Importance of Changing Your Passwords..
In the past month, I've received notices from 2 different agencies that my password may have been compromised. Since I have been lazy, I may have used that same password on a few different web sites. Now is the time, for me, to start seriously fixing this.
Develop a new password. A password needs to be both memorable (aka don't need to write it down) and complex. This means that you need to combine a (at least 8) variety of elements into your password, including upper and lower case letters, numbers and symbols. Too hard?? No, not really. Start with a sentence that relates to the use, then use a sort of letter to symbol 'license plate' logic.
So, let's use:
By replacing characters and mixing in symbols, I'd probably change that to:
I find a nice rhythm in my passwords, when I start with a upper-case or a symbol character, then alternate back and forth between upper and lower. SHIFT+1,L v SHIFT P,2 ... I have a hard time remembering passwords when it flips 'wrong' or uses symbols not from the top row (i.e. ;: >< ). Took me several days to remember "2Ba*!E8>^". Often those password keeper/generating tools create passwords that I can only remember if I use the tool.
Speaking of Password keepers, yes, I use one. My personal favorite is PWSafe. It's a free, open-source application that securely keeps logons and passwords for websites that you regularly visit. Inside this tool, is the option to generate passwords that meet your prerequisites. I use this often with sites like my work passwords (like vendor's support site), so that they don't match my personal passwords.
Once you've put all your passwords into a safe place, back the file up! I once configured the password keeper app on my cell phone. It was great because I always had my phone with me, so my passwords were in my pockets. One day, I reset my phone not realizing I'd losing all my data, including those passwords. Luckily, they were still fresh in my memory, so nothing painful.
Password change frequency. Define what you feel safe with. My employer's IT department enforces a 90 day password change policy on my logon ID. If you have someone shoulder surf your password while at your desk, 90 days is 'just' long enough that you'll probably be changing it soon after it happens. 30 days would probably be better, but then our help desk is resetting a lot of forgotten passwords. This account is not that visible and my only worries are fellow employees. Hopefully, corporate HR Policy (should) deters them from using my account for bad.
My bank account password should change monthly. It's openly visible to the Internet and IMHO responsible for a much more than my work PC. This is where I'd use PWSafe to generate a complex 15 character password that combined everything under the sun. OK, my wife may hate having to use PWSafe at first, but it would definitely be better than no summer vacation fund.
Blizzard password? I'd put it on the 6 month change cycle, especially if you have an authenticator (who doesn't?). I only play the game at home; so no one to shoulder surf my password (kids are too young, wife doesn't care). My only concern would be if some how my password is captured via a malicious process on my PC (keyboard tracker, etc.) and posted to the Internet. Get enough people trying to hack my authenticator, it will eventually happen.
This Blog's password? Evidently I need to change it more often than before. Google notified me that someone in another country (Netherlands) attempted to logon my account. I believe Google actually denied them, but then locked my account until I changed my password.
Don't be green with password recycling. I know it's tempting, but try to avoid reusing the same password over and over again. Spreading a single password thin across several accounts could open you up for some serious issues later on. Especially if those passwords are similar, like your bank and credit card company both the same "UG0tMy$$?" Now with an intercepted copy of your credit report, someone could potentally have access to both accounts.
Passwords are critically important in this digital age we live in. Make sure your accounts are secure by making memorable, but complex password. Building that password from a familiar sentence, then applying a basic replacement 'formula' will help you remember it. Change it often to prevent hackers from taking advantage. If you can't remember your password, or you're worried you may forget it, post it into a secure, encrypted password keeper (and back up that file to another location). Most importantly, don't recycle the password of your battle.net id and the email account tied to it.
So, let's use:
I LOVE PANDA MONKS
By replacing characters and mixing in symbols, I'd probably change that to:
!LvP@ndaM1ks or
!LuVP&aM1ks
!LuVP&aM1ks
I find a nice rhythm in my passwords, when I start with a upper-case or a symbol character, then alternate back and forth between upper and lower. SHIFT+1,L v SHIFT P,2 ... I have a hard time remembering passwords when it flips 'wrong' or uses symbols not from the top row (i.e. ;: >< ). Took me several days to remember "2Ba*!E8>^". Often those password keeper/generating tools create passwords that I can only remember if I use the tool.
Once you've put all your passwords into a safe place, back the file up! I once configured the password keeper app on my cell phone. It was great because I always had my phone with me, so my passwords were in my pockets. One day, I reset my phone not realizing I'd losing all my data, including those passwords. Luckily, they were still fresh in my memory, so nothing painful.
Password change frequency. Define what you feel safe with. My employer's IT department enforces a 90 day password change policy on my logon ID. If you have someone shoulder surf your password while at your desk, 90 days is 'just' long enough that you'll probably be changing it soon after it happens. 30 days would probably be better, but then our help desk is resetting a lot of forgotten passwords. This account is not that visible and my only worries are fellow employees. Hopefully, corporate HR Policy (should) deters them from using my account for bad.
My bank account password should change monthly. It's openly visible to the Internet and IMHO responsible for a much more than my work PC. This is where I'd use PWSafe to generate a complex 15 character password that combined everything under the sun. OK, my wife may hate having to use PWSafe at first, but it would definitely be better than no summer vacation fund.
Blizzard password? I'd put it on the 6 month change cycle, especially if you have an authenticator (who doesn't?). I only play the game at home; so no one to shoulder surf my password (kids are too young, wife doesn't care). My only concern would be if some how my password is captured via a malicious process on my PC (keyboard tracker, etc.) and posted to the Internet. Get enough people trying to hack my authenticator, it will eventually happen.
This Blog's password? Evidently I need to change it more often than before. Google notified me that someone in another country (Netherlands) attempted to logon my account. I believe Google actually denied them, but then locked my account until I changed my password.Don't be green with password recycling. I know it's tempting, but try to avoid reusing the same password over and over again. Spreading a single password thin across several accounts could open you up for some serious issues later on. Especially if those passwords are similar, like your bank and credit card company both the same "UG0tMy$$?" Now with an intercepted copy of your credit report, someone could potentally have access to both accounts.
Passwords are critically important in this digital age we live in. Make sure your accounts are secure by making memorable, but complex password. Building that password from a familiar sentence, then applying a basic replacement 'formula' will help you remember it. Change it often to prevent hackers from taking advantage. If you can't remember your password, or you're worried you may forget it, post it into a secure, encrypted password keeper (and back up that file to another location). Most importantly, don't recycle the password of your battle.net id and the email account tied to it.
Hey Elk,
ReplyDeleteGood suggestions. Believe it or not with my work computer I have 16 different logins & passwords and even a Secure ID Keyfob! Bah!
Now that I'm blogging add in gmail, Worpress, Gravatar and Twitter add 8 more to that ever growing list :( *Sighs*