Following on from last week’s recommendations from Matt Pasucci on how to protect your privacy in the digital world, I’d like to add my own tips on user name and password management.
20 years ago we were all told never to write down your passwords. Today, I think this advice is obsolete. It addresses the wrong risk – the ‘old school’ crimes where you’re mugged on the street for your credit card PIN, or the cleaner steals the post-it note with all your passwords that you’ve stuck to the side of your computer. In fact, this advice is more damaging than useful, and it’s a thing of the past.
I say you should write down your passwords!
Cyber criminals don’t mug you at the ATM, they hack into the corporate systems that store your personal and financial details. While companies must do everything they can to secure their users’ details, you also need to do your bit to protect yourself.
The likelihood is that you have hundreds of different accounts—bank accounts, emails, online magazines and blogs, shopping sites, kids’ school, airline mileage accounts etc. So the chances are that you re-use user names and passwords for all these sites – which completely defeats the purpose. If a cyber-criminal gets hold of your user name and password from one account, he could use it to access all your accounts, not just the one that was hacked.
Tip #1: Use different passwords for every single one of your accounts.
This unfortunately means you’re going to very quickly end up with hundreds of passwords. So the solution is to write them down (just not on a piece of paper).
Tip #2: Keep them secure on your smartphone.
Use a password manager application. There are some very good ones that run on iOS and Android. Just don’t forget to install remote wipe/disable software on your phone in case it gets stolen. Then, if your Target account is hacked you only need to change that account, not hundreds of accounts.
Tip #3: Categorize your passwords.
Accounts are not equal in value. Clearly your bank account is far more important than an online magazine. So categorize your accounts by their importance and how much of your personal and financial information each account collects and stores. Then create passwords based on the accounts’ importance. If it’s of little importance, give it a simple password. Who cares if the eastern European hackers can access your New York Times account – let them enjoy it! But you obviously want to give accounts that store your personal and financial information a complex password that will be hard to crack.
Gripe: I do have a bone to pick with sites that force me to change passwords regularly. It’s a bad idea! If I spend the time and effort to come up with a strong password, something that will not be easy to guess, it’s also likely not easy for me to remember, so don’t force me to change it!
Tip #4 (for site administrators): Instead of forcing me to change my password periodically, run it against an automated password cracker. If the cracker can crack it, then force me to change it, but if the cracker can’t, leave me alone!
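Here is what Tip #4 looks like on the server side, as an added example that is not from the original post. Rather than drive a full cracking tool, it applies the same mangling rules a dictionary cracker would try (lower-casing, stripping appended digits and symbols, undoing leetspeak) and then checks the reduced forms against a word list; the tiny `COMMON_PASSWORDS` set, the `MIN_LENGTH` of 12 and the user names are constructed for the example, and a real deployment would load a large breached-password corpus instead. A password is only flagged for a forced change when the check fails.

```python
"""Accept-or-reject password check that emulates a dictionary cracker's rules.

Added example; not the author's code. A real deployment would replace
COMMON_PASSWORDS with a breached-password corpus (e.g. Have I Been Pwned).
"""
import re
from typing import Optional, Set

# Constructed sample word list; far too small for production use.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "monkey",
    "dragon", "football", "iloveyou", "admin", "sunshine", "princess",
}

# Leetspeak substitutions a cracker's rule set would apply; we undo them.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 12  # assumed policy value for this example


def normalize(candidate: str) -> Set[str]:
    """Return the base words a cracker's rules would reduce this password to."""
    forms = set()
    lower = candidate.lower()
    forms.add(lower)
    # Strip trailing digits/punctuation: "password123!" -> "password"
    stripped = re.sub(r"[\d\W_]+$", "", lower)
    forms.add(stripped)
    # Strip leading digits/punctuation as well: "!!welcome" -> "welcome"
    forms.add(re.sub(r"^[\d\W_]+", "", stripped))
    # Undo leetspeak on every form collected so far: "p@ssw0rd" -> "password"
    for form in list(forms):
        forms.add(form.translate(LEET_MAP))
    return {f for f in forms if f}


def check_password(candidate: str, username: str = "") -> Optional[str]:
    """Return None if the password passes, otherwise the reason it fails."""
    if len(candidate) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    forms = normalize(candidate)
    if forms & COMMON_PASSWORDS:
        return "matches a common password after undoing simple mangling"
    if username and username.lower() in forms:
        return "derived from the user name"
    # Catches "aaaaaaaaaaaa" and similar repeats that pass the length test
    if len(set(candidate)) <= 2:
        return "too little variety"
    return None


def rotation_required(candidate: str, username: str = "") -> bool:
    """Tip #4 policy: force a change only when the cracker-style check fails."""
    return check_password(candidate, username) is not None


if __name__ == "__main__":
    for pw in ["P@ssw0rd123!", "correct horse battery staple", "jsmith2020!!"]:
        print(pw, "->", check_password(pw, username="jsmith") or "accepted")
```

The check runs once at registration or password change, so a user who has chosen a strong passphrase is never asked to rotate it; only passwords that a rule-based dictionary attack would recover trigger a forced change.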
So now, go and write down those passwords!