by Larry Magid
This article was updated from one that appears on ConnectSafely.org after the Yahoo password breach on July 12, 2012
A strong and confidential password is essential, not just for financial sites, but for social networking sites too. With social networking sites like Facebook and Twitter, there’s the danger of people faking their way into the site and posting something embarrassing about you or others. They could use your account for hate speech or to bully or defame another person or put something on your site that jeopardizes your reputation or even your safety. Another risk is that they could use your online profile to assume your identity as part of a con, such as logging into a person’s Facebook account and using it to solicit money from his friends to a “friend” out of a tight spot.
Children and teens should be especially careful to never share their passwords, even with their best friends. It’s sometimes tempting for kids to give out their password to a friend so that the friend can update or check their profile for them, but it’s a bad idea. Friends have a way of becomng ex-friends and there is the danger that a friend might share the password or be careless with it.
Have strong passwords
One of the best ways to protect your online security is to have strong passwords that you change periodically. But that’s easier said than done. Coming up with hard-to-guess passwords is hard enough, but it’s even harder to have separate passwords for different sites and to remember new ones after you change them.
One way to create a password that’s hard to guess but easy to remember is to make up a phrase. You could type in the entire phrase (some sites let you use spaces, others don’t) or you can use the initials of each word in the phrase, for instance, “IgfLESi#85″ for “I graduated from Lincoln Elementary School in ’85″ with a # symbol to add more security. An even better one would be “Mn1bfihswE&S” for “My number 1 best friends in high school were Eric and Steve.” You get the idea–upper case numbers, letters, and symbols that are seemingly meaningless to everyone but you. Microsoft has an excellent primer on passwords and a password strength checker.
Don’t use the same password on all sites
But even if you do come up with a clever and hard-to-remember password, don’t use it for every site. Since lots of people do that, there’s the risk that a sleazy site operator–or a sleazy person who works for a legitimate site–could use it to break into your accounts on other sites. Or if hackers break into a site and grabs some passwords, they might try to use those passwords on other sites. One trick is to add a couple of unique characters for each site. For example for your Google accounts you could have Go somewhere in the password and perhaps Fk in your Facebook password.
Extra security for financial sites
You might want to consider having even stronger passwords for financial sites where there is a financial incentive for hackers to break in. Again, use numbers and symbols and letters that have no meaning to anyone but you.
Lots of people have weak passwords
You might be surprised at the passwords some people use. After a July, 2012 password breach at Yahoo, CNET’s Declan McCullagh wrote a program to analyze passwords and found 780 times where “password” was used as a password and 2,295 “times a sequential list of numbers was used, with “123456″ by far being the most popular password. There were several other instances where the numbers were reversed, or a few letters were added in a token effort to mix things up.”
One solution is to use a password manager. There are several available programs and Web storage services, but the ones I’m most familiar with are RoboForm and Lastpass. These programs can generate passwords for you and remember them so you don’t have to. Both programs are, themselves, password protected, though you have the option of running RoboForm without a password or having Lastpass remember its own password on your computer, tablet or smart phone. That’s OK as long as no one else has access to your machine. I recommend that you manually enter your master password on a laptop or mobile device that could more easily fall into the wrong hands.
On Firefox, Chrome and Internet Explorer, Lastpass records your usernames and passwords when you first enter password-protected sites and then enters them for you automatically for subsequent visits. Passwords are stored in a “vault,” which is actually a Web page stored on your PC, as well as the company’s servers, so you can access it from any device, including a borrowed machine. The password vault on your machine is automatically synchronized with the server, so you don’t have to worry about synchronizing or backing up your data.
For a lot more on this password management, see CNET News reporter Elinor Mills’ post, “Facing the pain of passwords.”
Also, see ConnectSafely.org’s “Tips to Create and Manage Strong Passwords”