Use Passwords? Read This Article. Now.

By  |  Wednesday, February 25, 2009 at 2:53 pm

The e-mail from PayPal said I’d sent $400 to a gaming firm in Germany. It’s a dopey phishing expedition, I thought, and authentic-looking, for sure, but nothing to worry about.

The trouble was that when I logged on to PayPal, I really did have a $400 withdrawal. It was clear that someone had my password.

Quick Password Tips

Some of you may skim through this story, so here are the three essential things you need to know about password security:

  • Use a password generator, a program that will create a long, complicated password.
  • Don’t ever use dictionary words, even if you stick in symbols, like bill$gate$. They’re very easy to break using simple hacker programs. (LOL — Thanks, Rod.)
  • Use a different password for every important site. Using the same password on every site, especially critical ones, such as banking, is risky. Imagine using your one password on an unsavory, and possibly unscrupulous site. With that golden password, and a few guesses on your login name — stevebass, steve_bass, sbass — and they’re in like Flynn.

Who’s Got My Password?

I contacted PayPal (888/221-1161), supplied the details, and they opened up a case. My account is frozen and I don’t doubt PayPal will credit me for the loss. (As I started editing this article, they reversed the charges.) PayPal is investigating, but I don’t think they’ll ever find out how someone got into my account, though it was clear the person had my password. The rep said I probably fell for a well-crafted e-mail spoof.

That’s a blow to my ego. I see myself as suspicious, verging on paranoid, when it comes to phishing e-mails. What better prize than bragging rights to hacking a PC World guy, right? So I’m as vigilant as my dog is when I try to get her to take a pill wrapped in peanut butter. (Hey, you can’t fool me, pal, she probably thinks…)

If an e-mail — suspicious or not — refers to any of my important accounts and provides a link to click, I ignore the offer. It’s safer to manually type the URL into my browser’s address field. And yes, I’ll cover phishing hassles — and ways to guard against it — in a future newsletter.

Password: z24x680uBS4!44

I’m also careful with my passwords and, at least until now, thought they were super stealthy. For example, on PayPal I used four numbers, a symbol, and three letters. According to Microsoft’s Password Checker, my standard password pattern, 1600%wtf, is strong. But it could be better.

Microsoft says that the most effective passwords are 14 characters and have a combination of upper and lower case letters, numbers, and a symbol or two. For example, z24x680uBS4!44 is strong enough for them to call it “best.”

Test your passwords on Microsoft’s site and see how well they stand up. Then browse Microsoft’s excellent Strong passwords: How to Create and Use Them. I promise you’ll learn something.

Microsoft Password Checker

Generating Strong Passwords

Creating a strong password is easy, provided you don’t try to think one up on your own. There are dozens of Web sites that’ll create passwords, but I don’t use any of them. The last thing I’ll do is trust someone online watching me create new passwords. Instead, download Password Generator, a freebie, and crank out all sorts of 14-character passwords.

Create a strong password with this freebie.

Keeping Track of Your Passwords

I just looked and counted roughly 220 sites I use that require a password.

Some site passwords, however, are immaterial. For instance, I use a simple-to-remember word for spots I rarely visit, places such as newspapers that force you to register and log in just to read articles, or tech sites with forum messages.

However, ever since the PayPal fiasco, I’ve changed every significant password on my system to a 14-character gorilla.

Remembering all those passwords is a PITA, so you ought to consider using a password management tool. There are lots available. Many people like KeePass, a freebie; others swear by LargeSoft’s $30 Password Manager. I anticipate easily 100 e-mails — no make that 200 — kvetching that I haven’t mentioned your favorite. But as far as I’m concerned, RoboForm is the best one around, and I’ve used it since it was first introduced.

RoboForm, The Master at Passwords

RoboForm is a $30 program with more features for password management, privacy, and password identification than any other program I know. You provide RoboForm with all the vitals you might need to complete a site’s form: name, address, phone numbers, and even credit card numbers. When you click the Fill Forms button, the program does just that. I’ve created multiple identities, each with different info. For instance, I have one with MasterCard info, another with VISA accounts. I have another identity I call “anonymous” that I use to fill in forms on sites that I’ll never visit again.

Click a Web site from the RoboForm Passcard screen, and RoboForm transports your Web browser to the site, logging you in if necessary. Need an industrial-strength password? RoboForm will generate one for you. And don’t worry about security: RoboForm is itself password-protected. The program will also safely send an encrypted password through e-mail to another RoboForm user. (I was recently discussing with my wife the fact that neither of us can function without it.)

BTW, RoboForm foils keyloggers (programs that record your keystrokes) because it inserts the characters directly into form fields instead of typing them.

Here’s a summary of RoboForm’s features, a comprehensive FAQ with answers to your most technical RoboForm questions and a way to compare the free and Pro versions.

If you need portability, RoboForm2Go gives you the same protection when you carry your passwords on a flash drive and use it outside the office. Both the RoboForm program and your password files reside on a USB key, so you can take them from one computer to another. The tool costs $40, but if you buy it at the same time you get RoboForm, the price drops to $20. If you dig around, you’ll occasionally find discounts. (Google RoboForm discount.)

Siber Systems offers a 30-day trial of both products. They work in all versions of Windows and support IE and Firefox, but not Google Chrome, Opera, or a few other browsers. Take a look at the compatibility list.

There’s lots more to say about password management, but I’m almost out of space. So while you’re hot on the topic, read Bitmill’s smart series of Password Security 101 articles. They’re less basic than you might imagine.

[This post is excerpted from Steve’s TechBite newsletter. If you liked it, head here to sign up; it’s delivered on Wednesdays to your inbox, and it’s free.]



13 Comments For This Post

  1. Joe D Vough Says:

    Most of the sites I visit are on my iPhone. With no cut and paste, it would be impossible to access them if I had to type in some crazy and long password on that lame on-screen keyboard. What’s a mobile user to do to get better password security?

  2. smithee Says:

    All good advice, but your password was strong enough. It does look like it was stolen by an e-mail phisher or by someone eavesdropping on unsecured Wi-Fi for a global password.

    I’m curious: do you know how many password attempts PayPal allows before they lock the account?

  3. DZ Says:

    I doubt it was phishing given your caution. More likely you used the password on some other site which was hacked, or you used an open WiFi spot at a cafe or somewhere and the password was sniffed.

  4. DZ Says:

    Which I guess reinforces that it doesn’t matter how secure your password is if someone else has it. recently had a data breach in which they lost every user ID and password. So anyone who double dips could be in trouble. And frankly I think Monster’s behavior has been criminal – they didn’t directly notify each and every user of their system.

  5. Omarra Byrd Says:

    I actually love the RoboForm software myself. I use it all of the time and it takes all of the menial everyday tasks that I have to perform on my computer daily and shortens them extremely! What once took me fifteen minutes to complete now takes me only one second because RoboForm does the same task with just one click. In fact I wrote a Report about a lot of RoboForm’s capabilities for use that aren’t even touched on in the User’s Manual for RoboForm. You can get that Report here:

    There is also a FREE version of RoboForm that you can download on this web page, just to test the RoboForm software out for yourself! I highly recommend it!

  6. LastPass user Says:

    I use LastPass. It is free and portable. Best password manager available hands down.

  7. Matt Says:

    I love Roboform as well. I use Live Mesh to sync my passcards across multiple computers (including my work PC). Makes it nice to work from one set of passcards.

  8. Bruce Says:

    I like Atek’s Logio Secure Password Organizer because it’s TOTALLY insulated from the internet. Doesn’t even go on your computer. That seems the safest way to go!

  9. Tara Kelly Says:

    Avoiding contact with the internet isn’t necessary. There’s a data privacy pattern used by online password managers called Host-Proof Hosting that will protect data even on the web:

    That’s the semi-technical explanation. In a nutshell: your passwords are locked up with a key that only you know. Since that key is never sent to the server, not even the folks who run the password manager can read your stuff.

    Simple. AND you get to access your passwords from any internet connection. OR you download the desktop application, and keep it synced across multiple machines via the online service:

    Cheers 🙂

  10. Vox Says:

    Passwords are outdated and weak…use passphrases.

    I use phrases with 4-10 words in them, with spaces and proper punctuation, and no brute force attack will get them this millennium.

    Oh! And a passphrase that makes sense will actually be much, much easier to remember than a cryptic random password, so you won’t write it down on a post-it on your monitor or under your keyboard.

    And if the service/device you are using doesn’t allow long passphrases, then use your throwaway password or just don’t use the service/device, because it *will* be invaded due to its useless security.

  11. Tara Kelly Says:

    Yup, excellent advice. We’ve found that lots of folks get thrown off by the term “pass phrase”. In our sign-up screen, we suggest they “type a simple sentence they can remember”. Works like a charm.

  12. Don Tetreault Says:

    For a mere 5 bucks, we now use Palpal Security Key for all our Paypal (and eBay) transactions. I cannot overstate the security enhancement value this key provides for online transactions.

    Paypal Security Key

  13. Don Tetreault Says:

    Correction: That should be “Paypal Security Key” (not Palpal).
