If you have been using the Internet for more than about a week, you have probably accumulated a list of user names and passwords that are required in order for you to access certain websites: online banking and bill-paying, Facebook, MySpace, Twitter, other social networking sites, online shopping sites, G-Mail or Yahoo! webmail, PayPal, music and media sites, etc. User names and passwords are great security measures to keep other people from having access to your personal information. If you don’t have a reliable way to remember all those user names and passwords, however, they can keep YOU from having access to all those wonderful online services with which you have established accounts.
There are some important guidelines that should be considered when creating user names and passwords, and also when storing and retrieving them.
OK, so let’s see a show of hands. How many of you have ever written down your user names and passwords on yellow sticky notes and then left them on the front of your computer monitor? Or maybe they are all written down in a little notebook that you carry in your pocket or purse at all times. While these are reliable methods for recording and remembering your log-ins, they are certainly not very secure methods of storage. Anyone who happens to come into your house or office can easily see your sticky notes. And what if you were to lose your little notebook? Whoever found it would have access to all your online memberships, and could wreak all kinds of havoc in your life.
Now, how many of you use the same password for all of your log-ins? Come on, get those hands up! Or maybe you switch between two or three different passwords. How many of you have passwords that are pretty easy to remember, like “paul1962” (first name and year of birth)? The problem with these tactics is that they are easily cracked and therefore provide you with nearly ZERO security. And security is the very reason for having user names and passwords to begin with!
The problem with using secure passwords, however (for example, cV'A&T*S6R+v\w$Us5Nd), is that there is no way you are going to be able to recall such passwords from memory, especially if you have a different secure password for each site. So, what’s the solution?
Allow me to suggest some important guidelines for creating, storing, and retrieving secure logins.
Let’s begin by discussing user name strategies. The absolute best practice, strictly from a security standpoint, would be to have a randomly-generated, highly-secure user name and password for each of your logins. However, I want to suggest that there is a good reason to NOT have your user name be randomly-generated and highly secure.
Your user name is how you identify yourself to the site you are logging into. It’s like walking up to a locked door and knocking. Then a little window opens at about face level, and you see the nose of someone on the other side of the door who asks you, “Who is it?” My response would be “Paul O’Rear”. Or, if I had a special code name, I might say something like “Big Blue Bear”. But I probably would NOT identify myself by responding to his question with “cV'A&T*S6R+v\w$Us5Nd”.
Admittedly, that is a pretty low-tech example. What about in the world of the Internet? Many sites (especially social media sites) use your user name to identify you to other users of the same service. For example, if you leave a comment or post a bulletin board entry, your user name will be posted to identify who the comment or entry came from. It makes a whole lot more sense for people to see that the post is from “paulorear” (or even “BigBlueBear”) than from “cV'A&T*S6R+v\w$Us5Nd”.
In today’s social-media-driven world, many people have accounts with numerous different social media outlets. A lot of people will have a Facebook page for mostly personal communications (e.g. reconnecting with old classmates), as well as a LinkedIn account for more professional connections (although Facebook is being used more and more for business connections as well). There is some merit to the idea of developing a consistent identity, or “personal brand”, that you would use across all these social media sites. For example, if you participate in several social networking sites, you might want to choose a user name that obviously represents you, and use the same user name across all sites. My “personal brand” is “paulorear”. I have used that same user name to establish accounts with various social media sites such as Facebook, MySpace, Twitter, LinkedIn, and a number of others (though they are not all currently active).
It is your choice whether to use secure user names and passwords, or a personally-branded user name with a different secure password for each site. The primary key to secure logins is the password, which we will discuss next.
It’s time to move past the world of using “hellokitty123” or your birthday written backwards as a password. It’s time to move past the world of sticky notes or pocket notebooks for password storage and retrieval. In today’s world of identity theft and other cyber crime, there is simply too much at stake.
All passwords that you use to access any web-based site or service need to be randomly-generated and highly secure.
But, how am I supposed to remember all those impossible passwords? You don’t have to remember them! You just have to be able to store them somewhere where only you can retrieve them. There is a way. Actually, there are several ways.
Enter the password manager. A password manager is a software program that allows you to store and retrieve any user name and password for any login. If you were to Google the phrase “password manager”, you would be presented with numerous links to websites selling or giving away such software. I want to spend the next few minutes telling you about the two-prong approach to password management that I have settled into.
KEEPASS PASSWORD SAFE (http://keepass.info/) “is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).”
I have been using KeePass for quite some time, and am completely satisfied with its performance. One of the beautiful things about KeePass is that it can even be run in portable mode. “Download this ZIP package and unpack it to your favorite location (USB stick, …). KeePass runs without any additional installation and won’t store any settings outside the application directory.” The beauty of running it as a portable application is that you can carry the whole thing, program and password file, on a thumb drive and use it anywhere without having to “install” the program into Windows! It also leaves no trace of itself on the host machine after being run in portable mode.
KeePass also has a built-in random password generator, which I use all the time. You can tell it how many characters to use for the password, what types of characters to use, and then click the button to generate a random password. If you don’t like the password generated (which theoretically shouldn’t matter since it is random, after all!), you can click the button again and again until you get the one you like. Once you have a password that you like, you just click the “Accept” button, and it fills the password into your database for that particular login.
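What a generator like the one described above does under the hood is sample every character independently from a cryptographically secure random source, so the only things that decide how strong the result is are the length and the size of the character set. The following is an added example, not KeePass code or any code from the original post: it generates passwords with the same knobs (length and which character classes to include), and it reports the resulting strength in bits so you can see why a 20-character mixed password is in a different league from “paul1962”. The class names and function names are this example's own.

```python
import math
import secrets
import string

# Character classes comparable to the checkboxes a password generator offers.
# (Names are this example's own, not KeePass's.)
CHARACTER_CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "symbols": string.punctuation,   # 32 printable ASCII symbols
}

ALL_CLASSES = ("upper", "lower", "digits", "symbols")


def build_alphabet(classes):
    """Concatenate the selected classes into the alphabet we sample from."""
    alphabet = "".join(CHARACTER_CLASSES[name] for name in classes)
    if not alphabet:
        raise ValueError("at least one character class is required")
    return alphabet


def classes_present(password):
    """Return the set of class names that actually occur in `password`."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(ch in chars for ch in password)}


def generate_password(length=20, classes=ALL_CLASSES, require_each=True):
    """Generate a password of `length` characters drawn uniformly from the
    selected classes using the OS CSPRNG (the `secrets` module), never
    `random`, which is seeded predictably and is not meant for secrets.

    With require_each=True, candidates missing one of the selected classes
    are rejected and redrawn.  Rejection sampling keeps the accepted passwords
    uniformly distributed over the set that passes the rule; for lengths of
    16 or more the entropy lost this way is a small fraction of a bit.
    """
    if require_each and length < len(classes):
        raise ValueError("length is too short to include every selected class")
    alphabet = build_alphabet(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_each or set(classes) <= classes_present(candidate):
            return candidate


def entropy_bits(length, classes=ALL_CLASSES):
    """Strength in bits of a password of `length` independent, uniformly
    chosen characters from the given classes: length * log2(alphabet size)."""
    return length * math.log2(len(build_alphabet(classes)))


if __name__ == "__main__":
    for length, classes in ((8, ("lower", "digits")), (12, ALL_CLASSES), (20, ALL_CLASSES)):
        pw = generate_password(length, classes)
        print(f"{length:2d} chars from {'+'.join(classes):28s} "
              f"~{entropy_bits(length, classes):6.1f} bits  e.g. {pw}")
```

Note that `entropy_bits` only describes passwords produced this way; a human-chosen string such as a name plus a birth year has far fewer bits than its length suggests, because an attacker guesses those patterns first. The 20-character mixed example in the post works out to roughly 131 bits, which is beyond any realistic guessing attack.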
The only problem I have had with KeePass was not actually a problem with the program itself, but with my hardware. Initially, I ran KeePass in portable mode just as described above. Everything worked perfectly until one day when I put my thumb drive into the USB port on my laptop, and there was nothing there. Every file that had been stored on my thumb drive had vanished. To this day, I have no idea how that happened, but all my passwords and user names were gone. (I hate to admit this, but I didn’t have a backup of my KeePass password file, either. That would have solved the whole problem. BACK YOUR STUFF UP, PEOPLE!)
I still use KeePass, and have recreated most of my logins (a very tedious process that could have been avoided if I had simply backed up my original password file. BACK YOUR STUFF UP, PEOPLE!) However, I have added a second prong to my password storage and retrieval process. This might seem like overkill, but it works for me.
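Losing the database file is the whole risk with a local password manager, so the backup deserves to be more than an occasional manual copy. The script below is an added example, not part of the original post and not KeePass's own tooling: it copies the database to a backup folder under a timestamped name, verifies the copy by SHA-256 before trusting it, and keeps only the most recent copies. The file name `passwords.kdbx`, the backup folder name and the `keep` count are assumptions; the database is an encrypted blob to this script, so it copies bytes and never needs the master password.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def backup_database(db_path, backup_dir, keep=10, now=None):
    """Copy `db_path` into `backup_dir` as <stem>-<UTC stamp><suffix>,
    verify the copy matches the source, then prune to the `keep` newest.
    Returns the path of the verified backup."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    db_path, backup_dir = Path(db_path), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)

    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    target = backup_dir / f"{db_path.stem}-{stamp}{db_path.suffix}"
    shutil.copy2(db_path, target)   # copy2 keeps the modification time too

    # A backup that was never verified is a backup you only hope exists.
    if sha256_of(target) != sha256_of(db_path):
        target.unlink()
        raise IOError(f"backup {target} does not match source; discarded")

    # Names embed an ISO-style UTC stamp, so lexical order is chronological.
    existing = sorted(backup_dir.glob(f"{db_path.stem}-*{db_path.suffix}"))
    for stale in existing[:-keep]:
        stale.unlink()
    return target


def demo():
    """Run three backups of a constructed database with keep=2 in a temp
    directory and report what survives (used both as a usage example and
    by the accompanying checks)."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "passwords.kdbx"          # constructed stand-in, not a real database
        db.write_bytes(b"constructed sample bytes standing in for an encrypted database\n")
        backups = Path(tmp) / "backups"
        base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
        latest = None
        for second in range(3):
            latest = backup_database(db, backups, keep=2,
                                     now=base.replace(second=second))
        remaining = sorted(p.name for p in backups.glob("passwords-*.kdbx"))
        return {
            "remaining": remaining,
            "latest": latest.name,
            "hash_matches": sha256_of(latest) == sha256_of(db),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `backup_database` at the real database and a folder on a different device from the one the manager runs from (a thumb drive that dies takes everything on it, as the story above shows); the verification step is what turns a copy into a backup you can rely on when the original is gone.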
ROBOFORM (http://www.roboform.com/) “is the top-rated Password Manager and Web Form Filler that completely automates password entering and form filling.” The thing that I like about RoboForm is the fact that it will not only store your login information, it will also, with one click, fill in that information on any particular website for which you have saved login information. It works very reliably, and has consistently received high marks from software reviewers.
RoboForm isn’t free like KeePass is. It is available through Trial Pay, however. Trial Pay is a service that rewards you with free stuff (like RoboForm software) for trying an offer from one of their sponsors. Some of the sponsor offers are free or very low-cost, which might make it worth checking out. You can get started at http://www.trialpay.com/checkout/?c=djojaj.
So, to wrap it up, here is the process I go through any time I am creating a new login.
- Go to the login page for whatever site or service I am joining.
- Open KeePass and create a new entry.
- Type the pertinent information into the KeePass fields (site title and user name; I can also enter the site URL and any miscellaneous notes if needed).
- Generate and accept a random password using KeePass, and then copy the password into the Windows clipboard (Ctrl-C).
- Type in the user name on the login page for the site or service I am joining.
- Paste the password (Ctrl-V) into the password field on the login page for the site or service I am joining.
- Click the submit button on the login page for the site or service I am joining.
- RoboForm pops up a dialog box asking me if I want to save the login information from this page into the RoboForm database. I click “Save”.
That’s it! Next time I visit that same login page, RoboForm lets me click one button to fill in the user name and password. Because I started the process by generating the password in KeePass, I also have a copy of the login information there as well.
One final piece of advice: BACK YOUR STUFF UP, PEOPLE! In a future post, I will share with you the automated back-up process that I now use to protect myself from data loss.