Kaveh Moravej

Securing Knowledge: Managing Usernames and Passwords

A key part of managing knowledge is to ensure that it's secure where and when it needs to be. With major online service providers being hacked just about every other week (Evernote being the latest casualty), here's a reminder of a few basic steps that you can take to minimise the loss of your personal data.

Use different passwords for every site


You wouldn't use one key for your house, car, and every other piece of property that you own, so how can you possibly think that it's wise to do the same with private information? The vast majority of people keep using the same set of passwords over and over again - don't be one of them. Either use a password management tool like KeePass, write them down on a piece of note paper in a safe place, or save the information as an encrypted document. Better yet, keep this information on a separate USB disk or other form of removable storage (preferably encrypted).

Make your password secure


As computing power increases, it grows ever easier to use brute force attacks to guess passwords. When choosing a password, avoid all words that might be found in a dictionary, or anything remotely guessable. Use a combination of letters, numbers and symbols (if allowed), along with uppercase and lowercase letters, with a minimum of 12 characters. The longer your password, the better.
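As an added illustration (not code from the original post), here is a small Python check that applies the criteria above (at least 12 characters, mixed case, digits and symbols, not built around a dictionary word) and estimates how many guesses a pure brute-force attack would need. The word list is a constructed stand-in; a real check would load a proper dictionary or leaked-password list.

```python
import math
import re
import string

# Constructed, deliberately tiny stand-in for a real dictionary / leaked-password list.
COMMON_WORDS = {"password", "welcome", "mittens", "qwerty", "letmein", "dragon"}

MIN_LENGTH = 12  # the post's recommended minimum

# Character classes the post asks for, with the size of each alphabet.
CLASSES = (
    (string.ascii_lowercase, "lower-case letters"),
    (string.ascii_uppercase, "upper-case letters"),
    (string.digits, "digits"),
    (string.punctuation, "symbols"),
)


def brute_force_bits(pw: str) -> float:
    """Upper bound on strength: bits of work for an attacker who must try every
    string of this length over the character classes actually used.
    A password built from a dictionary word is far weaker than this number."""
    alphabet = sum(len(cls) for cls, _ in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def contains_dictionary_word(pw: str) -> bool:
    """Strip digits/symbols and lower-case the rest, so that decorated words
    such as 'Mittens2000' are still caught."""
    core = re.sub(r"[^a-z]", "", pw.lower())
    return any(word in core for word in COMMON_WORDS)


def check_password(pw: str) -> list[str]:
    """Return the reasons a password fails the post's guidance (empty list = passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for cls, name in CLASSES if not any(c in cls for c in pw)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if contains_dictionary_word(pw):
        problems.append("built around a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("Mittens2000", "password12345!", "x7#Qv!9mLw2$Rt"):
        print(candidate, round(brute_force_bits(candidate), 1), check_password(candidate))
```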

Choose a good password question


All too often people choose easily guessable password questions: In what city were you born? What is the name of your first school? What is your favourite movie? The developers/companies that offer these default questions deserve as much scorn as the people who truthfully answer them. If possible, avoid using this option, or type your own question and make both the question and answer as obscure as possible.

Don't use default usernames


If given the option, avoid the use of all default or guessable usernames. This adds a second layer of security, as someone targeting your account will be forced to get both your password and username right.

Keep changing your passwords


Whatever you do, don't keep using the same passwords for the next 50 years. Yes, we all know your pet cat or dog meant a lot to you, but there are better ways to memorialise him/her than to use "Mittens2000" as the password on all of your accounts for the rest of your life.

A re-used password only needs to be compromised once to give someone a lifetime of access to your account. If at all possible, change each password at least once a month.

Use multi-factor authentication


A number of services now give you the option to use mobile text messages as a second layer of security. This means that anyone trying to break into your account will not only require your correct username and password, but also access to your phone. Enable this and other secondary authentication features where offered.

Trust no one


This doesn't mean turning into a tinfoil hat wearing paranoid recluse. "No one" means the services and companies that you willingly share your data with. You are trusting strangers that you neither know nor have met, to keep your information secure.

Even with their best efforts, they may not be able to protect your data from sophisticated attacks. It's up to you to judge the level of damage from the loss/disclosure of a given piece of information. If it crosses your personal comfort threshold, then you should keep it somewhere safe where only you have access and control over it.

It's not just about you anymore


Those exploiting security vulnerabilities are now increasingly taking advantage of our networks of trust to cause wider damage - spoofing messages from friends, family and colleagues for instance. Leaving your accounts vulnerable also leaves the people close to you open to attack.

Never blindly click on any link or install a piece of software without being 100% certain of the source. No matter how secure your username and password, if you unknowingly download and install a keylogger, all your information will be compromised.

While there's no guarantee of making anything 100% safe and secure, it's ultimately up to you to take the basic measures that will minimise the fall-out from attacks on the many online services that you might use on a daily basis. It may not seem worth the time and effort now, but you'll be glad to have taken these precautions once your service provider ends up in the news for all the wrong reasons.

Photos: Marc Falardeau, Rob Watkins, Jeff Hall, Tim O'Brien