Number 267 - August 2005

Simple Password Practices Keep PC and Online Data Secure
from AARP

Password dilemma: We can't live an online life without them, but if they're too numerous to remember, they encourage unsafe practices. What to do?

First, basics. A password is just the key that opens a computer lock. It may gain access to a newspaper's online edition, protect banking records, let you bid on auctions, open a frequent-flyer account, or do anything requiring verified identity. Some Web sites assign passwords; most allow choosing them.

Rules for selecting passwords are easy to find but are often impractical. Don't use easily guessed familiar names or words; use letters and numbers and special characters? OK. Avoid anything related to facts about yourself? Makes sense. Don't share passwords with anyone? Good advice. Change passwords periodically? Oops, it's a memory test www.evalu8.org/staticpage?page=review&siteid= 8906. Use unique passwords everywhere? Hm, that takes a *lot* of passwords. Don't write them down or store them in a computer file? Tilt!

Maintaining passwords is a nuisance. So some people use one password for everything -- a bad idea, since sharing or compromising one access opens them all. Password hierarchies are common: use one password for financial matters, another for commerce, and one for trivials such as newspaper sites. That avoids revealing your sensitive e-mail/password combination to junk Web sites. But don't use a common password for all e-commerce sites (amazon.com, buy.com, etc.) since they're occasionally hacked. And treat sites like PayPal as financial rather than e-commerce. And don't just guess which password you used on a site; some sites lock accounts after just a few failed logins.

As passwords proliferate, it's common to store them in a computer file. And having too many site-assigned passwords guarantees the need to record them. But please, don't call the file "passwords.txt" and don't use the word "password" in it.
The paranoid and geeky encrypt such files, but that risks losing the file by forgetting the encryption key. You can print and save registration pages, but that leads to bulky files, cumbersome to search and requiring updating. Some people use an address book or print lists of sites and accounts, then handwrite passwords. But that still needs updating, and can be lost, destroyed, or found by someone untrustworthy. If you have multiple email addresses, note which you use on a given site, since that's often the key for logging in or receiving password reminders.

Hackers use special software to attack logins, applying dictionary word lists and other guessing techniques. Passwords are described as "strong" (hard to crack) if they have at least eight characters, include upper/lower case and punctuation characters and at least one digit. So even if you use a memory aid for remembering passwords -- such as words from a poem -- convert them to strong passwords in a way that only you will know.

High-tech devices can add security, but they're usually used only in business settings; they include biometric devices which check fingerprints or eye structure and random logon-key generators.

Software password managers are more practical. These record and secure passwords and then auto-fill online logins. Good ones offer a "don't remember/don't ask" option to avoid recording info about sensitive sites. Encryption is desirable but not mandatory; it should be possible to secure the password manager itself with a master password. Many managers are free, some are bought, and common software such as Web browsers and e-mail clients often includes it. Google returns many hits related to "password manager" and classy software site Tucows

Many people don't secure home computers -- but consider cleaners, workers, friends wandering through, perhaps even having permission to use the computer. Suddenly security becomes more appealing. If you handle money online, check banking/financial sites occasionally for unauthorized transactions.

Remember that you may occasionally need access to secure sites while away from your computer. You can copy passwords to a thumbdrive or PDA or simply print them, but remember that they're powerful keys and must be protected. Before traveling, check your passwords so you're not surprised on the road. If you leave your computer running, you can access it remotely via tools such as GoToMyPC.

On business-owned PCs, separate personal from work-related material. Determine whether your office has policies for personal computer use and monitoring of computer activity. Some businesses install keystroke loggers which can capture passwords before they're encrypted. And remember that system administrators can often defeat security measures as part of their job, so you may not want to store sensitive personal material at work.

Work and home PCs both need disaster preparation, so family members or colleagues can access what's needed in an emergency.
Work-related passwords and instructions can be stored securely so they're available but can't be secretly used. For home computers and facilities such as e-mail and finance, remember that many ISPs and companies have privacy policies prohibiting revealing information to family members, even in cases of illness or death. Instructions and important passwords should be stored with essential family records. Note that changing situations may require special care -- for example, a divorce might motivate tight security.

AARP does not recommend or endorse any of these products or web sites. Please be advised that there are other similar products and web sites available which were not reviewed and are not listed here.

Copyright 1995-2005, AARP All rights reserved.