Monday, March 04, 2013

Keeping track of passwords

Well, with so many accounts, many people wonder how and where to store all their passwords, and how to keep other people from getting access to them.
  • Never store your passwords in notebooks, textbooks or on paper; anyone can read them. Prefer storing them digitally on a computer.

How to keep track of digital passwords

  • There are programs you can buy, if you're willing to put your trust in them. I use an Excel spreadsheet, but I encrypt it with its own password - a rather complex one. I am well aware that if the file gets compromised, all my services go with it.
  • Never name that Excel/Word file "Passwords". Rather, name it something generic and boring.
  • Ideally you'll have a system for creating and remembering passwords without needing the spreadsheet. For example, you might have a string that's constant, such as "?t7q1b9f8j2o0t0l1d!" (the acronym for "the quick brown fox jumps over the lazy dog" with my area code and ZIP code reversed and a few special characters put in). To vary it, you could add the first two letters of the website you are using to the front and the next four to the end. Or put the consonants in front and the vowels at the end, with every other letter capitalized and the letter O replaced with the number zero. So for Amazon, it would be "mZn?t7q1b9f8j2o0t0l1d!Aa0." Just try to guess that!
  • Many sites let you reset your password by answering a security question, such as the name of your pet or the name of your high school. Of course, these violate good password practices by requiring you to use something that can be easily looked up. Others ask for your favorite movie or hobby. That might not be easily looked up, but your tastes change over time. Furthermore, because these questions get repeated from site to site, the answers you use violate the rule against repeating passwords.
  • Services often send an email when a password gets reset this way, so be sure the address on file is current. Change your password and security questions immediately if you're notified of a reset you didn't initiate. You might want to contact the service as well.
While you're at it, make your username complex, too, if you're allowed to choose one. Banking sites typically let you.
Some services such as Gmail even give you the option of using two passwords when you use a particular computer or device for the first time. If you have that feature turned on, the service will send a text message with a six-digit code to your phone when you try to use Gmail from an unrecognized device. You'd need to enter that for access, and then that code expires. It's optional, and it's a pain - but it could save you from grief later on. Hackers wouldn't be able to access the account without possessing your phone. Turn it on by going to the account's security settings.
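The unrecognized-device step described above, simulated as an added example that is not code from the original post or from Gmail. It assumes a six-digit code sent out of band (the list `sent_messages` stands in for the text-message channel), a code lifetime of ten minutes (the post gives no figure), and that a code is consumed by its first use, whether right or wrong; the class and method names are my own.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # assumed lifetime of a code; the post gives no figure


class SecondFactorGate:
    """Models the second layer described in the post: a device the service has
    seen before logs in with the password alone, while an unrecognized device
    must also present a fresh six-digit code that is good for one attempt and
    expires after CODE_TTL_SECONDS."""

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so expiry can be tested
        self.known_devices = set()
        self.pending = {}                  # device_id -> (code, expires_at)
        self.sent_messages = []            # stand-in for the SMS channel

    def begin_login(self, device_id):
        """Called after the password has already been verified."""
        if device_id in self.known_devices:
            return "granted"
        code = f"{secrets.randbelow(10**6):06d}"   # unpredictable, zero-padded
        self.pending[device_id] = (code, self.clock() + CODE_TTL_SECONDS)
        self.sent_messages.append((device_id, code))
        return "code_required"

    def submit_code(self, device_id, code):
        # Single use: the pending entry is removed on any attempt, so a wrong
        # guess forces a new code instead of allowing repeated tries.
        entry = self.pending.pop(device_id, None)
        if entry is None:
            return "no_pending_code"
        expected, expires_at = entry
        if self.clock() > expires_at:
            return "expired"
        if not hmac.compare_digest(expected, code):   # constant-time comparison
            return "wrong_code"
        self.known_devices.add(device_id)             # remember the device
        return "granted"


if __name__ == "__main__":
    gate = SecondFactorGate()
    print(gate.begin_login("laptop-1"))               # code_required
    device, code = gate.sent_messages[-1]             # "received" on the phone
    print(gate.submit_code(device, code))             # granted
    print(gate.begin_login("laptop-1"))               # granted (now recognized)
```

The clock is passed in as a callable so the expiry path can be exercised without waiting; the constant-time comparison and the single-use rule are the two details that keep a short numeric code from being guessed at leisure.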

Always think of these measures as layers of defense. If one gets breached, there's another to back you up. But eventually, the intruders will get through. Slow them down by making each layer as strong as possible.
