Each time you turn around, there’s another news story about compromised passwords and computer security. Just recently we’ve learned of massive breaches at Target, Neiman Marcus, Adobe, and Cupid Media (an operator of niche dating sites, not to be confused with OkCupid).

The important thing to remember is to use a unique pass phrase on every web site, so that if one site is compromised, your accounts elsewhere are not.

For example, if the Adobe data dump revealed your password of “I-Like-CLU-in-2014” to the bad guys, they will try that same e-mail address and password on your banking site (the technique is called credential stuffing) and could rob you.

Some people resist using a different password for every site because they’re a pain to remember.

Here’s a suggestion (not perfect, but adequate for the majority of sites) that keeps things reasonably safe while making every password unique yet memorable. Its limit is worth stating up front: it defeats an attacker who replays leaked credentials verbatim, but not one who recovers your password in cleartext and applies a rule that swaps in another site’s name.

Take a baseline pass phrase (a full phrase, not just a password) that only you know, such as the aforementioned “I-Like-CLU-in-2014”, and append a site-specific suffix mnemonic to it. For example, your pass phrase for the Wells Fargo web site might be “I-Like-CLU-in-2014.WellsFargo”, while you might use “I-Like-CLU-in-2014.Target” for the Target web site.

If a “black hat” looks at your pass phrase they may recognize the pattern, but in my opinion that is highly unlikely. When they harvest 40 to 70 million IDs and passwords at a time, they’re going to write programs that test your credentials against other sites, not scan each one individually by hand.

As a side note, I recommend using a different e-mail address for each site you access. Unless you have some technical savvy and your own domain, this can be awkward; however, a service such as SpamGourmet.com will generate disposable, site-specific e-mail addresses for you. I’ve had about 95% success with SpamGourmet.com addresses. In only a few cases (Redbox and the City of Phoenix are two that come to mind), the vendor blocks, drops, or ignores those addresses even though they are valid.
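To make the stuffing behaviour concrete, here is an added example (not code from this post) that simulates the attack programs described above against the suffix scheme, with and without the separate-address-per-site habit. The leaked dump, the bank’s password store, the user names, and the "swap the site name" rule are all constructed for illustration; the bank store uses plain salted SHA-256 only to keep the example short, where a real site should use a slow password hash.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Tuple

# Constructed sample: a credential dump from a breached site, already in
# cleartext (as happens when a site stores passwords reversibly or they are cracked).
LEAKED_DUMP: List[Tuple[str, str]] = [
    ("alice@example.com", "I-Like-CLU-in-2014.Target"),        # suffix scheme, same e-mail everywhere
    ("bob@example.com", "hunter2"),                             # same password everywhere
    ("carol.target@example.com", "I-Like-CLU-in-2014.Target"),  # suffix scheme AND per-site e-mail
]

Record = Tuple[bytes, str]  # (salt, hex digest)


def make_record(password: str) -> Record:
    """Store a password as salt + SHA-256(salt || password). Illustrative only."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


def verify(record: Record, candidate: str) -> bool:
    salt, digest = record
    probe = hashlib.sha256(salt + candidate.encode()).hexdigest()
    return hmac.compare_digest(probe, digest)


# Constructed sample: the bank's password store for the same three people.
BANK_SITE = "WellsFargo"
BANK_STORE: Dict[str, Record] = {
    "alice@example.com": make_record("I-Like-CLU-in-2014.WellsFargo"),
    "bob@example.com": make_record("hunter2"),
    "carol.bank@example.com": make_record("I-Like-CLU-in-2014.WellsFargo"),
}


def stuff_verbatim(dump: List[Tuple[str, str]], store: Dict[str, Record]) -> List[str]:
    """The simplest attack program: replay each leaked (e-mail, password) pair unchanged."""
    return [email for email, pw in dump if email in store and verify(store[email], pw)]


# Hypothetical attacker rule: a leaked password ending in ".<Word>" probably
# carries a site suffix, so swap the target site's name in before replaying.
SUFFIX_RE = re.compile(r"^(?P<base>.+)\.(?P<site>[A-Za-z0-9]+)$")


def stuff_with_suffix_rule(dump: List[Tuple[str, str]],
                           store: Dict[str, Record],
                           target_site: str) -> List[str]:
    hits = []
    for email, pw in dump:
        if email not in store:  # per-site e-mail: the attacker has no account to try
            continue
        candidates = [pw]
        m = SUFFIX_RE.match(pw)
        if m:
            candidates.append(f"{m.group('base')}.{target_site}")
        if any(verify(store[email], c) for c in candidates):
            hits.append(email)
    return hits


if __name__ == "__main__":
    print("verbatim replay breaks:", stuff_verbatim(LEAKED_DUMP, BANK_STORE))
    print("suffix rule breaks:   ", stuff_with_suffix_rule(LEAKED_DUMP, BANK_STORE, BANK_SITE))
```

Run as written, the verbatim replay only catches Bob, who reused his password outright; the one-line suffix rule also catches Alice, because her bank password differs from the leaked one only by the site name; Carol survives both, not because her pass phrase is stronger but because the leaked e-mail address does not exist at the bank.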

Lastly, it’s old news but I’ll repeat it anyway: make your pass phrase long enough that it is hard to guess, with a mix of upper- and lower-case letters, numbers, and punctuation. Length is what does most of the work; a full phrase like the one above is far harder to crack than a short password with a few symbols in it.

Yeah, it’s all rather a pain in the okole, but replacing your credit cards, recovering stolen funds, or trying to repair your credit history is a much bigger pain.

John

P.S. I was directly affected by the adobe.com breach. After the breach I began receiving phishing e-mail from Russia. Fortunately the messages went to my SpamGourmet address, so I just disabled that one address without affecting my other logins or addresses.
