As Peter touched on when relating his story about the Gawker password database compromise (in addition to numerous other mentions on this blog), maintaining secure passwords for all of your various online identities is not something to take lightly.  In addition to strong passwords, you should also use a unique password for each site you visit.  You may not care if someone compromises the account you use to comment on Gizmodo, but if you also use that password for e-mail, banking, Facebook, or other sites you do value, you leave yourself open to a painful security breach: attackers routinely replay credentials leaked from one site against every other popular site.

In a perfect world, websites would just use OpenID or another federated credential, so that everyone would have only one strong password to manage, and we wouldn’t have to rely on bad home-grown authentication from each web site.  However, this isn’t likely to happen anytime soon.  In the meantime, here are a few tips on password security that should help keep your accounts a little bit safer:

1) Do not use words, phrases, dates, or numbers that are of any significance to you, such as birthdays, your home address, or pets’ names.  (I think the law requires every password article to include this tip.)

2) Use mixtures of upper case, lower case, numbers, and special characters.  The longer, the better: every extra character multiplies the number of guesses an attacker has to make, so a long password drawn from a modest alphabet beats a short one with a few symbols sprinkled in.  (This one, too)

3) If you can’t remember your passwords, don’t write them down; use a password management tool that you can store on a USB token to take with you on the go.  Make sure it’s a reputable tool that encrypts its database with a well-vetted cipher and derives the encryption key from your master password with a deliberately slow key-derivation function, so that a stolen copy of the database can’t be cracked quickly.  (Readers and SM Bloggers, any products you’d recommend?)

4) Never re-use passwords for multiple locations.  If you absolutely, positively refuse to use completely unique passwords for each site, consider appending something site-specific that you can easily remember to your password.  For example, if you want to use Password123 for several low priority sites, instead use Password123papajohns.com, Password123gawker.com, etc.  This isn’t truly secure, as the pattern is easily figured out by a human looking at it (and by a script told what to look for), but it should at least stop automated credential-stuffing scripts that simply replay the exact leaked password elsewhere.

5) Beware the password reset “security questions”!  Things like your mother’s maiden name, the street you grew up on, pets’ names, etc., are trivial to figure out, especially if you like filling out “which vegetable are you?”-type questionnaires on Facebook.  You don’t actually have to answer the security question with an answer that makes sense; for a question such as “What is your mother’s maiden name?”, the system will not care if you say “pamplemousse”.  Just make sure you can remember the answer as well, or store it alongside the password in your password manager.
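To make tips 2 and 5 concrete, here is an added example (written for this page, not code from the original post or from any product it mentions) that generates passwords and passphrases with Python’s standard-library `secrets` module and prints how many bits of guessing resistance each format gives.  The 32-word list is constructed for the demo; a real Diceware-style list has 7776 words, which is where the “about 12.9 bits per word” figure comes from.  The numbers show why a long passphrase from a plain word list holds its own against a shorter password drawn from all four character classes, and the same generator doubles as a source of nonsense answers for “security questions”.

```python
"""Added example: random password and passphrase generation with `secrets`,
plus an entropy estimate for each format.  Not code from the original post."""
import math
import secrets
import string

# Tip 2's four character classes; ALPHABET is the 94 printable ASCII characters.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)

# Constructed 32-word list for the demo: 32 = 2**5, so exactly 5 bits per word.
# A real Diceware-style list has 7776 words (about 12.9 bits per word).
WORDS = [
    "anchor", "basil", "cactus", "dune", "ember", "falcon", "garnet", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "marble", "nectar", "orbit", "pebble",
    "quartz", "raven", "saddle", "timber", "umbra", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "acorn", "bramble", "cobalt", "delta", "finch", "gable",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size).
    This is the search space an attacker faces when the secret is truly random;
    it says nothing about passwords made of dictionary words or pet names."""
    return length * math.log2(alphabet_size)


def has_all_classes(pw: str) -> bool:
    """True if pw contains at least one character from every class in CLASSES."""
    return all(any(c in cls for c in pw) for cls in CLASSES)


def generate_password(length: int = 16) -> str:
    """Uniformly random password that contains every character class.
    Rejection sampling keeps all accepted strings equally likely; the usual
    'pick one char per class, then shuffle' trick skews the distribution."""
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def generate_passphrase(words, count: int = 6, sep: str = "-") -> str:
    """count words chosen independently and uniformly from the list."""
    return sep.join(secrets.choice(words) for _ in range(count))


def random_answer(words, count: int = 3) -> str:
    """Tip 5: an answer for 'What is your mother's maiden name?' that has
    nothing to do with your mother.  Store it in the password manager."""
    return generate_passphrase(words, count, sep=" ")


def main() -> None:
    formats = [
        ("8 digits (a PIN)", 10, 8),
        ("12 chars, four classes", 94, 12),
        ("16 chars, four classes", 94, 16),
        ("16 lowercase letters", 26, 16),
        ("6 words, 7776-word list", 7776, 6),
        ("6 words, this 32-word list", len(WORDS), 6),
    ]
    for label, alphabet_size, length in formats:
        print(f"{label:28s} {entropy_bits(alphabet_size, length):6.1f} bits")
    print("password:            ", generate_password())
    print("passphrase:          ", generate_passphrase(WORDS))
    print("mother's maiden name:", random_answer(WORDS))


if __name__ == "__main__":
    main()
```

The printed table is the point: 16 lowercase letters (about 75 bits) are within a few bits of 12 characters drawn from all four classes (about 79 bits), and six words from a 7776-word list (about 78 bits) match both while being far easier to remember.  The rejection loop in `generate_password` means its real entropy is marginally below `entropy_bits(94, 16)`, since strings missing a class are thrown away, but at 16 characters the loss is a fraction of a bit.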

Anyone have any other password tips to share?

One thought on “Keep Your Friends Close, but Your Passwords Closer”

  1. I’m a big fan of 1Password synced among my systems with Dropbox. (It even syncs with my iPhone.) The file is encrypted with AES-128, so no worries about having it on “public” servers. I also don’t have to worry about whether I have the file updated or not.
