Phishing at Hotmail, GMail, Yahoo! Mail, etc.

Recent password exposures at a number of online email services remind me to give a little advice on passwords.

Definitely use this as a reminder to do something about your passwords – but don’t do the obvious thing. Don’t rush round and change all your passwords right away.

Don’t change your passwords, change your password habits.

  1. Don’t use the same password everywhere.
    If your password gets exposed, or the service owner is malicious (or has a malicious staff member), you’ll be exposed everywhere.
    Many times, of course, you will be unable to use the same password everywhere, because one site will require a symbol, and another will not allow that symbol. It is better to cope with this than to have to try and synchronise all your passwords.
  2. Write down some of your passwords.
    What, seriously? Yep. Write down those passwords you don’t frequently use, and lock them away. Or store them in a password-protected (encrypted) file, whether that’s a Word file, Excel spreadsheet or any number of other storage mechanisms that will allow you to encrypt your passwords and store them away. Now you have replaced multiple passwords to remember with one.
    See point 1, though: make sure the password that encrypts your password store is one you don’t use at any other site.
    There are products out there which will protect your passwords for you – whether they are called password safes, vaults, strongboxes etc, they all do basically the same kind of thing.
  3. Consider what passwords should be accessible to others.
    This may sound like bad security – and in a managed environment where others can always exert administrative rights to access files and systems that your passwords were used for, you should generally not be sharing your passwords.
    But think on this – a friend of mine received a traumatic train/brain injury, and though his recovery borders on the miraculous, there are many things he has forgotten. Passwords seem to be the hardest for him to hang on to, and he has had to recover through other means – sometimes simply wiping and recreating the system.
    Just as you have a will to direct people how to continue after your passing, store account details and passwords safely away so that your affairs can be brought under control if you are interrupted like my friend, or more permanently disconnected from the Internet. And make sure someone trustworthy and reliable can find that store when necessary.
  4. Plan to change your passwords.
    If you don’t occasionally change your passwords, you will not know how to change them when it comes time to do so in a hurry.
    At several times in my professional career, I’ve had to deal with accounts whose passwords might have been exposed, whether through departing employees or lost password sheets, and on some of those occasions the natural security response of ‘change the passwords as soon as possible’ has resulted in major push-back from teams who have never changed their passwords, don’t know how to do it quickly, and aren’t sure what other applications depend on those passwords.
    If you don’t regularly change your important passwords, you’ll be flummoxed and panicked when it’s actually necessary to do so, and you may break something that depends on those passwords being synchronised.
  5. Change your passwords often enough, but not too often.
    How often is too often?
    How often is enough?
    Difficult questions – often enough that you can remember changes to the systems to figure out why a password change caused some difficulty, and often enough to cover departing employees or others who might have had legitimate access once, but shouldn’t have access any more.
    Too often is when you get so tired of changing your passwords that you start regretting the process entirely.

There are no doubt dozens more things that could be suggested as good password practice, but these five will stand you in good stead.
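As an added example (not code from the original post, nor anything Alun Jones published): a minimal encrypted password store in Ruby that puts points 1, 2, 4 and 5 together. One master password, stretched through PBKDF2 with a random salt, unlocks an AES-256-GCM-sealed file holding all the others, so a wrong master password or a tampered file is rejected outright rather than decrypted into garbage. The audit helpers then flag passwords shared between sites or equal to the master password, and entries that are overdue for a change. The module and method names, the iteration count, the 90-day threshold and the sample entries are all assumptions constructed for the illustration.

```ruby
require 'openssl'
require 'json'
require 'date'

# Added illustration, not the post's own code: a tiny encrypted password
# store. One master password unlocks every other password (point 2); the
# audit helpers cover reuse (point 1) and overdue changes (points 4 and 5).
# All names, parameters and sample entries here are assumptions.
module PasswordStore
  ITERATIONS = 100_000   # assumed PBKDF2 cost; raise it until unlock takes ~0.1 s
  KEY_LEN    = 32        # AES-256 key
  SALT_LEN   = 16
  NONCE_LEN  = 12        # AES-GCM nonce
  AAD        = 'password-store-v1' # header bound into the GCM tag

  # Stretch the master password into a key. The random salt means the same
  # master password yields a different key for every store.
  def self.derive_key(master, salt)
    OpenSSL::KDF.pbkdf2_hmac(master, salt: salt, iterations: ITERATIONS,
                             length: KEY_LEN, hash: 'sha256')
  end

  # Encrypt entries (site => {'password' => .., 'changed' => 'YYYY-MM-DD'})
  # under the master password. Returns a hash that can be dumped as JSON.
  def self.seal(master, entries)
    salt  = OpenSSL::Random.random_bytes(SALT_LEN)
    nonce = OpenSSL::Random.random_bytes(NONCE_LEN)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = derive_key(master, salt)
    cipher.iv  = nonce
    cipher.auth_data = AAD
    body = cipher.update(JSON.generate(entries)) + cipher.final
    { 'salt' => salt.unpack1('H*'), 'nonce' => nonce.unpack1('H*'),
      'tag' => cipher.auth_tag.unpack1('H*'), 'body' => body.unpack1('H*') }
  end

  # Decrypt a sealed store. A wrong master password, or any change to the
  # file, fails the GCM tag check and raises OpenSSL::Cipher::CipherError
  # instead of returning garbage.
  def self.unseal(master, sealed)
    decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    decipher.key = derive_key(master, [sealed['salt']].pack('H*'))
    decipher.iv  = [sealed['nonce']].pack('H*')
    decipher.auth_tag  = [sealed['tag']].pack('H*')
    decipher.auth_data = AAD
    JSON.parse(decipher.update([sealed['body']].pack('H*')) + decipher.final)
  end

  # Point 1: groups of sites sharing one password, plus any site whose
  # password is the master password itself (the one reuse point 2 forbids).
  def self.reused(master, entries)
    by_password = Hash.new { |h, k| h[k] = [] }
    entries.each { |site, e| by_password[e['password']] << site }
    { 'shared' => by_password.values.select { |sites| sites.size > 1 },
      'master' => entries.select { |_, e| e['password'] == master }.keys }
  end

  # Points 4 and 5: sites whose password is older than max_age_days.
  def self.overdue(entries, today, max_age_days)
    entries.select { |_, e| (today - Date.parse(e['changed'])) > max_age_days }.keys
  end

  # Constructed sample entries for the demonstration; not real accounts.
  SAMPLE = {
    'mail.example'  => { 'password' => 'correct horse battery', 'changed' => '2009-09-01' },
    'shop.example'  => { 'password' => 'correct horse battery', 'changed' => '2009-10-20' },
    'bank.example'  => { 'password' => 'Z9!qvT4#mLp2w',         'changed' => '2009-03-15' },
    'forum.example' => { 'password' => 'master-of-puppets',     'changed' => '2009-10-01' }
  }.freeze
end

if __FILE__ == $PROGRAM_NAME
  master = 'master-of-puppets' # deliberately also used at forum.example
  sealed = PasswordStore.seal(master, PasswordStore::SAMPLE)
  entries = PasswordStore.unseal(master, sealed)
  puts "reuse:   #{PasswordStore.reused(master, entries)}"
  puts "overdue: #{PasswordStore.overdue(entries, Date.new(2009, 10, 25), 90)}"
  begin
    PasswordStore.unseal('wrong password', sealed)
  rescue OpenSSL::Cipher::CipherError
    puts 'wrong master password rejected by the GCM tag check'
  end
end
```

A real vault would use a memory-hard KDF (scrypt or Argon2), a fresh nonce on every write and a backup of the file, but the lesson is the same as in the post: the one password you still have to remember is the one that must never be reused anywhere else.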

Published Sun, Oct 25 2009 12:24 by Alun Jones