By R. Alan Clanton
Thursday Review Editor
There's an old joke told by computer geeks that goes something like this: during a routine review of office security, the computer guys notice that an employee's new sign-on password is MickeyMinnieGoofyPlutoDopeyGrumpySneezyPopeyeTiggerDoraTallahasseeAustinZero. When asked why the password was so long, the employee snorted irritably and then read aloud the company's own guidelines: passwords must contain at least 10 characters, two capitals and a number.
We live in an imperfect world. There are people out there who have the technology and the skills to steal your personal information, at any time. That’s the bad news. But there is good news: as a consumer and average Jane and Joe citizen, you can still take a few smart steps to keep your personal information secure.
The first step is to remember that the single most important factor in any computer or software purchase—or, for that matter, the purchase of a cell phone, smart phone, tablet, Blackberry, notebook, router, or online account—is the password.
There are hundreds of great articles about password safety out there, largely because the topic remains relevant and newsworthy. Just last week several major banks experienced online shutdowns as a result of hackers, including a particularly damaging attack on American Express. In February an infamous computer hacker in New Zealand announced, amidst much fanfare, his plans to make available millions of items of previously secure data via his underground website and his other online venues. NBC News reported recently on how hackers can easily break into your desktop computer or laptop, activate the webcam application, and watch everything that happens in your life--or at least those things that happen near your laptop. Venerable institutions such as The New York Times and The Wall Street Journal have had their databases recently hacked, apparently by Chinese super hackers bent on sniffing out reporters' sources when it comes to business and political news from Asia. And just last month hackers pried their way into Burger King's Twitter and Facebook accounts, logging outrageous but humorous posts--including a false report that McDonald's was buying out Burger King.
For most average users of modern technology, the password evokes a special love-hate emotion. On the one hand, passwords need to be easy enough for us to remember—without writing them down. On the other hand, passwords should be difficult for intruders to figure out. These two prime directives therefore seem a contradictory set of priorities.
And to make matters worse, experts tell us that we should never—under any circumstances—use the same password (or passwords similar to one another) for multiple applications, devices or accounts. To do so is to invite serious problems. For example, an account intruder or hacker who figures out the password to something simple—like your smart phone’s voice mail account or your Facebook account—might easily deduce, often in only a few steps, passwords for more important aspects of your life. And if you are like most people, your life is already a mind-numbing hodgepodge of usernames and passwords.
So what to do? Residential and consumer security experts explain that there are no shortcuts. In a world in which we are increasingly dependent on electronic and online banking, internet bill payments, and online purchasing, we should accept the complexities that come with the convenience. Some of the basic steps one can take include the following:
1. On accounts for which you do not need routine access, or for which there is little risk of someone instantly stealing your savings—such as your 401K, your IRA or other retirement accounts, homeowner loans—write down username and password information but keep the material in a locked file cabinet, safe, or other secure location. This will provide a slight bit of leeway for your already-burdened password memory. Otherwise, do not write down passwords.
2. Never create passwords which include all or part of your name, birthdate, street address or phone number. Hackers armed with even small amounts of information can use these snippets to fish for additional information—sometimes by simply calling a company you do business with, such as your phone company, cable provider or utility provider.
3. Never create passwords which include names of children or names of spouses. Smart hackers will attempt to crack your password using this information first—and, yes, criminals know how to look up names of your family members online, often for free. Some low-cost websites offer names, family members and birthdates drawn from public records.
4. For the same reasons, avoid any password which is merely a combination of the above items: child’s name, followed by birthdate; or, initials of child followed by birthdate. A bad example: Anna081599.
5. Never create a password with your current street or city. These can be easily cracked. Example: MapleAve.
6. Never create a password which uses a familiar trait or fact about yourself, or one which uses common words or phrases or sports team names. Bad examples: NotreDameFan; CornhuskerGrad.
7. For the same reasons, never create a password which simply restates you hobby or profession: Examples: BassFisherman; CarSalesman.
8. Never, under any circumstance, use phrases like “password1” or “my computer” or “Bob’s laptop” as your password.
9. Avoid passwords which are phonetically direct or maintain “readability,” as in a password such as RetiredArmySeargent. As with the team names and hobbies, these can not only be easily figured out by individual hackers, but can also be easily defeated by attacks from outside computers programmed to run alphabetical trial-and-error assaults.
10. Always include in your passwords capital letters and lower case letters, numbers, and typographical symbols. This may make passwords difficult to remember, but it is a step which deprives the hacker of many tools.
11. Make sure your passwords do not include any information which may be easily found on your Facebook account, or similar social media, such as My Space, Classmates.com, Deviant Art or LinkedIn. And when using any form of social media or email mail service (such as AOL, MSN, gmail or Yahoo), use the strictest discretion about what information you make public, or the type of information you share even with friends. Some of the most popular social media sites share the name of your hometown, your city of birth, your age, and sometimes even your birthdate with hundreds, if not thousands, of other people. Many email programs make it all too easy to provide too much data about yourself in the contact and set-up menus, so take care when adding your cell number or your date of birth.
So, how does one develop a password easy-to-recall but hard to crack? Plumb your life or past for something unique about yourself, then form the password to be as resistant as possible to “reading” or “phishing.” Example. You may have been an actor in high school and college for seven years. Instead of CollegeActor, or HighSchoolThespian, try this: TheZbN7evenYe@rS. This type of password would generally defeat even the most industrious hacker, but once memorized would be easy for you. Passwords can be built around memories or vivid details from your past life--a vacation destination you took as a child, the name of a favorite dog or pet fish, a favorite teacher in elementary school--and again, with as much variation in the capitals, lower-case and typographical symbols as possible. Use whatever mnemonic tools or tricks you need to keep it available in your head, but never write it down unless you can guarantee it remains in a secure location. Lastly, never use a wireless device in your home--such as a router--unless that device has been secured with a unique (and difficult) password. Not only does an unsecure router enable people to surf the internet for free, but, depending on the range of the router, neighbors and interlopers several blocks away may be able to easily see your most personal information--and in some cases even track your computer keystrokes to crack open passwords to your other applications.
In short, there are no easy solutions to the great password dilemma most of us face. To make matters more complex, many workplace applications and functions require employees to routinely change their passwords, sometimes after only 90 days. And it would be obviously unwise to simply switch one app's password to that of another, though many people do exactly that.
Of course passwords can only protect your world up to a point. Mega hackers--as in the alleged assaults and intrusions by Chinese or Russian hackers into the formidable walls of the New York Times, The Washington Post, and Linked In--still have the resources and the skills to gain access to your information if they are determined enough. And if you are like me, your best hope is that the hackers find your bank account to be less interesting than their own.