“Help! I Need a Website!”

Safety Tips: Password Management

9 June 2009 · 1 Comment

My sister did a really stupid thing a couple days ago. She signed up for a photo-sharing site because she was sent an invite by someone she knew, and she gave the site her email address and password as part of the sign-up process.

Never, ever, do this.

I cannot stress that enough.

Do not give web sites your password to other web sites, email, or instant messenger accounts.

The less nefarious ones are just going to use the information that they harvest to spam your friends list or address book with invitations to their site, from you. That’s relatively harmless. (Though are you really sure you want to invite all your co-workers to look at the pictures of your best friend’s bachelor party in Tijuana? Yeah, I didn’t think so.) You also don’t know how long they are going to retain your login information or how secure the database storing it is.

The more nefarious? Who knows. It wouldn’t be the first time someone ran a scam to get login credentials by setting up a phony web site.

I’m taking this opportunity to write up a list of basic password safety tips. Then I’m going to email the link to my sister.

Five Rules to Keep Your Passwords Safe

  1. Use a strong password. A strong password is one that is nearly impossible to guess. It should be at least eight characters long, and consist of upper and lower case letters, numbers, and some special characters. It shouldn’t contain words or names; those make it easier for a computer to break it using a dictionary file.
     
    Examples of good passwords: oh1V-emi uco!Dp5j Mor5-Xei
    Examples of bad passwords: Jeremy09 RedSox69 fatcat72
    Examples of really bad passwords: jeremy cat redsox
  2. Use a different password for every account. Most people use the same password for all their accounts. Most sites also allow you to log in using either your username or your email address. What this means is that for most people, giving out their email address and password (like my sister did) isn’t just giving away access to an email account. That email address and password can also be used to log into Facebook, MySpace, Amazon, Twitter, and a bunch of other sites. Maybe even into their bank accounts.
  3. Change your passwords regularly. Most people only ever change their passwords when something funny happens, like their MySpace page gets vandalized or people start complaining about getting weird emails from them that they didn’t send. Often the password was stolen days or even weeks before anything like that became visible, and a routine change would have prevented the problems. Every month is good, but you should, at the minimum, change your passwords a couple times a year.
  4. Don’t log into password protected accounts from public computers. I know it’s tempting, but logging in to check your email from a shared computer in the airport or computer lab or a demo in an electronics store is a really bad idea. Some public places have good security policies and check their machines regularly for malicious software. Others don’t. You never know for sure; it’s safer to use your own computer.
  5. Do not give out your password. The absolute easiest way to steal passwords is just to ask for them. The whole point of a password is that it’s supposed to be secret. You wouldn’t give a copy of the key to your front door to everyone who asked. Don’t do it with your password.
     
    More and more sites are asking for passwords to your other accounts during registration. If you look carefully, there is usually a tiny text link that says something like “skip this step.” If you can’t find a link that will let you skip the step, just close the page. Usually the actual registration is already completed. If you can’t find a way to ignore the request, don’t use the site or service.

    It’s really that simple. If your friend actually posted anything, and didn’t just fall for giving the site their password because they got an invite, they’re going to post the same pictures to their Facebook account and their MySpace account and their Flickr album anyway. You aren’t going to miss anything.

    The only time you should ever follow a link from an email to change your password is when you specifically requested a password reset from a site. It’s very, very easy to set up a fake website that looks just like the real thing and fake an email address. (This is called phishing.) Lots of these emails say scary things about deleting or deactivating your account if you don’t change your password. The best thing to do is go to the real web site (don’t click a link in an email to get there) and log in. If you really do need to change your password, it will prompt you to do it. Companies know how easy it is to fake these emails, so they don’t rely on scary email messages to communicate changes.

    And in the same vein, web sites already have your password. It’s in their database. And they have backups of their databases, so they are never, ever going to tell you their database was lost and they need your password. If you get emails (or phone calls!) asking for your password, go to the company’s web site (from your browser, don’t click links in the email) and find their contact information. Report the attempt to solicit your password so that they can alert their other users to the scam.
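The criteria in rule 1 are easy to turn into a checker. The script below is an added example, not code from the original post: it applies the post’s length and character-class rules, then looks for dictionary words and names (the word list is a constructed stand-in for a real dictionary file, and the digit-for-letter substitutions it undoes before searching are an assumption about how cracking tools work), and classifies the post’s own good, bad, and really bad examples.

```python
import string

# Constructed word list standing in for a real dictionary/name file
# (assumption: a real checker would load a list with thousands of entries).
DICTIONARY = {"jeremy", "red", "sox", "fat", "cat", "password"}

MIN_LENGTH = 8  # the post's "at least eight characters"

# Digit/symbol substitutions a dictionary attack also tries; undone before
# the word search so "c@t5" is still caught as "cat" (added assumption).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s"})


def dictionary_hits(password):
    """Return dictionary words/names found inside the password, case-insensitively."""
    folded = password.lower()
    unleeted = folded.translate(LEET)
    return sorted({w for w in DICTIONARY if w in folded or w in unleeted})


def check_password(password):
    """Apply the post's rule-1 criteria; return the list of failed criteria (empty = strong)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    hits = dictionary_hits(password)
    if hits:
        problems.append("contains word(s)/name(s): " + ", ".join(hits))
    return problems


def is_strong(password):
    return not check_password(password)


if __name__ == "__main__":
    # The post's own examples: three good, three bad, three really bad.
    for pw in ["oh1V-emi", "uco!Dp5j", "Mor5-Xei",
               "Jeremy09", "RedSox69", "fatcat72",
               "jeremy", "cat", "redsox"]:
        verdict = "strong" if is_strong(pw) else "; ".join(check_password(pw))
        print("%-10s %s" % (pw, verdict))
```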

I bet by this point you’re going, “I’m supposed to have passwords that look like someone threw up their Alfabits, I’m supposed to have a different one for every account, and I’m supposed to change it every month?! How am I ever supposed to log into anything?!”

Enter password managers.

Categories: Posts by M. Bobowski · Security and Online Safety
