It seems like every time we turn around there is another system for which we need a user ID and password. It might be our banking website, our eBay or Amazon account, our Yahoo or Hotmail account, or our network login at work. With so many different accounts and passwords, it is common for people to get a little bit lax in creating and protecting their passwords. However, creating strong passwords and protecting them is important for all of us. When someone is able to get your user ID and password, your privacy, your reputation, your finances and even your freedom can be at risk. That is because the user ID and password are what identify the user on that system as you. If someone can successfully impersonate you by using your user ID and password, you may be held responsible for any action they take.
I often go into high school classrooms and give presentations on computer security. One example I like to give to illustrate the potential for harm from sharing passwords is to ask students to imagine a classmate using their Yahoo account to e-mail a bomb threat to a school. Who do you suppose the police will come to visit? While they may eventually be able to prove their innocence, it will probably take quite a bit of time, effort and money.
So here are some good practices related to passwords:
- Never share your passwords with anyone. This includes family members and friends, co-workers, your boss, even Technology Services. No one at your bank or ISP should ever ask you for a password. If someone claiming to represent a company or agency with which you do business ever asks for a password, immediately call the customer support line for that organization and report it.
- Never include any information that someone can easily guess as part of your password. That includes names of family, friends, pets, favorite sports teams, etc.; dates such as birthdays, anniversaries, etc.; phone numbers; social security numbers; hobbies, favorite movies, favorite books, etc. Anything that anyone who knows you well would be able to guess is a bad password.
- Do not use words that can be found in a dictionary. Dictionary attacks can crack passwords based on common words in a matter of a few minutes to a few hours.
- Make your passwords at least 8 characters – longer is better. Passwords should also be a combination of upper-case letters, lower-case letters, numbers and symbols. The more you can mix them up, the better. To give an example:

  Time to crack password

  | Characters used | | |
  |---|---|---|
  | Lower case letters only | 8 sec | 3-1/2 min |
  | Upper/lower case letters | 17 minutes | 15 hours |
  | Upper/lower case letters and numbers | 58 minutes | 60-1/2 hours |
  | Upper/lower case letters, numbers and symbols | 20 hours | 83-1/2 days |

- Try to create a “vanity plate” password that is easy for you to remember. Take a phrase that is significant to you, then begin substituting numbers and symbols for letters. For example, the phrase “school is great!” could become “$k00L1sGr8!”
- Many browsers give you the opportunity to save your credentials when you log into a secure web site. However, that information is not always encrypted when it is stored. I would recommend using this feature sparingly.
- Do not write down your password and leave it where others can find it. It is better if you can avoid writing it down at all, but if you must, keep it in a safe place, and don’t identify it as a password. Also, never write your user ID and password on the same piece of paper. Remember, they need both pieces of information to impersonate you online!
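
The length, character-mix and dictionary-word advice above can be checked mechanically; the following is an added example, not part of the original article. The guess rate and the small word list are assumptions made up for illustration, so the computed times will not reproduce the figures in the table.

```python
import string

# Assumed guess rate for illustration only; the article does not state the
# rate behind its table, so these times will not match its figures.
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000

# Tiny constructed word list standing in for a real dictionary.
SAMPLE_DICTIONARY = {"password", "school", "great", "dragon", "welcome"}

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def classes_used(password):
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}

def alphabet_size(password):
    """Combined size of the classes used (other characters are ignored)."""
    return sum(len(CLASSES[name]) for name in classes_used(password))

def worst_case_seconds(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Seconds to try every string of this length over that alphabet."""
    return alphabet_size(password) ** len(password) / rate

def check(password):
    """Apply the article's rules; return a list of findings (empty = passes)."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    missing = set(CLASSES) - classes_used(password)
    if missing:
        findings.append("missing classes: " + ", ".join(sorted(missing)))
    lowered = password.lower()
    hits = sorted(w for w in SAMPLE_DICTIONARY if w in lowered)
    if hits:
        findings.append("contains dictionary word: " + ", ".join(hits))
    return findings

if __name__ == "__main__":
    for pw in ["school", "SchoolIsGreat", "$k00L1sGr8!"]:
        days = worst_case_seconds(pw) / 86400
        print(f"{pw!r}: alphabet={alphabet_size(pw)}, "
              f"worst case {days:.3g} days, findings={check(pw)}")
```

Each extra character multiplies the worst-case search by the alphabet size, which is why both length and character mix matter.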