In this day of widely publicized panic about online security, it’s time we revisited the basics of password security. I’m sure that none of you reading this would ever have a less-than-ironclad routine for all your online activities:
- Never ever use the same password on multiple sites. Once they’ve grabbed your login for the MyLittlePony site, they’re into your bank account . . . or worse, your MyLittlePonyDoesDallas account.
- Always use the maximum number of characters allowed . . . I know it’s a pain when a site allows 1024 characters, but your online security is paramount. I believe most health insurance now covers carpal tunnel treatment, so you’re golden.
- Never include any word — in any human language — embedded within your password: this includes all the words in the Scrabble® dictionary for every known language. Can’t assume that the black hats speak English, y’know.
- Always use both capital and lower-case letters and include at least a single digit and a non-letter character in every password.
- Change your password regularly. Daily, if necessary. Even hourly if you share a computer with others.
- Never, ever write your password down. That’s the first thing they’ll look for when they break down your door and trash your crib.
- Never, ever re-use a password. Don’t pretend you haven’t done this one. We all used to do it, until site admins started checking that you hadn’t re-used an old password.
Note: Don’t try to be clever and use 1337speak. The folks trying to crack your password all post on 4chan: you’re giving them a head-start. They dream in 1337.
Of course, even the professionals don’t do all of this. Some of ’em don’t do any of it. Do like the pros do: set all your passwords to “passw0rd”. Nobody ever guesses that.
For actual password advice that might be helpful, you can try this post on the Gmail Blog.
I have to disagree; this is one area where security nerds over-engineer themselves. It’s perfectly okay to use the same password across multiple sites so long as you’re smart about it. I generally break it down like this:
- High Importance sites (bank/insurance/financials, primary/secondary/tertiary email): unique logins and passwords for each.
- Medium Importance sites (vendor/retailer sites): common login/pass only between these sites; for contact point use secondary email.
- Low Importance sites (forums, spam catch-all): common login/pass for these sites only (different from medium level); for contact point use tertiary email.
I don’t care if the Medium or Low accounts get lost or nuked. It is not going to ruin my day financially. The high-importance stuff, protect with unique logins; the rest that isn’t critical, don’t bother. Not worth expending the effort on.
Comment by Chris Taylor — October 10, 2009 @ 13:27