Password Security

Given the massive security breach of the Gawker network of websites this weekend, it is a good opportunity to review password security. Users tend to accrue many accounts across a variety of services and sites as they use the internet. You might have one username and password for your web-based e-mail (HotMail, Yahoo, GMail, etc.) and another for your online shopping (Amazon, eBay, Red Envelope, etc.). You could also have accounts for your online banking and credit accounts. Add to those the social services you use (Twitter, Facebook, MySpace, FourSquare, etc.) and you can have more accounts than you know what to do with. The easy thing to do is to give up trying to remember different usernames and passwords across all of these sites and use the same one every time. This is very, very dangerous behavior, and I encourage everyone to move towards better online account security.

First, a brief discussion of why this behavior is dangerous. Let's say your name is Janet Weiss and your e-mail address is For all of the sites you visit you use the username: On every site you use the same password: 10041946 (your birthday). You use this same account information on every site you use on the internet: everything from your bank's website to the local message board for movie enthusiasts. Let's say that the folks running that message board aren't entirely on the up-and-up, and rather than hashing your password like they are supposed to, they store it in clear text in their database of users. One of the folks with access to this database, let's call him Floyd, can't resist the temptation and prints off a list of usernames and passwords, including yours. Floyd spots your username is your e-mail address, and tries logging into your account with the same password you used on the message board. Success, Floyd is now into your mailbox! Here, Floyd does a quick search to see what other accounts you might have. He turns up old mail that tells him all about the places you do your banking, shopping, and other online activities. He tries that same username and password at your bank and he's in! He quickly sets up a few major transfers between your bank account and anonymous accounts he has set up for himself. He regularly checks your mail and deletes any notifications you get about the transfer. A few days later, once the transfer is complete, Floyd is walking around with a pocketful of your savings.
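The message board in the story stored passwords in clear text, which is exactly what hands Floyd a reusable credential. The following added example (not code from the original post) shows what "hashing your password like they are supposed to" looks like with a per-user random salt and PBKDF2, and why a leaked row then no longer contains the password itself. The iteration count and salt length are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration (not taken from the original post)
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def store_cleartext(password: str) -> str:
    """What the careless message board does: the row *is* the password."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$digest_hex' suitable for storing in a user table.

    Every call draws a fresh random salt, so the same password stored on two
    different sites produces two different, unrelated records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_reveals_password(stored: str, password: str) -> bool:
    """Floyd's view: does the stored row contain the password in the clear?"""
    return password in stored


if __name__ == "__main__":
    # Constructed sample using the birthday-style password from the story
    pw = "10041946"
    print("clear text row:", store_cleartext(pw))
    print("hashed row:    ", hash_password(pw))
```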

Ouch! So what can you do to protect yourself from this sort of thing? The obvious answer is to not use the same password on all of your accounts. This can seem like a daunting task, especially if you enjoy using many services on the web. How are you supposed to remember all of those usernames and passwords?

As a first step, I recommend picking two or three passwords that you can remember. Make one a really difficult password, like a jumble of numbers, letters, and symbols that has no meaning to you. This is your 'high security' password. Only use this password on sites that you absolutely trust, and that protect your most important information, such as your bank. Before entering this password, be sure the site you are entering it on uses an SSL certificate (an easy way to check is to verify that the web address starts with https:// rather than http://; your browser might also put a lock symbol next to the URL). Your other password(s) are your insecure passwords. Use these on sites that you don't necessarily trust, but need an account to access. Using such a password is a reminder that anything you enter on the site is probably insecure, so act accordingly. Also, assume that every place you use this password, someone else is going to figure it out and get access to the account. Never, under any circumstances, enter your critical account information (such as a bank account or credit card number) on a site that does not use a security certificate (https).

Better, but still not a great feeling, right? If someone manages to figure out that 'high security' password, they will still have access to *all* of your sensitive accounts. The next step is to use different passwords on every service you use. That can be really intimidating if you use a lot of services. Fortunately, there are some tools available to help you. First, find a password manager you like, and start using it. I use KeePass, and I highly recommend it. KeePass allows you to save a username and password for all of the different sites and services you use. The information is stored in a secure, encrypted file. You can only open this file by entering a password. Pick a really strong password for this file, as it protects all of your other account information. KeePass will also generate strong passwords for you. Definitely take advantage of this feature. Once you start using KeePass (or any other password manager) there really isn't any reason to remember your individual site passwords. Just pull up the password manager and copy the password for the service you want to use to the clipboard, then paste it on the login screen.
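The post recommends letting the password manager generate strong passwords rather than inventing them. The added example below (my own illustration, not KeePass code) draws a password from the operating system's secure random source, insists on every character class being present, and estimates the resulting search space in bits so you can compare it with a birthday-style password like the one in the story. The character set and default length are assumptions, not KeePass's exact defaults.

```python
import math
import secrets
import string

# Character classes (assumed for this illustration, not KeePass's exact set)
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)


def classes_used(password: str) -> list:
    """Return the character classes that actually appear in the password."""
    return [cls for cls in CLASSES if any(c in cls for c in password)]


def generate_password(length: int = 20) -> str:
    """Draw from the OS CSPRNG (secrets) until every character class is present.

    Rejection sampling keeps the distribution uniform over the accepted set,
    unlike 'pick one from each class then shuffle', which biases positions.
    """
    if length < len(CLASSES):
        raise ValueError("length must allow one character per class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if len(classes_used(candidate)) == len(CLASSES):
            return candidate


def entropy_bits(password: str) -> float:
    """Estimate log2 of the search space: length * log2(size of classes used).

    This assumes the attacker knows which classes were used; a digits-only
    password is judged over an alphabet of 10, not 86.
    """
    size = sum(len(cls) for cls in classes_used(password))
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    # Constructed comparison: the story's birthday password vs. a generated one
    generated = generate_password()
    print(f"10041946    -> {entropy_bits('10041946'):.1f} bits")
    print(f"{generated} -> {entropy_bits(generated):.1f} bits")
```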

This works great from one computer, but what do you do when you move between several computers in a day? One solution is to store the encrypted password file on a site that you can access from anywhere. I recommend Dropbox. You can install Dropbox on as many computers (and your smartphones as well) as you like and get 2GB of storage for free. Dropbox will synchronize the files you store with it across all of these machines. That way, when you add a new password to your list at work, you still have access to it when you get home. KeePass and Dropbox both have apps for Android and iPhone as well, so you can load them on your smartphone and carry your passwords with you anywhere. If you don't have a smartphone, consider purchasing a cheap USB memory stick and putting it on your keychain. You can install KeePass on the memory stick and save your password file there, allowing you to carry it with you wherever you go. That way, if you stop in an internet cafe or library, you still have access to all of your passwords.

Online security can be confusing, and it is easy to make yourself vulnerable to attack. Taking the step of using a password manager and different passwords on every site you use is a big step towards limiting your risk when using the web.


Alcuin said...

Take a look at this video:

Jade Mason