Password Hygiene
In the early days of the web, passwords were more of an annoyance, perhaps even a novelty. Who was going to hack your Geocities account, and if they did, what would they really be able to do?
Today, things are profoundly different. It's almost laughable how naive we once were. The consequences of a hacking in today's world are no laughing matter for our clients or for us.
You've probably read many articles over the years about password hygiene, especially in light of the revelations from Experian (this hacking is terrifying, by the way). In the past, such admonitions and recommendations were ambiguous and could easily be put aside, especially with all of our other deadlines.
This week's post is meant to give you a few simple steps to help you beef up your passwords, and they shouldn't take that long.
Here we go:
Don't use "password", "password12345", or any variation of "password".
Don't use any publicly available information (date of birth, kids' names, anniversary, mother's maiden name, etc.). If it's public, or posted to social media, don't use it in your password or in your challenge-question answers.
Don't put your passwords on a sticky note attached to your computer.
If you must print your passwords out on paper, keep them in a locked drawer when not needed.
When making passwords, here are two methods that we've found helpful:
Method #1: Memorize the way it "feels" to type the password - similar to playing notes on a piano. The (sample) password "HGl1e?ZP3y" might look strange, but if you memorize the keystrokes, it can be a cinch to type.
You can use a string of characters like this as the "core" and then add on a prefix or suffix for additional sites. We're accountants after all - we love patterns. So adding a tag such as auL, buL, cuL, duL, euL to the end of the "core" string can give you a lot of mileage out of a single password.
Method #2: Create a phrase such as "MSATP is good for me." Then modify some of the lettering and throw in a few "spoilers" to get something like "msatP7is6gooD5foR4mE!" The spoilers in this case are descending numbers that separate the words in the phrase. The last letter of each word is capitalized. There is a special character at the end of the phrase.
Pick a method that works for you and be consistent.
Challenge questions present a tough choice. The answer should be memorable, but should not be remotely related to anything publicly available about you (including your social media postings). If [Major Social Media Website] knows your city, your date of birth, and your name, you are at risk of hacking because of challenge questions. So, if the challenge question is, for example, "What is your dog's name?", the answer should be something like "Oscar Meyer", "I don't have a dog", or "I'm a cat person" - but not your actual dog's name.
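To make Method #2 and the "don't" rules concrete, here is an added example (not code from the original post) that builds a password from a phrase exactly as Method #2 describes and checks a candidate password or challenge-question answer against the rules above. Applied strictly, the method turns "is" into "iS", whereas the post's own sample leaves it as "is"; the public-fact list and the leetspeak substitutions are assumptions of this example.

```python
import re

# Common substitutions that still leave "password" recognisable (assumed list).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "$": "s", "5": "s",
                      "1": "i", "!": "i", "3": "e", "7": "t"})


def phrase_to_password(phrase: str, start_digit: int = 7, tail: str = "!") -> str:
    """Method #2: lowercase each word, capitalise its last letter, separate
    the words with descending digits, and append a special character."""
    words = re.findall(r"[A-Za-z]+", phrase)
    if not words:
        raise ValueError("phrase needs at least one word")
    shaped = [w[:-1].lower() + w[-1].upper() for w in words]
    out = shaped[0]
    digit = start_digit
    for w in shaped[1:]:
        out += str(digit) + w
        digit = (digit - 1) % 10  # keep descending, wrap after 0
    return out + tail


def hygiene_problems(candidate: str, public_facts: list[str]) -> list[str]:
    """Return the post's 'don't' rules that a password or challenge answer
    breaks. public_facts holds things anyone could look up about you
    (names, dates, pet names, maiden names); the caller supplies them."""
    problems = []
    flat = candidate.lower().translate(LEET)
    if "password" in flat:
        problems.append("contains a variation of 'password'")
    for fact in public_facts:
        # Words of 3+ letters and numbers of 4+ digits (e.g. a birth year).
        for token in re.findall(r"[A-Za-z]{3,}|\d{4,}", fact):
            if token.lower() in candidate.lower():
                problems.append(f"contains public info: {token!r}")
    return problems


if __name__ == "__main__":
    facts = ["Rex", "1985-03-12"]  # constructed sample of public facts
    print(phrase_to_password("MSATP is good for me."))
    print(hygiene_problems("Rex1985!", facts))
    print(hygiene_problems("P@ssw0rd2019", facts))
    print(hygiene_problems(phrase_to_password("MSATP is good for me."), facts))
```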
If all this is making your head spin, consider a password locker. Bob Jennings covered this in last year's technology seminar. Be sure to ask him about it during the upcoming CPE season (sign up for your seminars early!). Be prepared to pay a monthly fee for a password locker service. Personally, I prefer to make my own passwords using method #1 - but to each their own.