Tuesday, September 23, 2014

Best Practices for Passwords

We talked about how easy it is for bad people to obtain passwords. They can hack into major sites. They can run brute force attacks to crack simple passwords. And they can use social engineering to try to get you to give up your password.

Here is a list of best practices we hope you will follow to keep your passwords safe.


  1. Different passwords per site. If you use different passwords on every site you use, then if someone finds your password on one site they cannot break into your accounts on others. Either create a password that uses the site name as part of the construction, or use a password keeper to help you remember.
  2. Long and complex passwords. Remember that a desktop computer can crack all the combinations of a short (e.g., 8-character) password in a matter of a day or so. Aim for 12 or more characters, mix upper-case and lower-case letters, and include some numbers and symbols.
  3. Never write them down or give them to anyone. The tradeoff for having long and complex passwords is that some people write them down on a notepad. But if they ever lose the notepad...
  4. Watch out for public computers. Signing in on public computers -- which includes the machines at Mills -- is a risk. Watch for the "remember your login" and "remember your password" checkboxes. If the machine remembers those, or you forget to log off, then the next person sitting at your seat will have access to your accounts.
  5. Avoid public WiFi. Over-the-air signals are easy to crack. Try to avoid doing banking or anything secure at a public cafe. Even email is dangerous, because if anyone cracks into your email, they can go to important sites, click the "forgot my password" button, and pick up a new password from your cracked email account.
  6. Watch out for phishing. Whenever a business emails you or calls you asking for your login or credit card information, beware. The message might come from the bad guys or contain false links. You are always better off accessing the site the way you normally do, or calling the company at its published number. Legitimate companies will understand this need for security.
  7. Use SSL when possible. You are using SSL when you can see "https://" in the URL at the top of your browser; depending on the browser, it will also display a closed lock. That means your whole conversation with the site from that point onward is encrypted.
  8. LastPass or KeePass. These are simple and secure tools that will remember your passwords for you -- regardless of how complex they are or how many you have. LastPass plugs into the browser and will automatically fill in the sign-on information.
  9. 2-factor authentication. Use 2-factor authentication for important sites that support it. Even Twitter offers this, as some celebrities fear their account getting hacked and millions of fans seeing bogus tweets. You can request that the site send an SMS to your phone. You can use the Google Authenticator app. Or, with a little less security, you can answer security questions; just try to make your answers unusual so no one can guess them. An answer like "Fido" for your first dog's name might be one of the first guesses.
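To make item 2 concrete, here is a small password-policy checker, added as an example and not part of the original post. It applies the post's rules (12 or more characters, mixed case, digits, symbols), computes how many guesses an attacker who knows which character classes were used would need to exhaust the search space, and converts that into time at an assumed guessing rate. The rate of ten billion guesses per second is an illustrative assumption for an offline attack on a fast hash, not a figure from the post; the function and constant names are mine.

```python
import string

# Character classes the post asks you to mix (item 2).
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}
MIN_LENGTH = 12

# Assumed offline guessing rate for the estimate: 1e10 guesses/second is
# an illustrative GPU-class figure against a fast hash (assumption, not a
# number from the post). Online attacks through a login form are far slower.
GUESSES_PER_SECOND = 1e10


def classes_used(pw):
    """Names of the character classes that actually appear in pw."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in pw)]


def check_policy(pw):
    """Return the list of rules from the post that pw fails (empty list = passes)."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    used = classes_used(pw)
    for name in CLASSES:
        if name not in used:
            failures.append(f"no {name} character")
    return failures


def keyspace(pw):
    """Number of candidates an attacker must try if they know the classes used
    and the length. This is an upper bound: a dictionary word or a pattern
    falls long before the space is exhausted."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return alphabet ** len(pw)


def exhaustive_seconds(pw, rate=GUESSES_PER_SECOND):
    """Seconds to try every candidate in keyspace(pw) at the assumed rate."""
    return keyspace(pw) / rate


def describe_seconds(seconds):
    """Human-readable duration for reports."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def report(pw):
    """One-line summary used by the demo below."""
    failures = check_policy(pw)
    verdict = "OK" if not failures else "; ".join(failures)
    return f"{len(pw)} chars, classes={classes_used(pw)}, " \
           f"exhaustive search {describe_seconds(exhaustive_seconds(pw))}: {verdict}"


if __name__ == "__main__":
    # Constructed sample passwords (not real credentials).
    for sample in ("password", "Tr0ub4dor&3", "Mills-Autumn-2014!"):
        print(report(sample))
```

Running the demo shows the gap the post describes: an 8-character all-lowercase string is exhausted in seconds at the assumed rate, while a 12-plus-character password drawn from all four classes takes centuries. The estimate is only meaningful for randomly chosen characters; a 12-character dictionary phrase is guessed by wordlist rules, not by exhaustion.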
