Be concerned about your passwords
- Avoid using public computers for any kind of access where security is important
You can say I'm paranoid about this, but as a practice I avoid accessing websites that demand high confidentiality (such as banks, brokerages, financial institutions, etc.) from computers in public places such as libraries, schools, colleges, wireless hotspots, etc. I give you two reasons for this.
One: it is easy to leave traces of your account information behind on a public computer, depending on the design of the web site. Such information can remain in the browser cache or in cookies, where it can be extracted by anyone with a little extra knowledge of how to do it. And public computers can easily be infected with keylogging programs and other malicious software.
Two: network traffic can be captured without much effort by a knowledgeable person and studied to extract account information. This is especially true on unsecured networks that do not use encryption. A network administrator may log incoming and outgoing Internet traffic if he wants to, and those logs can reveal a lot about your activities, including your password.
- Keep a good system of passwords
Having to remember numerous passwords can be a pain sometimes, and for convenience we often use the same password for every site in town. Convenience almost always compromises security. I believe it is good practice to have a number of passwords for the different websites you have accounts on. I would suggest that you rank all the sites under one of the following categories: low, medium or high security, and choose a different password for each category. Examples of the low security category are sites like forums, game sites, download sites, job sites, etc. The high security category would include your banking sites, financial institutions, eBay, PayPal, and any site holding highly confidential information about you.
Why do I advocate such a practice? For a simple reason: if a password is compromised, it only affects one category. Say, for example, someone manages to get hold of your password in the low security category; he may use it only on those sites of low importance. But what if someone gets the password in the high security category? We'll look at that in the next practice, changing passwords regularly.
It is really not difficult to compromise your password. Are you aware that some sites do not store your password in encrypted form but in plain text? That means anyone with access to that account database will be able to see the passwords of every user, and a hacker who breaks into that system will be able to gather all the passwords for later exploitation. Now how can you tell whether a website encrypts your password or not? There is a simple way to tell. Most websites offer an "I forgot my password" feature. If you use this feature, note how the site handles the situation. If they reset your password and send you a new temporary password, then they have password encryption in place. If the site sends you your password by email or displays it on the screen, then I would be worried. This tells me that they do not employ password encryption on their system (or they use a poor encryption method that allows the original password to be recovered, in which case it is as bad as storing it in plain text), which means your password can be easily compromised. If you use the same password for everything else, like your bank account, you are overly exposed.
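As an added illustration of the "I forgot my password" test described above (example code written for this page, not from the original post), here are two toy account stores: one keeps passwords in a recoverable form and so can mail them back, the other keeps only a salted one-way PBKDF2 hash (the kind of protection the post calls "password encryption") and can only reset. The user name and passwords are constructed sample values.

```python
# Added example, not from the original post: a store that keeps passwords in a
# recoverable form can answer "send me my password"; a store that keeps only a
# salted one-way hash can only issue a new temporary password. Sample values
# below are constructed.
import hashlib
import hmac
import os
import secrets


class RecoverableStore:
    """Keeps the password itself: a database leak exposes every account."""

    def __init__(self):
        self._users = {}

    def register(self, user, password):
        self._users[user] = password

    def verify(self, user, password):
        return self._users.get(user) == password

    def forgot_password(self, user):
        # Hands the original password back: the red flag described in the post.
        return self._users[user]


class HashedStore:
    """Keeps salt + PBKDF2-HMAC-SHA256 digest; the password is not recoverable."""

    def __init__(self):
        self._users = {}

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, user, password):
        salt = os.urandom(16)  # fresh per-user salt defeats precomputed tables
        self._users[user] = (salt, self._digest(password, salt))

    def verify(self, user, password):
        if user not in self._users:
            return False
        salt, digest = self._users[user]
        # Constant-time compare so timing does not reveal matching prefixes.
        return hmac.compare_digest(digest, self._digest(password, salt))

    def forgot_password(self, user):
        # The old password cannot be read back, so a fresh temporary one is
        # issued and the old one stops working immediately.
        temp = secrets.token_urlsafe(12)
        self.register(user, temp)
        return temp
```

A site built on the second model can only ever answer a forgotten-password request with a reset, never with your original password.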
- Test whether password encryption is being employed
I include this as a good practice because it is linked one way or another to keeping your password safe. If any website shows itself to be negligent about password encryption, you should be wary of them. That means never releasing private information about yourself to them, since you know that there would not be strong security in place to protect it. So whenever you sign up for a new account with any site, be sure to try out their "I forgot my password" feature and become familiar with the procedures they use in such a situation. In particular, determine whether they use password encryption techniques for their passwords.
- Regularly change your password
I have to confess that this is one area I am not strong in. In workplaces, lots of company policies force you to change your password periodically, ranging from every month to every 6 months. I personally never learned to like this even though I know the importance of it. Coming up with new passwords regularly may not be an easy task for some. We get attached to our passwords after a while. So perhaps a suggestion would be to have a set of passwords that you recycle periodically. Say, for the first 3 months I use password A, then for the next 3 months password B, then password C, and so forth, and then repeat the cycle. That might make regular password change more acceptable.