Internet Tips: Can You Pass the PC World Password Safety Test?

Life online means living with--and trying to remember--passwords. Lots of them. Your Internet, e-mail, and instant messaging accounts require you to enter a user name and a password. So do secure online bank, credit card, mutual fund, and shopping Web sites. Meanwhile, less-sensitive sites such as those of Consumer Reports and the New York Times may require a lower level of log-in security.

Faced with retaining so many user names and passwords, most of us take the easy way out: We pick one memorable pair of terms and use them everywhere: Our dog's name, our kid's birthday, our favorite Star Trek character. Maybe if we are feeling really tricky, we move our hands one key to the right and type "password" (that produces "[sddeptf").

I'm sorry to be the bearer of bad tidings, but the password stealers are on to us.

If your password is "abc123", "iluvjlo", or "OU812", you might as well not have one at all. If it consists of names or any words that can be found in a dictionary (English or otherwise), fuhgeddaboudit. A knowledgeable person equipped with the right tools and your user name could deduce your weak password and gain access to your Internet account, e-mail, or bank account in no time.

Using the same weak password at multiple sites or servers compounds the likelihood that someone will take control of your accounts. Even if the password you use for your ISP account is fairly strong, using the same password at various sites reduces your security. The people who manage a site, or who otherwise are privy to your data in one place, may well have access to the password itself (if the site stores passwords unencrypted, as many do), and they can figure out where else to try it from your e-mail address or IP address (which they also have). Moreover, unless the site uses a secure (https:) connection or your mail program uses an encrypted connection to its server, the user names and passwords that you use to access Web pages or to pick up your e-mail travel over the Internet as unencrypted plain text, so devious folk who can watch the network can grab your password and give it a try elsewhere.

There's Safety in Numbers

Follow these three commonsense rules to ensure the safety of your passwords and the data they protect.

Choose strong passwords: These consist of at least eight completely random characters (longer is better), drawn from letters, numbers, and punctuation. Weak passwords contain easily guessed number sequences, or names or words that can be found in a dictionary, even if the dictionary is Latvian; tacking digits onto the end of a word, or typing it with your hands shifted one key over, doesn't help, because password-cracking tools try those variations automatically. Mixing upper- and lowercase may or may not matter, depending on whether the system that accepts the password is case-sensitive, but you should always combine letters, numbers, and punctuation. For example, "scott123" is a weak password. And except for the fact that it now has been published in PC World, "8hT$2@N8" is a strong one.

Since coming up with a truly random password is difficult for humans, you may want to use a tool--such as the Info Tech Professional Random Password Generator--that can create such passwords for you.
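The two halves of the advice above, generating a genuinely random password and recognizing why "scott123", "abc123", and the keyboard-shifted "[sddeptf" are weak, are shown together in the following added example. It is illustrative code written for this page, not part of the Info Tech Professional generator or any other tool the article mentions; the DICTIONARY set is a constructed stand-in for the multi-million-entry word lists real cracking tools use, and the weakness checks cover only the attacks the article describes.

```python
import math
import secrets
import string

# Constructed stand-in for a cracking dictionary; a real one holds millions
# of words, names, and pop-culture terms in many languages.
DICTIONARY = {"password", "scott", "abc", "iluvjlo", "ou812", "spock", "rover"}

# QWERTY rows, used to recognize the "shift your hands one key" trick.
QWERTY_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]

# 26 + 26 + 10 + 32 = 94 symbols; every draw comes from the OS CSPRNG.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def shift_right(text, steps=1):
    """Type each character `steps` keys to the right on a QWERTY keyboard.
    Negative steps shift left (undoing the trick); unknown characters pass through."""
    out = []
    for ch in text.lower():
        for row in QWERTY_ROWS:
            if ch in row:
                out.append(row[(row.index(ch) + steps) % len(row)])
                break
        else:
            out.append(ch)
    return "".join(out)


def is_weak(password):
    """Return the reason a password falls to a cheap attack, or None."""
    if len(password) < 8:
        return "shorter than 8 characters"
    low = password.lower()
    core = low.rstrip(string.digits)          # "scott123" -> "scott"
    candidates = {low, core, shift_right(low, -1), shift_right(core, -1)}
    if candidates & DICTIONARY:
        return "dictionary word, possibly with digits appended or keyboard-shifted"
    if all(ord(b) - ord(a) == 1 for a, b in zip(low, low[1:])):
        return "sequential characters"
    return None


def generate_password(length=12, alphabet=ALPHABET):
    """Build a password from uniformly random draws; never use random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Guesswork an attacker faces against a uniformly random password."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    for pw in ["abc123", "scott123", "[sddeptf", "8hT$2@N8"]:
        print(f"{pw:12} -> {is_weak(pw) or 'no cheap attack found'}")
    pw = generate_password(12)
    print(f"generated: {pw}  (~{entropy_bits(len(pw)):.0f} bits)")
```

An eight-character password drawn uniformly from the 94 printable ASCII symbols carries about 52 bits of guesswork; a dictionary word with a number glued on carries only a few, however exotic the dictionary, because the cracker enumerates the word list and the common suffixes for you.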

Store passwords securely: Since you can't possibly remember dozens of unique, gibberish passwords, you need to record them and store them somewhere safe. The first thing to recognize is that there is no truly safe location to store passwords: The most convenient place won't be the most secure, and the most secure methods won't be terribly convenient.

Writing passwords on a piece of paper that you file away somewhere or stick into a book will work okay as long as no one else is likely to open the book--and you don't forget which book it's in. Storing passwords in a file on your PC may be more convenient, but not if the hard disk dies. To prepare for that contingency, print out a paper copy and store it in a safe, a locked cabinet, or a safety deposit box, or in an innocuous book that nobody is likely to browse through, such as Do-It-Yourself Brain Surgery: A Narrative or Scranton on $50 a Day.

If you sell your computer or replace its hard disk, you'll need to delete the password file, and then use a file-wipe utility to permanently erase the drive so that the new owner can't restore your password file. The June Answer Line gives instructions on wiping a hard drive.

Encrypt and password-protect the file you save your passwords in. You can password-protect Word 2002 and Excel 2002 files using a fairly strong 128-bit encryption key. Choose Tools, Options, Security in either program to enter the password, and click Advanced to select the encryption strength; the default setting offers much weaker protection, so be sure to pick the 128-bit option. Obviously, choose a strong master password that you'll remember, because it guards every other password in the file.

If you don't use Word 2002 or Excel 2002, or if you aren't convinced that these programs are secure enough, download Counterpane Labs' free Password Safe utility. In addition to using the strong Blowfish cipher to encrypt your user name and password database, Password Safe includes a handy password generator (see FIGURE 1) that lets you copy user names and passwords to the Windows Clipboard with a single click. When you close Password Safe, the program clears passwords from the Clipboard.

FIGURE 1: Create and store passwords using the Password Safe freeware program.
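What a password-protected file (Word's 128-bit option or Password Safe's Blowfish database) has to get right is shown in the following added example: the master password is stretched into a key, and the stored file is authenticated so that a wrong master password or a tampered file is rejected rather than quietly decrypting to garbage. This is illustrative code written for this page, not Password Safe's or Microsoft Office's implementation; it uses HMAC-SHA256 in counter mode as a dependency-free stand-in for a real cipher (an assumption made so the example runs on a bare Python install; a real program should use a vetted cipher or authenticated-encryption mode from a crypto library), and the sample entries are constructed.

```python
import hashlib
import hmac
import json
import os

SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password, salt):
    """Stretch the master password with scrypt (slow on purpose, so guessing
    it costs an attacker real time) and split the output into an encryption
    key and a separate authentication key."""
    okm = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                         n=2 ** 14, r=8, p=1, dklen=64)
    return okm[:32], okm[32:]


def keystream(key, nonce, length):
    """Stand-in stream cipher: HMAC-SHA256 run in counter mode. Assumption
    made for a dependency-free example; use a vetted cipher in real software."""
    blocks = []
    counter = 0
    while len(blocks) * 32 < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))


def seal(master_password, entries):
    """Encrypt-then-MAC the JSON-serialized entries; returns salt|nonce|ct|tag.
    Fresh salt and nonce every time, so two saves never share a keystream."""
    plaintext = json.dumps(entries).encode("utf-8")
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    ciphertext = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password, blob):
    """Verify the tag before decrypting: a wrong master password or a modified
    file is rejected outright instead of yielding silent garbage."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(xor(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def can_unlock(master_password, blob):
    """True if the master password opens the vault, False otherwise."""
    try:
        open_vault(master_password, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample entries, not anyone's real credentials.
    vault = seal("correct horse battery", {"bank": {"user": "jdoe", "password": "8hT$2@N8"}})
    print(len(vault), "bytes on disk;", open_vault("correct horse battery", vault))
```

The tag check is what distinguishes a password-protected file from mere obfuscation: without it, an attacker who flips bytes in the file, or who guesses a master password, gets no clear signal of success or failure, and neither do you. The scrypt step is why a strong, memorable master password matters: every guess at it costs the attacker the same deliberate delay it costs you.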

Use passwords safely: One major stumbling block in password security is the innate human inability to keep a secret. Once you have created a password, reveal it to no one. Neither your ISP, your bank, nor anyone else should ever need you to tell them your password, whether by phone, via e-mail, or in person; anyone who asks for it is either careless or up to no good. (Your company's IT support staff may legitimately need to reset your password, but even they shouldn't need you to tell them the current one.) Don't share your password with coworkers, and don't write it on a note that you leave in your desk drawer. Don't let others "shoulder-surf" you by observing you as you log in to a network or secure Web page. And for maximum peace of mind, keep your personal passwords off your office PC.

If you suspect that one of your passwords has been compromised, use the Web site's password-management options to change it right away, and change it at every other site where you used the same password. Practically every online site or service that relies on passwords lets you log in to your account and select a new one instantly.
