Good Passwords and Internet Security
Almost nobody in business has had formal training in security or passwords. The only thing you’ve had is crazy IT admins yelling at you, or frustration with password setup processes that don’t seem to make sense.
So let’s get back to the fundamentals. There are three components to authentication:
1. Who you are. Typically corporate networks use your email as your login username.
2. What you know. This is information kept only in your brain, such as a password or a PIN.
3. What you have. This is a tangible thing in your possession. Your debit card is an example of the second and third components: you have a debit card and you know your PIN. With those two, you can take out money.
Here’s the problem: most Web services use only the first two factors of authentication. (There are third-factor devices such as USB dongles and secure ID keyfobs, but these are in limited use.)
The first is not very secure: the username, usually your email, is public. So really, you only have one-factor authentication, consisting of your password. It’s crucial that you not screw that up. Avoid doing so and you will eliminate most of the likelihood of being hacked, but not all of it. Even a WIRED editor got hacked through social engineering (calling Apple and tricking them into giving out his password; see wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/).
The other big problem with password security is that people don’t practice compartmentalization. Let’s say pets.com gets hacked and the bad guys get your Yahoo! email address and password. They immediately go to Yahoo! mail and try to log in using that password. They succeed because you didn’t compartmentalize: you used the same password for both pets.com and your email account. Now they can log in and quickly change your email password, locking you out. With control of your email account, they move on to your banking and credit card accounts. Game over.
So, compartmentalize: use different passwords for different accounts.
The final important thing about passwords is to make them long and use wacky characters. Use upper and lower case, and use symbols such as &, !, # and *. Also, a length of less than twelve characters makes it too easy for brute-force password-guessing bots to succeed, so make them long.
Here are some password examples:
| Bad Password | Not-so-Bad Password | Good Password |
|---|---|---|
| kitty | 1Kitty | 1Ki77y2013&& |
| susan | Susan53 | ....Susan53.... |
| jellyfish | jelly22fish | JJ33llyy22FFiisshh |
| smellycat | sm3llycat | $$mm33llyycat |
| jackbauer | jAckBauer | %%JACK%%Bauer |
| doctorhouse | Doct0rH0use | .Doct0rH0use. |
| ieatcarrots | IeatCarrots | I34tcarr0ts: |
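To make the two rules above concrete (the length-and-character-class rule and the compartmentalization rule), here is an added Python example that is not part of the original article: it checks a password against the article's three rules, estimates the brute-force search space a guessing bot faces, and flags a password reused across accounts. The keyspace model is a naive upper bound and deliberately ignores dictionary attacks, so a long password built from a common word still scores better here than it deserves.

```python
import math
import string

# Threshold taken from the article: twelve characters or more.
MIN_LENGTH = 12

# Character classes and their alphabet sizes for a naive brute-force keyspace model.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),  # 32 ASCII symbols
}


def classes_used(password):
    """Return the names of the character classes that appear in the password."""
    return {name for name, (chars, _) in CLASSES.items() if any(c in chars for c in password)}


def keyspace_bits(password):
    """Bits of search space for a bot that tries every string over the alphabet
    the password actually uses: log2(alphabet_size ** length).
    Upper bound only; a password derived from a dictionary word is much weaker."""
    alphabet = sum(CLASSES[name][1] for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def rule_violations(password):
    """Apply the article's three rules; an empty list means all three are met."""
    used = classes_used(password)
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not {"lower", "upper"} <= used:
        findings.append("not mixed case")
    if "symbol" not in used:
        findings.append("no symbols")
    return findings


def reused_passwords(accounts):
    """Compartmentalization check over a {site: password} mapping (constructed
    sample input in the test): return passwords shared by more than one site."""
    sites_by_password = {}
    for site, password in accounts.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}
```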
And how will you remember them? The best way is to write them on a piece of paper and keep it safe at home. There are also password-keeping programs that will encrypt your password list, and then you’ll only need to remember one password.