Internet Password Best Practices
User: pedro
Date: 10/6/2009 12:05 pm

There is a good article in today's Washington Post about Hotmail losing a bunch of users' email passwords.  They took it as an opportunity to highlight some password best practices so I thought I would do the same. Following these suggestions will help reduce your risk of ID theft.

Below are the best practices from the article.  Click here for the full article.

-Make sure you have set up an alternate e-mail address for your account. Most free Webmail providers, including Hotmail, Gmail and Yahoo! offer this feature, which is usually accessible under the user account settings. This way, even if someone does manage to steal your password, you can reset it by having the "reset your password" link sent to an alternative e-mail inbox. This is especially useful should you find yourself in the unenviable position of having your Hotmail inbox held hostage and being subjected to extortion in order to regain access to it (see Your Money or Your E-mail).

-Avoid using your e-mail password as your password at other sites. If that other site gets hacked, not only do the attackers know your e-mail address, but they now also have your e-mail password. That said, many online forums require you to pick a password and user name, and I think it's generally okay to use the same password at multiple forums, provided said forums don't store personal or financial data about you.

-Several high-profile Webmail account password compromises have succeeded because victims picked easily-guessed answers for their "secret question and answer" pair that many sites use as a password reset security feature. Often, the questions request personal information that may not be terribly secret in this age of social networking and online consumer databases. If you have the choice, create your own unique question and answer. If you must pick from a preexisting list of questions, consider choosing a bogus answer that makes you laugh and has special meaning for you (you're more likely to remember a false answer this way).

-DO NOT use your user name as your password.

-Don't use easily guessed passwords, such as "password."

-Do not choose passwords based upon details that may not be as confidential as you'd expect, such as your birth date, your Social Security or phone numbers, or names of family members.

-Create unique passwords that use some combination of words, numbers, symbols, and both upper- and lowercase letters. One way to forge strong, memorable passwords is to use the first letter from each word of a favorite phrase, book or movie. For example, "The ratio of people to cake is too big," could be "Troptcitb," a fine and fun password (especially if you include the capitalization).

-If you need to write down your passwords, consider storing them in a password vault that encrypts the information, such as Password Safe, KeePass, or RoboForm. Mac users have this functionality built into the operating system in Keychain, which consolidates a user's passwords in one place and makes them accessible via a master password or passphrase.
