Post from Jean Thilmany:
Am I the only one ensconced in password hell? How are we supposed to keep track of the millions of user IDs and passwords required in this world?
Like everyone else, I have my email accounts, my work-related sites, one of my kid’s school accounts—including one for school hot-lunches that I only refill about twice a year. In fact, the worst sites in terms of remembering passwords are those I only visit a few times a year and those that prompt me to create a password I don’t normally rely on. “Quick: Come up with a memorable password of sixteen characters, three of them upper case, three of them lower case and at least two of them numbers. Then spit it back a year from now.”
Financial sites like banks and brokerages—and others rife with personal information such as health insurance accounts—usually ask me to create these types of passwords, plus they prompt me with several qualifying questions. So this means that when I phone in to customer service, my inability to remember the town in which I was born makes me ipso facto sound like a thief. So by “color of my first car” did they mean the first one I bought myself, or the bright-orange Volkswagen Rabbit my dad bought for my sister and me when I turned 16?
I’ve always been afraid of writing down my passwords (though secretly I wanted to).
But now, Dave Chronister tells me I can do just that. As managing partner at Parameter Security, a firm of certified ethical hackers in St. Peters, Mo., he’s an expert who should know. He and another expert have given me a few other password tips I want to pass along.
Don’t write the thing down and tape it to a computer or leave it bolded in the address book on your desk next to your computer, he said. Instead, write down your passwords and seal them in an envelope in an area away from your computer.
That way, if you really need a password, even a few years down the road, you’ll know where to find it. And thieves likely won’t find the envelope and put it together with computer use.
But what are the chances of me finding where I hid the envelope, if I need it in two years’ time?
And about those question prompts, Steve Santorelli, a former Scotland Yard detective who is now director of global outreach at Team Cymru, an Internet security research company in Lake Mary, Fla., has good advice.
“Sarah Palin’s account got hacked because the hackers could guess the answers to all of her secret questions,” he said. He advises users to register answers that don’t directly pertain to the question but that they can easily remember, such as their first phone number, a phrase, or string of numbers that means something to the user but isn’t easily guessable to the outsider.
So now I just have to remember whether I paired my first phone number to the prompt question about first car color or first-grade teacher’s name.
But here’s some good advice from Chronister that I can get behind: When it comes to choosing a password, consider a sentence, he said. After all, a “pass phrase”—rather than a password—of up to 16 characters would require intense computing power to guess, and it would contain a space, a character that is neither a letter nor a number and one that hackers rarely take into account. A sentence can be easy to remember and can be long enough—including special characters—that hacking software and hackers themselves can’t easily discover it.
This sentence will be my password. Or will it?