example, suppose you need a password for a bank account, an email account, an internet forum you visit, and maybe you use a password to log on to your own computer (you should). These should be four different passwords. Otherwise a hacker or identity thief only needs to discover one password (for example from a breached forum database) and then try it out on bank accounts, email accounts, web forums or anything else associated with your name. This is so routine that it has a name: credential stuffing.
I haven’t forgotten that other question: if you have a lot of different passwords – and they are strong, random ones – they might look like this: “3K$R ^Xy7x=’m/`3”.
3. Do you let your browser remember your passwords?
If it’s a password for something very important, such as your banking, SAY NO when your browser asks you if you would like it to remember your password or other log-on details.
I am not trying to criticise any browsers here, but there are two main points to consider:
A. Your browser has this feature mainly for convenience, not for security.
The people who make the browser, e.g. Internet Explorer or Mozilla Firefox, are giving you the option of using this feature for your convenience.
They do store the passwords in an encrypted form, but usually under a key that is unlocked simply by logging on to your computer, so anybody who can use the computer as you (or any program running as you) can read the saved passwords back. It is a feature for your convenience, not for maximum online security.
In practice, reading out the browser’s saved passwords is a routine step for password-stealing malware, so the store is only as safe as the computer itself. If it’s a question of protecting all the money in your bank accounts, don’t rely on a feature that is provided just for convenience.
B. If your computer is unattended…
There is another problem with letting your browser automatically log you onto sites such as your bank. If you step away from your computer without locking it, then anybody who sits down at it can also access any of those sites with YOUR identity.
In order to log into websites, banks, forums etc. some people are very, very careful about entering user names and passwords into the form fields. Some people, very security conscious and in defence against keyloggers, never actually type their password. They copy and paste it instead.
Even so, they still don’t feel entirely safe: they know that any hacker in a position to capture their keystrokes might also be able to capture their clipboard as well.
I noticed that KeePassX will clear the clipboard a few seconds after pasting a password. Very wise.
(Of course if somebody has installed a keylogger or clipboard capture tool on your computer you have been hacked: you have some serious security problems beyond the issue of passwords. )
Now that other question, about remembering a lot of passwords: where are we now?
We have a lot of different passwords…
They are strong, random ones…
And it’s not safe to just let our browser remember them…
And it’s not safe to keep a note of them…
So how do we remember them all? More about that just below.
4. Do you store your passwords in an unsafe place?
This is where people can make a bad mistake, exposing themselves to identity theft.
I recently saw an article about this topic that had some very bad advice. It suggested that you should “make a note” of your user names and passwords, perhaps in an Excel spreadsheet, for example.
Anybody with access to your computer could open that spreadsheet and discover all your passwords. (Unless it is properly secured, which means encrypted under a strong password that you do not store alongside it; merely hiding the file is no protection. The article did not mention any of that.)
Luckily, we do not need to rely on advice like that.
There is a lot of software available that is designed specifically to store passwords securely: the whole collection is encrypted under one master password that you choose and memorise, and it stays locked until you enter it. This kind of software will also, on demand, place the passwords into forms on websites, so it offers the same convenience that you would get if you allowed your browser to remember the passwords. But with dedicated password software you get more security, because the people providing software like this are security specialists, and the password file is designed to give nothing away even if the file itself is stolen.
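What separates a password safe from a spreadsheet, as an added example that is not code from the original post and not the file format of KeePass, PasswordSafe or any other product mentioned here: the master password is stretched with scrypt, the entries are encrypted, and the whole file is authenticated so that a wrong master password or a tampered file is rejected before any plaintext appears. It also includes the reuse check from question 2, since a vault is the natural place to run it. The on-disk layout (salt, nonce, tag, ciphertext) is invented for the example, the keystream is HMAC-SHA256 in counter mode standing in for a real AEAD cipher the standard library lacks, and the entries in `SAMPLE` are constructed, not real credentials.

```python
import hashlib
import hmac
import json
import secrets
from collections import defaultdict

# Hypothetical on-disk layout for this example: salt | nonce | tag | ciphertext.
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(master_password, salt):
    """Stretch the master password with scrypt, so each guess at it costs the
    attacker real CPU and memory, then split the result into an encryption
    key and a separate MAC key."""
    km = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                        n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a keystream. This stands in for a
    real AEAD cipher (AES-GCM, ChaCha20-Poly1305) that the standard library
    does not provide; the encrypt-then-MAC structure around it is the point."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(entries, master_password):
    """Encrypt a dict of {account: {"user": ..., "password": ...}} and
    authenticate the whole blob, so the file reveals nothing and any
    modification is detected."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct


def open_vault(blob, master_password):
    """Verify the tag first (constant-time compare), then decrypt. A wrong
    master password or a tampered file fails before any plaintext is made."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = blob[SALT_LEN + NONCE_LEN:SALT_LEN + NONCE_LEN + TAG_LEN]
    ct = blob[SALT_LEN + NONCE_LEN + TAG_LEN:]
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or corrupted vault")
    stream = _keystream(enc_key, nonce, len(ct))
    return json.loads(bytes(c ^ k for c, k in zip(ct, stream)).decode("utf-8"))


def reused_passwords(entries):
    """Return {password: [accounts]} for every password shared by more than
    one account: the mistake question 2 warns about."""
    by_password = defaultdict(list)
    for account, record in entries.items():
        by_password[record["password"]].append(account)
    return {pw: sorted(accts) for pw, accts in by_password.items()
            if len(accts) > 1}


# Constructed sample entries for the demonstration (not real credentials).
SAMPLE = {
    "bank": {"user": "alex", "password": "3K$R ^Xy7x='m/`3"},
    "email": {"user": "alex@example.com", "password": "hao484HSs83l"},
    "forum": {"user": "alex23", "password": "hao484HSs83l"},
}

if __name__ == "__main__":
    blob = seal_vault(SAMPLE, "correct horse battery staple")
    print("password visible in file:", b"hao484HSs83l" in blob)
    print("opened correctly:", open_vault(blob, "correct horse battery staple") == SAMPLE)
    print("reused:", reused_passwords(SAMPLE))
    try:
        open_vault(blob, "wrong master password")
    except ValueError as exc:
        print("wrong password:", exc)
```

The two things to carry over to any real tool are the slow key derivation (so the master password cannot be brute-forced quickly if the file leaks) and the authentication check before decryption (so a modified file cannot trick the program into revealing or accepting bad data). A plain spreadsheet has neither; a spreadsheet with a four-digit “open password” has only a weak version of the first.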
Free Password Utilities
As usual, there is free help available with computer security.
For example, KeePass is a ‘Password Safe’ that stores your passwords with strong security. It is free to download and use. Just search for KeePass or check out a cross-platform version, KeePassX, which works on Windows, Linux and Mac. You can use the same password file at home, work, school etc. even if those locations use different operating systems – very convenient.
Another one is the aptly named PasswordSafe. You can read about it at the PasswordSafe site.
PasswordSafe is a service that stores your information online, so it too is available for any operating system: Windows, Mac and Linux.
People need to decide for themselves whether this kind of remote storage of passwords is a good security measure for them. On one hand, you need to trust that the PasswordSafe people will store them securely. On the other, there is a security benefit because if you lost all your computers (e.g. in a house fire) you would still have all your passwords.
The providers do not recommend using it for your most sensitive online activities (e.g. your bank account log-in). This is understandable since their service is free. They don’t want to expose themselves to the legal problems that could eventuate if somebody claimed that thieves got access to their banking passwords.
There is also the popular RoboForm. Last time I looked I saw they claimed 18 million users. The application is available in a number of languages. With the free version you can store up to 20 passwords.
Another free solution:
Use your own VERY hard-to-access documents to store your passwords.
(This is what has worked for me, and is no-cost: but don’t take it as top quality security advice.)
For a long time I felt mostly safe noting my passwords in password-protected OpenOffice documents on a Linux computer. These are just word-processing documents. But OpenOffice documents are stored as compressed XML, so even if somebody stole a document from my computer they would have a hard time trying to discover what it really contains (without the password). Also, it’s on Linux, which is something of a security solution in itself.
By the way: we would not keep our banking details in a document like that. A few essential PINs and details should just be memorised, not written or stored anywhere.
This became inconvenient eventually. I started using KeePassX. Very easy and convenient.
We don’t want it to seem that you have to be a security expert just to log on to your favourite sites or use a forum.
The point is that many web users can make a big security improvement just by doing two simple things:
1. Using stronger passwords
2. Keeping them in a safe place.
If you have too many passwords to remember, and you need to record them, then keep them in a very safe place. You can use your own methods or some of the free or commercial software especially designed for the purpose.