Security Tip: Don’t Hide Your Passwords In A Folder Named “Passwords”

duh

Did you see this yesterday? Evidently someone hacked into Sony’s computer system and found the passwords for the social media accounts for all of their movies (we’re talking about Facebook, Twitter, MySpace – I guess it’s still a player, at least as far as Sony is concerned – and YouTube) in a folder called “Passwords.”

I got a huge laugh out of it, then I realized it’s probably a lot more common than anyone cares to believe. I knew a guy who kept all of his credit card numbers in a password-protected Excel spreadsheet. Not a bad idea on the face of it, except all of the card information was visible while he was typing in the password. Other people have sensitive password information on Post-It Notes stuck to their computer monitor. Others have a sheet of paper in a folder in their desks.

I’ve started using LastPass’ password-generation routine. It generates a random string of characters (upper- and lower-case letters, numbers, and symbols) and stores it in your vault. It then fills in the user ID and password fields automatically for you, so a keystroke logger can’t capture the password as you type it. I honestly don’t know the password for sites like my bank, my PayPal account, or my credit card payment sites. I’m starting to do the same thing for the non-crucial sites as well, like Papa John’s and some of my bulletin boards, places where I’d been using a simple password like one of my cats’ names and a few digits.
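For readers who want to see what a generator of that kind actually does, here is a small added example (my own illustration, not LastPass’ code). It draws every character from the operating system’s cryptographic random source, makes sure all four character classes appear, and reports how many bits of guessing work the result represents compared with a “cat’s name plus a few digits” password. The symbol set and the 20-character default are my assumptions.

```python
import math
import secrets
import string

# Character classes the generator mixes, as the post describes:
# upper- and lower-case letters, digits, and symbols.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"   # assumed set; managers let you pick
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS   # 85 characters


def generate_password(length: int = 20) -> str:
    """Return a random password containing at least one character of each class.

    secrets.choice() uses the OS CSPRNG; random.choice() would be predictable
    and must not be used for this purpose.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to include every class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def has_all_classes(pw: str) -> bool:
    """True if pw contains an upper, a lower, a digit and a symbol."""
    classes = (UPPER, LOWER, DIGITS, SYMBOLS)
    return all(any(c in cls for c in pw) for cls in classes)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw)
    print(f"uniform 20-char password: {entropy_bits(20):.1f} bits")
    # A pet's name followed by a few digits is closer to a dictionary word
    # plus four digits: roughly 17 bits for the word, 13.3 for the digits.
    print(f"four random digits alone: {entropy_bits(4, 10):.1f} bits")
```

The rejection loop is the important part: a generator that simply concatenates one character from each class in a fixed order leaks structure, whereas resampling the whole string until every class is present keeps the output uniform over the accepted strings.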

But passwords only work well when you change them frequently, and the tendency is to use something that you can remember, and to use it just about everywhere, and leave it at that. There’s always the worry that you’ll be on someone else’s computer and need one of the passwords and not remember what it is. That can be a problem: if someone hacks my Gmail account and I’m using the same password for it and my bank, that person could clean me out.

Some companies like Google use a two-step verification system: after you type in your password, they send a text message or call you with a validation code that you need to enter to access your account. I worked with a company that gave my group a keyfob that generated a random number you would use as a password, each one good for only three minutes. Still other services require you to have a USB “key” to access their systems.

We could soon see technology that uses fingerprints, retina scans, voice prints, and other biometric information to secure our accounts. Until then, you might want to consider a password manager like LastPass (Googling “password manager” gives you a list of them). Or you could use a random password generator like the one at Random.org to generate a strong password.

Just, whatever you do, don’t keep your passwords in a folder called “Passwords.”

Do you have a unique way of coming up with passwords? Have you used any technology like a keyfob or a USB key?

4 thoughts on “Security Tip: Don’t Hide Your Passwords In A Folder Named “Passwords””

  1. I’ve always been afraid of the automatically generated passwords, even though many people have said that’s the way to go. I think the reason is it makes me feel like I’m losing control over my passwords, and I’m definitely a control freak. But, no, I don’t have a folder named “passwords”. LOL. I do have a file with the passwords for work, but my personal ones are all in my head. Which is also dangerous, because what if I died and my husband couldn’t get into the accounts to pay the bills? I really need to do something about that…. I do have a password I use a lot, and there’s nothing in the password that relates to me at all. I just randomly thought of it one day.


    1. Mary’s always worried that I’m going to go toes-up and leave everything a mystery. I carry a flash drive with me that has all the critical stuff on it, and having the passwords in LastPass makes a big difference.

      If you Google “creating strong passwords” there are a couple of good articles that give hints on how to create good passwords without using random characters. Worth a look.

