This is an old revision of the page Library / Basics / SSD / Data On Disk / You / Passwords from 16/03/2009 09:50.


Learn How to Use Passwords Properly


Choosing a Password



Longer and more complex passwords are more secure because an attacker has to try more candidates before hitting the right one. If the government seizes your computer, it can quickly guess simple passwords by automatically trying large lists of words from a dictionary. Automated dictionary attacks use lists of regular words and proper names together with "mangling rules" that generate the common variations of each entry: appending a number or a year to a word, capitalizing the first letter, or replacing letters with look-alike digits and symbols (o with 0, a with @, s with $). A cracking program applies every rule to every word in seconds, so these variations are no safer than the bare word.


So, if it's human-readable, it's computer-breakable. Don't use names, song titles, or any dictionary word at all, whether alone, with a number added, or with letters replaced by digits: each of those sits within the first few thousand guesses of an automated attack, and the government can and will break it. What protects you is how unpredictable the password is, not how complicated it looks. For stronger password security, use a lengthy passphrase that includes upper- and lower-case letters, one or more numerical digits and special characters (e.g. #, $ or &), and change it regularly.
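The attack described above, as an added example that is not part of the original page and not EFF's own code: a small dictionary attack that expands a constructed ten-word list with the mangling rules just mentioned (case changes, look-alike substitutions, appended numbers and years) and counts how many guesses it takes to reach a "complex-looking" password. The word list, rule set and test passwords are constructed for the demo; a real attacker uses millions of words and far richer rules.

```python
"""Simulated dictionary attack with mangling rules (added example).

Shows why 'dictionary word + number' and 'letters swapped for digits'
are weak: a handful of rules turns a tiny word list into all of those
variants, and a cracker simply tries them in order.
"""
import itertools
import math
import string

# Constructed mini word list for the demo; real lists hold millions of entries.
WORDLIST = ["password", "default", "summer", "dragon", "letmein",
            "monkey", "freedom", "chase", "bank", "work"]

# Look-alike substitutions a cracker's rule set applies (o -> 0, a -> @ ...).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}


def case_variants(word):
    """Rule 1: as typed, capitalized, all caps."""
    yield word
    yield word.capitalize()
    yield word.upper()


def leet_variants(word):
    """Rule 2: every subset of the substitutable letters swapped for look-alikes."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for r in range(len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def suffix_variants(word):
    """Rule 3: nothing, a number 0-99, a year, or a trailing symbol appended."""
    yield word
    for n in range(100):
        yield f"{word}{n}"
    for year in range(1950, 2030):
        yield f"{word}{year}"
    for sym in "!?#$":
        yield f"{word}{sym}"


def candidates():
    """Yield attack candidates in the order a cracker would try them."""
    seen = set()
    for word in WORDLIST:
        for cased in case_variants(word):
            for leeted in leet_variants(cased):
                for guess in suffix_variants(leeted):
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def crack(password, limit=10_000_000):
    """Return the guess number at which `password` falls, or None if it survives."""
    for n, guess in enumerate(candidates(), 1):
        if guess == password:
            return n
        if n >= limit:
            break
    return None


def naive_strength_bits(password):
    """Bits of search space if the attacker had to brute-force every character
    from the character classes present. This is the number a 'complexity meter'
    reports, and it badly overstates the strength of a mangled dictionary word."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    # Constructed test passwords: two "complex" mangled words and one long passphrase.
    for pw in ("P@ssw0rd1", "Summer2009", "7 green Tractors! yodel quietly"):
        print(f"{pw!r}: naive {naive_strength_bits(pw):.0f} bits, "
              f"found at guess {crack(pw)}")
```

"P@ssw0rd1" scores nearly 59 bits on a character-class meter yet falls in a few thousand guesses, while the passphrase is never reached because no rule produces it from the list; that gap between apparent complexity and actual unpredictability is the point of the advice above.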


New computer hardware usually comes with default passwords, such as "password" or "default" or the name of the technology vendor. Always change the default passwords immediately!

Password Management


When it comes to passwords, the only truly secure password is the one that's only in your head. Written-down passwords can be seized or subpoenaed. But there's a tough trade-off — the better your password, the harder it'll be to remember. And if you forget the password and don't have it recorded somewhere, you could lose access to a critical asset at just the wrong time — perhaps even forever.


Although we recommend memorizing your passwords, we recognize you probably won't. So, here are a few other options to consider:


Use a password safe. There are a number of software tools available that will keep all of your passwords for you on your computer, in an encrypted virtual safe, which you access with one master password. Just remember to never write down the password to your password safe; that piece of paper can become a single point of failure for all of your password-secured assets. This brings another drawback, of course: if you forget that master password, you've lost all of your other passwords forever. The same goes for the safe file itself, so keep a backup copy of the encrypted file somewhere other than the computer it lives on; the backup is useless to anyone without the master password.


Carry your passwords on paper, in your pocket. This is a somewhat controversial solution promoted by security expert Bruce Schneier, even though he wrote the digital password management program Password Safe. Schneier advocates that people keep their passwords in their wallets. What you sacrifice in security, the argument goes, is made up for by the convenience: with easy access to your passwords, you're more likely to use very strong ones that you couldn't remember otherwise, plus you can access your passwords even when you're away from your computer. An added benefit is that when your passwords are in your wallet, you'll find out very quickly if they've been lost or stolen.


However, to mitigate the risk of a loss, add a certain number of dummy characters before and after the real passwords to make it harder to identify them, and use simple code-words to indicate what asset they protect, rather than saying "Chase Manhattan Bank" or "Work Computer."


Don't use the same password to protect multiple assets. Sure, it's OK to use the same password to log into the New York Times web site that you use for the Washington Post, because those aren't valuable assets. Bear in mind, though, that when one site's password database leaks, attackers try every leaked password at other sites, so a reused password ties all of those accounts together and the shared password should never also open anything that matters. When it comes to the important stuff, use unique passwords. That way, even if one asset is compromised, the others are still safe.


Never keep a password in the same physical location as the asset it protects, unless it's encrypted. This is the biggest password blunder, and it's an object lesson in security planning: if a security measure is too inconvenient for day-to-day use, people won't use it correctly. Your password is worse than useless if it's on a sticky note next to your computer, and probably useless against secret searches if it is anywhere in the same office. Again, this is why Bruce Schneier recommends keeping your passwords in your pocket: you'll have stronger passwords, and you won't leave them lying around.


Change passwords regularly. A password may have already been compromised and you just don't know it. You should change passwords every week, every month, or every year; it all depends on the threat, the risk, and the value of the asset, traded against usability and convenience. Whatever the schedule, change a password immediately whenever you suspect it has been exposed, and when you do change it, pick a genuinely new one: the old password with a digit incremented is exactly the variation the dictionary attacks described above try first.

