Better Living Through Passwords

First Published: NetAnswers Internet Extra newsletter
Date Published: 1998
Copyright © 1998 by Kevin Savetz

Your password is the only thing that stands between your account and the rest of the world. There's a fine line between allowing easy access for yourself and keeping other people out. This week, Kevin climbs on his soapbox and explains how to prevent heartache the next time you're asked for a password.

I have seen it happen a thousand times: an inappropriate, perhaps nasty posting appears in a mailing list or newsgroup -- followed a day later by a breathless, apologetic message. The excuse is always the same: "Someone else got into my account and abused it." The specifics are always different: a roommate, an ex-girlfriend, a kid or a complete stranger might take the rap. The effects on the victims are many: they're forced to pay for someone else's access, they look foolish, their important files are deleted, private information about them gets out.

Your password is the only thing that stands between your account and the rest of the world. So make it count.


Words and names that describe something about your life are among the easiest passwords to remember. They're also the easiest to crack, if the cracker knows anything about you. So don't make your password your name, your girlfriend's name or your dog's name. Don't make it your address or phone number. Don't think it's clever to use any of those names backwards. Crackers will think of that, too.

And please, don't use HELLO, PASSWORD, or SECRET. In fact, you shouldn't use any word that's in the dictionary. It is trivial for an account cracker to write a program that tries every word in the dictionary in his quest to access your account.

A good password is easy for you to remember but difficult for others to guess. So, while your home address would be a poor password, the address of your childhood home might be a better one.

A really good password contains a meaningless combination of lowercase and uppercase letters, numerals and maybe a symbol or two. These are hard to crack -- but hard to remember as well. Try this technique: create a password from the first letter in each word of a phrase that you can easily remember. (For instance, song lyrics -- "Yesterday, all my troubles seemed so far away" might become "YamtSSFA!")
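The rules above can be turned into a quick self-check. The sketch below is an added example, not part of the original article: the tiny word list, the sample personal details and the "at least three kinds of character" threshold are assumptions made for illustration, and a real check would load a full dictionary file.

```python
import re

# Constructed sample data: a tiny stand-in for a real dictionary file.
SAMPLE_DICTIONARY = {"hello", "password", "secret", "yesterday", "troubles"}

def _squeeze(text):
    """Lowercase and keep letters/digits only, so "555-1234" matches "5551234"."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def check_password(password, personal_words, dictionary=SAMPLE_DICTIONARY):
    """Return the list of reasons a password breaks the article's rules."""
    problems = []
    squeezed = _squeeze(password)
    # Names, addresses and phone numbers, forwards or backwards.
    for word in personal_words:
        w = _squeeze(word)
        if not w:
            continue
        if w in squeezed:
            problems.append("contains personal detail: " + word)
        elif w[::-1] in squeezed:
            problems.append("contains personal detail backwards: " + word)
    # Any dictionary word, in either direction.
    lowered = password.lower()
    if lowered in dictionary or lowered[::-1] in dictionary:
        problems.append("is a dictionary word")
    # Mix of character kinds (assumed threshold: three of the four).
    kinds = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(k, password)) for k in kinds) < 3:
        problems.append("mixes fewer than three kinds of character")
    return problems

def phrase_to_password(phrase, suffix="!"):
    """First letter of each word; second half upper-cased, then a symbol."""
    initials = [w[0] for w in re.findall(r"[A-Za-z][A-Za-z']*", phrase)]
    half = len(initials) // 2
    return "".join(initials[:half]) + "".join(initials[half:]).upper() + suffix

if __name__ == "__main__":
    lyric = "Yesterday, all my troubles seemed so far away"
    candidate = phrase_to_password(lyric)
    me = ["Kevin", "Rex", "555-1234"]  # constructed personal details
    for pw in ("SECRET", "nivek", "Rex5551234", candidate):
        print(pw, "->", check_password(pw, me) or "passes")
```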


Life would be simple if your CompuServe password was the only one you had to remember. Sadly, life isn't so simple. Many web sites require that you log in -- and every one of those requires a password.

Now, you _should_ use a different password for each and every site. But I suspect it's not uncommon for busy web surfers to have accounts at a dozen or more little web sites. It can be inconvenient to invent and remember a password for each one. I will grudgingly admit that I sometimes reuse passwords for web sites. Don't do this if the site allows you to write messages or e-mail (for instance, HotWired, HotMail or My DejaNews), or for sites that contain personal information (if your entire stock portfolio is tracked at My Yahoo, you probably won't want others poking around in there).

Whatever you do, don't use the same password at any web site that you use for CompuServe, your Internet service provider, or any of your "important" accounts. It can be easy for a web site maintainer to tell what your password for that site is as well as who your ISP is. Reusing your CompuServe password is tantamount to giving an unscrupulous webmaster the keys to your account.

-.-.- AUTOMATIC LOG-IN -.-.-

Many services and web sites give you the option of storing your password in your computer, providing the convenience of logging in without straining your brain to remember your password. Even CIM, most users' gateway to CompuServe, does this. It's a tempting feature, but it should be avoided if anyone else has access to your computer. Auto-log-in is a bad idea if your computer sits in a busy office, is a shared laptop -- or is even a home computer, if you don't quite trust your roommate or pesky siblings.

-.-.- LOG OUT! -.-.-

When you're done with your on-line adventure, always, always, always remember to log out. If the web site that you're visiting has a "Sign off" link, press it. Then make sure you log off from your Internet access provider. If you don't, a miscreant with physical access to your computer won't even need to guess your password in order to make your life miserable.


Finally, change the passwords for your important accounts regularly: at least every three months. Set up a schedule for yourself -- perhaps changing your passwords on the same day you change the oil in your car.

I know, it seems like such a bother -- setting up all those different passwords, changing them regularly, then searching your brain for the right one every time you need to log in. Yeah, it's a pain -- but not half the pain you'll feel if some loser cracks into your account.
