Many websites require users to register and create an account in order to read and access the site. Most of these are legitimate websites that are concerned about security and are trying to protect their sites from attack. But some websites are fishing for your personal information.
Those sites invite you to give them your name, email address, create a password, and answer several common security questions. Then, they use the personal information that you have given them for their own purposes.
At a minimum, you have given them your email address and they can use that information to send you spam. In fact, they can personalize the spam using your name which you also have given them.
They can also try using your email address and password to log in to the most common other sites, such as Google, Facebook, YouTube, Yahoo, Amazon, Twitter, LinkedIn, eBay, PayPal, and every bank in America. If they succeed, they can do even more damage. If they are challenged with security questions, you may have provided them the answers.
You cannot afford to use the same password on multiple sites. You need to use a different email address and password combination for each site or at least for different levels of security.
However, to accomplish this, you need a way to keep track of hundreds of different passwords easily and securely.
Here are some rules for handling your digital security.
1. Sort websites into clearance levels.
At a minimum, you need to think about the internet landscape as three very different types of websites, each with its own clearance level: vaulted, trusted, or untrusted.
Vaulted sites are sites where, if they were hacked, the attackers could do significant monetary damage. Any site dealing with money is a vaulted site.
Trusted sites are sites where you are confident that they are not abusing your name and email address.
Untrusted sites are every other site on the Internet.
2. Set unique passwords for each site.
Setting a unique password is important. Most people choose their passwords from a very small list of common passwords. In fact, sampling suggests that 91% of all user passwords appear in the list of the top 1,000 most common passwords.
3. Vaulted sites deserve a completely unique password.
The passwords on vaulted sites should have nothing in common with any other password. In rule 4, we will talk about password seeds, but no password seed should be used for a vaulted site.
If a hacker figured out the seed and algorithm, he or she could wreak havoc on your finances.
4. Trusted sites deserve a unique password, but can use an algorithm and seed to design it.
A password algorithm can be used so that you know what the password is without having to look it up each time.
Using a password algorithm is less secure than using a completely unique password. A password algorithm might pick a strong password seed and then augment that password seed with something specific from the site itself.
For example, you could take the opening line of Charles Dickens’s “A Christmas Carol”, which reads, “Marley was dead, to begin with.” You could use the first letter of each word to form the password seed: “Mwdtbw”. You could add punctuation: “Mwd,tbw.”. Or you could reverse the capitalization: “mWD,TBW.”. The more character sets included the better, so use upper and lower case, numbers, and symbols.
Using the same password seed across multiple sites is dangerous if you don’t have a good algorithm though. It is possible that hackers could determine your algorithm and reverse engineer what your password might be on other sites. Adding “Facebook” to your Facebook password, for example, makes your algorithm obvious.
Hackers are very good at guessing passwords, so be wary of any common algorithm. However, inventing a clever algorithm and seed for yourself can make passwords both easy to remember and completely unique.
Using a key vault such as KeePass allows you to keep a folder of all the sites using the same type of algorithm so that you will have a complete list if you ever want to change it.
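Rules 2 through 4 amount to a checklist: not on the common-password list, drawn from several character sets, no site name embedded in an algorithm-derived password, and nothing shared between a vaulted password and any other password. The Go program below, added here as an example and not code from the original post, audits a constructed list of entries against exactly those checks. The five-entry common-password list, the sample passwords, and the 4-character "shared fragment" threshold are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Entry is one site/password pair with its clearance level from rule 1.
type Entry struct {
	Site     string
	Password string
	Vaulted  bool // true for money-handling sites (rule 3)
}

// commonPasswords is a constructed stand-in for the "top 1,000 most common
// passwords" list the article cites; a real check would load the full list.
var commonPasswords = map[string]bool{
	"123456": true, "password": true, "qwerty": true, "letmein": true, "abc123": true,
}

// SampleEntries is constructed sample data, not real credentials.
var SampleEntries = []Entry{
	{Site: "Bank", Password: "Mwd,tbw.B4nk", Vaulted: true}, // reuses the Dickens seed
	{Site: "Facebook", Password: "Mwd,tbw.Facebook"},        // seed + site name
	{Site: "LinkedIn", Password: "Mwd,tbw.Li"},              // seed + something less obvious
	{Site: "Twitter", Password: "password"},                 // straight from the common list
}

// charClasses counts how many of the four character sets (upper, lower,
// digits, symbols) a password draws from.
func charClasses(pw string) int {
	var upper, lower, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	n := 0
	for _, present := range []bool{upper, lower, digit, symbol} {
		if present {
			n++
		}
	}
	return n
}

// longestCommonSubstring returns the length of the longest run of characters
// that a and b share; a long shared run is the signature of a common seed.
func longestCommonSubstring(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	best := 0
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		for j := 1; j <= len(rb); j++ {
			if ra[i-1] == rb[j-1] {
				cur[j] = prev[j-1] + 1
				if cur[j] > best {
					best = cur[j]
				}
			}
		}
		prev = cur
	}
	return best
}

// Audit returns the problems found with one entry relative to the whole list
// (the 4-character overlap threshold for vaulted sites is an assumption).
func Audit(e Entry, all []Entry) []string {
	var findings []string
	lower := strings.ToLower(e.Password)
	if commonPasswords[lower] {
		findings = append(findings, "appears in the common-password list")
	}
	if charClasses(e.Password) < 3 {
		findings = append(findings, "uses fewer than three character sets")
	}
	if strings.Contains(lower, strings.ToLower(e.Site)) {
		findings = append(findings, "embeds the site name, which makes the algorithm obvious")
	}
	for _, o := range all {
		if o.Site == e.Site {
			continue
		}
		switch {
		case o.Password == e.Password:
			findings = append(findings, "reused verbatim on "+o.Site)
		case e.Vaulted && longestCommonSubstring(e.Password, o.Password) >= 4:
			findings = append(findings, "vaulted password shares a seed-like fragment with "+o.Site)
		}
	}
	return findings
}

func main() {
	for _, e := range SampleEntries {
		fmt.Printf("%-9s %v\n", e.Site+":", Audit(e, SampleEntries))
	}
}
```

Run it with `go run`. The Bank entry is flagged because it reuses the Dickens seed that the trusted sites also use, which is exactly the rule 3 failure; the Facebook entry is flagged for embedding the site name; the Twitter entry is flagged twice; the LinkedIn entry passes.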
5. Untrusted sites shouldn’t even use your email address.
Untrusted sites are the most dangerous of all.
Whenever you are wary of a site for which you have to register, you should register using a throwaway email address. Throwaway email addresses can be created for free at a number of providers, such as Gmail, Yahoo, or GMX. If the site decides to spam you, it will only spam a throwaway address, which can be replaced at any time.
Throwaway addresses should only be used on untrusted sites; that way, if one is compromised, no trusted or vaulted sites are compromised with it.
Untrusted sites should also use a different password seed and a different algorithm. That way, if they do prove untrustworthy, they will only be able to hack other untrusted sites.
Furthermore, you should not provide an untrusted site with your real information.
Pick a fictional person and use their name to register. Answer all the security questions as though you were that person. Name: Ebenezer Scrooge. Favorite book: A Christmas Carol. Birthplace: London. First employer: Fezziwig.
This way, if this site is fishing for your personal information, it will not get any from your registration.
6. Keep an encrypted password vault.
In order to keep all of your digital access straight, we recommend using a password vault. One of the best is a program called KeePass.
To quote their website:
KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).
We keep KeePass installed on our computer and the database backed up on a USB key. In case of a computer failure, reinstalling the program allows you to read the copy backed up on the USB key.
A husband and wife can each maintain their own KeePass, and yet have the password to unlock their spouse’s file in an emergency.
Passwords are easily looked up and can be copied and pasted for easy access. KeePass even clears copied data after a minute to protect your password.
Because KeePass remembers passwords for you, it allows completely unique keys to be set for your most sensitive accounts.
KeePass can also generate very strong unique passwords for you for every site. You will have to open KeePass before accessing each website you use, but you will be more secure as a result.
Photo used here under Flickr Creative Commons.