Best Practice: Account Passwords

Your username and password are the easiest tools a thief has for making money. There are a range of easy and complex tools available to allow even the dumbest criminal to get into your online life. New online “Cloud” systems provide practically unlimited computing power to crack your password. Smart “Cracking” systems try common words first, essentially testing every word in the dictionary. Once they get into one of your accounts, they have your password and email address. Assuming they are out to get you, they can then go after other common accounts like Twitter, Facebook, etc. Practically though, they are more interested in breaking into your credit card/bank account to access information that then gives them access to cash. Credit card numbers sell on the open market for $0.50-$5.00 per valid number. Sometimes rather than buying a security alarm, people will simply put up a sign saying “This house protected by….”, because there are enough homes without a security alarm that a thief can steal from. In a similar way, the tougher you make a password, the more likely the bad guys will go somewhere else.

The easiest way to steal a password is to use a fake web page that looks like your Gmail login. When you log in, the software grabs your password and sends it out to the bad guys. So never put your password into a web page if you got there from an email link. Security Beacon users should adhere to the following practices:

Basic User
  • Use the longest password you can – There are 94 “Printable characters” that can be used in most passwords, so having 9 rather than 8 letters in your password makes it as much as 94 times harder to crack your password.
  • Include letters, numbers, symbols, capitals, and lower case.
  • To improve memory use a combination of a few objects you can remember: chicagO#suzY%1029 (a place you know, your first girl friend, last 4 digits of your childhood phone number, plus some annoying symbols)
  • You might also include the service name to make it a bit more difficult “chicagO%twitter” for your twitter, “chicagO%facebook” for Facebook.
  • If you are logging into an online service in a public location, or any time for that matter, precede the web address with “https:” rather than “http:”
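To put numbers on the two Basic User points about length and character classes, here is a small password assessor. It is an added example, not code from Security Beacon: it counts the character classes a password uses (the 94 printable ASCII characters split into 26 lower, 26 upper, 10 digits and 32 symbols), works out the brute-force search space in bits, shows the 94x cost of each extra character, and flags embedded dictionary words, since crackers try those first. The word list is a constructed stand-in for a real cracking dictionary, and the `assess` helper is a name chosen here.

```python
import math
import string

# The 94 printable ASCII characters the article refers to:
# 26 lowercase + 26 uppercase + 10 digits + 32 symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed mini "dictionary" standing in for the word lists crackers try first.
COMMON_WORDS = {"chicago", "suzy", "password", "twitter", "facebook", "letmein", "welcome"}


def charset_size(password):
    """Size of the smallest standard alphabet that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    return size


def search_space_bits(password):
    """Upper bound on brute-force work: log2(charset_size ** length)."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def length_factor(charset, from_len, to_len):
    """How many times larger the search space gets when going from one length to another."""
    return charset ** (to_len - from_len)


def dictionary_hits(password, wordlist=COMMON_WORDS):
    """Dictionary words embedded in the password (case-insensitive); a cracker finds these cheaply."""
    lowered = password.lower()
    return sorted(w for w in wordlist if w in lowered)


def assess(password):
    """Summarise the properties the Basic User checklist asks for."""
    return {
        "length": len(password),
        "charset": charset_size(password),
        "bits": round(search_space_bits(password), 1),
        "dictionary_words": dictionary_hits(password),
        "all_classes": charset_size(password) == len(PRINTABLE),
    }


if __name__ == "__main__":
    for pw in ("password", "chicagO#suzY%1029"):
        print(pw, assess(pw))
    print("8 -> 9 chars over 94 symbols:", length_factor(94, 8, 9), "x more work")
```

Note that the bit count is an upper bound on attacker effort: `chicagO#suzY%1029` uses all four classes, but `dictionary_hits` shows that two of its three building blocks are plain words, so a dictionary-plus-rules attack is far cheaper than the raw search space suggests. That is the reason the article's advice to add "annoying symbols" and a number matters more than the memorable words themselves.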
Advanced User
  • Change your user name, using a different email variation.  Gmail and other systems let you create Alias email addresses.  This can mitigate the damage if they get your password because they would need to get the username and password correct on your other accounts.
  • Tier your passwords – if you are logging on to a simple system that sends you news reports or such, use a basic password – one that you don’t care if someone gets it.  For your special accounts with financial data, use a totally different password scheme.
  • On each of your online accounts go to the security/account sections and be sure to turn on HTTPS:, 2 Factor authentication, backup password questions, etc.
  • For email, never use a web browser to get your email.  Set up all your email accounts to use Outlook, Thunderbird, or some other client.  Make sure you configure your email account to use SSL or TLS.
  • Never log in to an online account from someone’s computer.
  • Never log into an online account using your computer over a public wifi network.
  • Run CCleaner weekly to clear your browser cache
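The Advanced User list tells you to turn on 2 Factor authentication. The example below, added here and not part of the original article, shows what that second factor actually adds on the server side: a standard time-based one-time code (HOTP per RFC 4226, TOTP per RFC 6238) that a thief who phished your password still cannot produce without the secret on your phone. The `login` helper, its plaintext `stored_password` argument (a stand-in for the server's real password check) and the 30-second step are assumptions made for the demo.

```python
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per TOTP time step (the usual default)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=STEP, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)


def verify_totp(secret, code, at=None, window=1):
    """Accept the code for the current step or +/- window steps to tolerate clock skew.
    Comparison is constant-time so timing does not leak which digits matched."""
    now = time.time() if at is None else at
    for drift in range(-window, window + 1):
        candidate = totp(secret, at=now + drift * STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def login(stored_password, stored_secret, password, code, at=None):
    """Both factors must check out: a leaked password alone does not get in."""
    password_ok = hmac.compare_digest(stored_password.encode(), password.encode())
    return password_ok and verify_totp(stored_secret, code, at=at)


if __name__ == "__main__":
    # Constructed demo secret; real secrets are random bytes shared once at enrolment.
    secret = b"12345678901234567890"
    print("current code:", totp(secret))
    print("phished password, no code:",
          login("chicagO#suzY%1029", secret, "chicagO#suzY%1029", "000000"))
```

The secret in the demo is the RFC 4226 test-vector key, so the codes it produces can be checked against the published vectors. The `window` argument is a deliberate trade-off: one step of tolerance keeps users with slightly wrong clocks from being locked out, while wider windows give a guesser proportionally more valid codes per attempt.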
Paranoid User
  • Use a password keeper program (See IronKey Personal S200) to generate a random password for each important online account
  • Use a different username for important online accounts.
  • Some online services, like Facebook, will track your browser/IP address and only let you log on from certain locations – turn this feature on
  • Run CCleaner daily to clear your browser cache