February 27, 2008 12:01 AM PST

Keep your data safe by following the Password Commandments

by Dennis O'Reilly

Your first--and sometimes only--line of PC defense is your password. Even the most carefully crafted password can be rendered useless if you don't keep it secret. This is not such an easy thing to do, especially considering all the clever tricks data thieves have come up with to grab it, with or without your knowledge. More dangerous is the lackadaisical approach many people take to creating, using, and protecting their passwords. Here are 10 ways to use passwords to best effect.

1: Don't write it down. Ever. Either it will be so easy to find that you might as well not use any password at all, or you'll forget where you put it and somebody else will find it and use it to access your system. You may think your password is safe on that sticky note inside the third appendix of "Mastering OS/2, Second Edition," but that's the first place your larcenous pet walker will look (apologies in advance to all pet walkers for disparaging their noble profession).

2: Devise a password-creating system that's all yours. There are dozens, hundreds, maybe even thousands of Web pages and other resources offering advice on how to craft strong passwords. Of course, these are the first places the people in the business of cracking passwords look for tips. It's not difficult to come up with your own system that combines a variety of methods. One possibility is to start by reversing an inactive phone number from your past, then convert the numbers to letters, so "213-555-1212" would become "bm-eee-ll" (remove the hyphens, if you wish). Make it even stronger by adding the street name of your childhood home converted from letters to numbers, which would change "Maple" into "13-1-15-12-5". Now really mix things up by placing the numbers inside the letters: "bme13115125eell".

The benefit of having your own system over using a random password generator is memorability: If you remember your system, you'll look at the above sequence and see the phone number and street name, not just the actual letters and numbers. No, I won't tell you the password-creation system(s) I use, but they don't have anything to do with old phone numbers or street names. Honest.

3: Don't send your password via e-mail or give it out over the phone. OK, there are exceptions to this "rule," such as when your company's help-desk staff are troubleshooting your system over the phone, but even in those rare instances, it's a good idea to change your password immediately after you give it out (see more on changing your password below).

4: Disable AutoComplete for user names and passwords. Yes, this feature of Internet Explorer, Firefox, and other browsers can save you time when you're online, but it also lets anyone who gains access to your Windows login, or to your PC when you're logged in but away, visit all the secured sites in its database, change the passwords, and otherwise act in ways you may not appreciate. To disable this feature in IE, click Tools > Internet Options > Content, and choose the Settings button in the AutoComplete section. Uncheck User names and passwords on forms (you may also want to uncheck the other two AutoComplete options: Web addresses and Forms). Click OK, and then choose the General tab, and click Delete > Delete Passwords (and any other options, or Delete all to wipe your browser clean). Click Close and OK.

Internet Explorer 7's AutoComplete Settings dialog box: uncheck User names and passwords on forms.

In Firefox, simply click Tools > Clear Private Data (or press Ctrl-Shift-Delete), check all the items, and click Clear Private Data Now.

Mozilla Firefox's Clear Private Data dialog box: erase personal information from the browser by checking items here.

5: Change your password often. Even if you haven't had reason to share it recently (as mentioned above), get into the habit of refreshing stale passwords. The more important the data your password protects, the more often you should update it. One way to force yourself to change your Windows login password is by using the password options in Local Security Policy (it's called "Local Security Settings" in Windows XP). In XP, click Start > Run, type secpol.msc, and press Enter. In Vista, press the Windows key, type secpol.msc, and press Enter. In both versions, select Password Policy under Account Policies. Double-click Maximum password age in the right pane, enter the number of days you want between password changes, and click OK. The other options in this dialog box let you enforce password history, set a minimum password age or length, require that the password meet Windows' complexity requirements, and store encrypted passwords.

Windows Vista's Local Security Policy dialog box: force Windows to require a new login password after a set number of days.

6: Clear the cache after using a public PC. If you log into a Web site from a PC other than your own, make sure you wipe out all traces of your use by deleting the browser's personal data. See the steps described in "Disable AutoComplete for user names and passwords" above.

Note that many public PCs reset to the defaults as soon as you log out, but don't trust them. In fact, it's good practice to change your passwords whenever you use them in a public setting, even on your own laptop after attending a conference or other event, for example. Snoops love to hang out at such places, whether using a keystroke logger, or simply looking over your shoulder as you log in.

7: If it's too valuable to lose, don't keep it on your PC. If you just discovered the secret to changing marshmallows into gold, you may not want to trust the formula to any hard drive, whether or not it's password-protected, or connected to a network at all. In addition to the threat of data-crackers, the drive could fail, leaving your fate in the hands of some data-recovery service. If you have to store a digital copy of some important file, place it on an optical disc designed specifically for archiving, and store that disc in a safe place, such as a bank deposit box. And--of course--make a copy that you store in a separate, secure location. When optical drives are replaced by some new-fangled storage medium, copy the data to a secure version of that medium, but you probably don't have to worry about this for at least a couple of years.

8: Create a password-reset disk. It doesn't have to be a floppy, which is a good thing since few new PCs even have floppy-disk drives. But a reset disk is the best protection against a bad memory--yours more likely than the computer's. Log into the account you want to protect, open Control Panel's User Accounts applet, select the account, and in XP, click Prevent a forgotten password in the left pane. In Vista, click Create a password reset disk in the left pane. Step through the Forgotten Password Wizard, selecting the removable medium of your choice when prompted. Label the removable device appropriately, and store it somewhere safe but easy to remember. It's one thing to forget your password, but quite another to forget where you put your password reset disk.

9: Use a password-management utility. I hesitate to rely on a third party to protect my passwords, but one that has been around for a long time is RoboForm, which comes in free and $30 Pro versions.

10: Ask for some help to reset your password. If you've forgotten your password and don't have a password-reset disk handy, log onto another administrator account on the system, open the User Accounts applet in Control Panel, click Change an account in XP, or Manage another account in Vista, select the account, and change the password. A couple of weeks ago I described how to activate Vista's hidden administrator account.

You can also change the password by booting from your XP install CD and running the Repair option. Vic Ferri provides step-by-step instructions.

Tomorrow: the quick, simple, and free way to embed videos in e-mail.

Dennis O'Reilly has covered PCs and other technologies in print and online since 1985. Along with more than a decade as editor for Ziff-Davis's Computer Select, Dennis edited PC World's award-winning Here's How section for more than seven years. He is a member of the CNET blog Network, and is not an employee of CNET.
7 Comments
by Remo_Williams February 27, 2008 5:15 AM PST
I call bullsh!# right now. Your first rule is stupid. Of COURSE you need to write down your passwords, but that list needs to be in your wallet, or your home safe, or some other secured location.

I have to keep track of two dozen passwords, 3/4 of which expire all the time and need to be changed. I'm not supposed to write these down? I'm supposed to trust a PC to handle this? What if I lose a HDD? Now my entire pwd management system is hostage to data recovery firms?

No thanks. Keep a laminated sheet in your wallet, or in a locked drawer somewhere.
by rnieves1977 February 27, 2008 6:21 AM PST
There are OS crackers that are easily downloaded from the net... You could use that to pop your box, but in case you have so many passwords, make them one of 5 passwords and rotate; that's what I do.
by AK3700 February 27, 2008 9:44 AM PST
What?? And your wallet has no chance of being lost or stolen? Or you are on the road on your laptop and need to get to your password list in your safe? The best practice is not to write it anywhere, not on paper, not on your computer, and don't trust a program to keep track of it for you. Your head is the safest place. We all have a billion passwords to keep in our heads. Try coming up with a system that relates to the particular site so you can always figure it out. (like tip #2 above but convert that particular website into numbers, reverse them, etc).
by doreilly February 27, 2008 10:12 AM PST
I repeat: Don't write down your passwords. Ever. If your company assigns you passwords, ask for permission to change them to your strong-password system. If you write them down, sooner or later somebody will find them.

Dennis
by dclaryjr February 27, 2008 5:29 AM PST
Someone ought to pass this to American Express. They only allow 8-character passwords on their website, which is absurd. The more the better!!
by Louise_V March 5, 2008 5:30 AM PST
@Remo_Williams

Sure writing down your passwords is the safest idea - if done in invisible ink. If not, Password Commandment #9 (a reliable password manager) may actually replace Commandments 1-10!

I work for PassPack, a password manager, and the commandments were all right on the mark and exactly the message that we try to put across to people. Check our homepage for a list of features:

http://www.passpack.com/info/home/

Choose and use a password manager.

Louise Vinciguerra
by Hoochieman June 19, 2008 10:33 PM PDT
I use Cute Password Manager to manage my web accounts, it's free.
http://www.cutepasswordmanager.com