Wednesday, March 08, 2006

Keeping Track of Passwords

On any given day, I use around 30 different passwords, PINs or secure URLs.

On any given day, I forget about half of them.

I asked a few friends what they do to keep track - here's what I got back:
"I just click that "remember" box on my browser and it fills it in automatically"
"I set all my passwords to my mother's birthdate plus my dog's name."
"I keep a notebook next to my computer."
"Post-it notes."

Then I had an impromptu discussion with the network security person at a large Silicon Valley company. He said:
"Never use autofill for card numbers or passwords; that can be hacked. Never use predictable patterns in passwords; that can be hacked. Don't write stuff down and stick it to your computer. If your office burns down, or the cleaning crew gets curious, you're screwed."

So, being the high-tech geek I am - I went in search of a more secure solution. There were a lot of options, it turns out, everything from creating a file on my computer containing the passwords and password protecting that (with biometric thumbprint identification!) to purchasing an off-the-shelf password management program.

The problem is that I move around all the time and am not always in the office.

That's when I found SplashID.

SplashID runs on my Treo and stores all of my sensitive personal information in an encrypted database that is quickly accessible on both my Treo and my desktop Mac. It organizes and protects all of my user names, passwords, credit cards and PINs, lets me sort and categorize them (web logins, travel, email, network, or whatever), and is quite secure. Here's the link to the program information site.

But I wasn't through. It seems it is "insane" (security guy's words) to use the same password or to never change your password on important sites like banking, networks, email, etc. Hacking, it seems, is just TOO simple. So, while my passwords were secure now on my Treo and Mac, they weren't secure IN USE.

Sigh.

Then another friend suggested this: make your passwords match the site you're on, add some personal number or fact that naturally increments, and end it all with a punctuation mark.

That means, for example, that a Yahoo! email password might be:
yahooMAY06$
... that's YAHOO for the site, MAY06 for the month and $ for the mark. Next month the MAY would change to JUN and the punctuation mark would change to @ or something.

The "naturally incrementing thing" could also be a day of the week, zodiac sign, anything that occurs in an ordered list that you can remember.

My security guy says this is "better than using 'password' for your password and more secure than what I had before, but not the most secure". Most secure, he says, means using passwords that don't use WORDS (predictable) or natural increments (ibid) at all. His system prompts users with a machine-generated string that serves as their monthly password and looks something like this:
$LKm32:K#;ka.(Am)@8m

That's easy to remember, isn't it?

OK, that's it... now it's time to publish this entry... now what was my password???

Back to SplashID!
