Have you ever been sitting in front of your computer, getting ready to purchase a gift for someone and just as you click on the checkout button you see the dreaded "Create a new account" option staring back at you? To me this means yet another password and user ID that I'll need to somehow remember but keep secure at the same time. To make matters worse, I need to figure out some way to allow my wife access to the account as well, without leaving the password lying around for any and all to pick up and use.
My idea: Create a password list!
Here's my example:
Create a simple word or text document on your computer, and choose a name that would not normally interest someone searching for passwords, such as FinalEssayOntheMigrationofBirds.doc or VehicleRepairTips.txt.
Next, fill it in so it looks something like this!
OnlineStore1 User3251 Y78
SuperBank 2729303 8n!
OnlineStore2 HappyMe123 Ii4
The first column is the purpose or website for the account; if you feel really daring, you can even turn this name into a link to the website where you use it. The second column is your user account or ID for that website. The last column is a short set of numbers, letters, or symbols that you either append to the end of your "known" password or place in front of it.
A "known" password is a simple word that is easy to remember for you and anyone you share the list with, for example November or Snowstorm might be common shared passwords. You'll never write or type this one anywhere; it should only be known by the people who share it.
For example, take the first entry above, OnlineStore1 User3251 Y78. If I were going to log in to OnlineStore1 with the account User3251, my password would be NovemberY78.
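As an added illustration (not part of the original post) of how the scheme works and what the list file actually protects, here is a small Python version: it parses the three-column list, builds the password as described, generates fresh fragments, and sizes the remaining search space once the list has been read. The sample list, the fragment alphabet and the 20,000-word dictionary estimate are constructed assumptions.

```python
import math
import secrets
import string

# Constructed sample list in the post's three-column layout:
# purpose/site, user ID, and the fragment added to the unwritten "known" word.
PASSWORD_LIST = """\
OnlineStore1 User3251 Y78
SuperBank 2729303 8n!
OnlineStore2 HappyMe123 Ii4
"""

# Assumed alphabet for generated fragments: 52 letters + 10 digits + 7 symbols.
FRAGMENT_ALPHABET = string.ascii_letters + string.digits + "!@#$%&*"


def parse_list(text):
    """Return {site: (user, fragment)} from the whitespace-separated list."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed rows rather than guessing
        site, user, fragment = parts
        entries[site] = (user, fragment)
    return entries


def compose_password(known, fragment, prepend=False):
    """Build the site password exactly as the post describes."""
    return fragment + known if prepend else known + fragment


def new_fragment(length=3):
    """Random fragment for a new row, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(FRAGMENT_ALPHABET) for _ in range(length))


def strength_bits(known_candidates, fragment_len, list_exposed):
    """Search space (in bits) a guesser faces for one site's password.

    known_candidates: plausible guesses for the 'known' word; a dictionary
    word like 'November' is one of a few tens of thousands, not 2**50.
    list_exposed: True once the list file has been read, which removes the
    fragment's contribution and leaves only the 'known' word to protect you."""
    bits = math.log2(known_candidates)
    if not list_exposed:
        bits += fragment_len * math.log2(len(FRAGMENT_ALPHABET))
    return bits
```

With the list exposed, a dictionary "known" word of about 20,000 candidates leaves roughly 14 bits; keeping the list private adds about 18 bits for a three-character fragment, which is why the strength of the "known" word matters more than the list.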
Hope this helps keep some passwords secure this shopping season!
Jacob Harris is a Vulnerability and Forensics analyst at Westfield Insurance. Sharing Knowledge. Building Trust.
I couldn't disagree more with this suggestion. With the sophistication of today's hackers and ID thieves this would be solved in no time at all. The idea of a password list alone is a bad idea, then to store it on the PC is just inviting trouble. As an information security trainer NEVER would I recommend this. My suggestion is just the opposite, no list on a PC and if you have a list, store it someplace very secure. Many people have minimal security protection on their PCs.
Posted by: Robert Yanus | 29 November 2010 at 13:21
Great advice! Now I won't dread changing my password as I will have a "plan". Thanks!
Posted by: Diane Booth | 29 November 2010 at 13:29
Robert
Thank you for your comment. You bring up a really good point - many people do not have the best security installed on their PCs. We have written about this on the blog before, and I think this is a good topic for us to revisit soon. Can you share your thoughts on how to have secure passwords without a list? I know many people who use the same password on every website so they can remember it, which isn't good either. I think your thoughts will be helpful to our readers.
Thanks again!
Posted by: Jacob Harris | 01 December 2010 at 13:20
Hi Jacob! Are you related to Jake Harris from “Deadliest Catch”? Ok, so much for humor – a few thoughts…
1. I think it is awesome that your employer is allowing your IT Security / Risk Management function to publicly blog.
2. Regarding your password list recommendation, what you have suggested could be practical for consumers depending on other security controls that prevent direct / indirect access to the password list.
a. We also have to keep in mind the capabilities of the “bad guys”. The approach you have outlined will probably stop an opportunistic script-kiddie or lesser skilled attacker (assuming they can get access to the file in the first place). This approach will not prevent higher skilled “bad guys” from being able to programmatically perform password guessing and just appending or prepending the values from the list to each guess.
b. To further build upon what you have suggested, I would submit that the “known” (not on the list) password needs to be complex as this would significantly strengthen resistance from password guessing attacks – should the list be compromised.
c. Ensure that OS patching and malware updates are regularly performed. These controls contribute to reducing the frequency of indirect access to the password list by bad guys or malware.
Of course – there are even additional steps we can take, but at the end of the day – and if we take a risk based approach to security – it comes down to layers of security that are hopefully low cost, practical, and address the majority of the bad scenarios.
Posted by: Risktical | 12 December 2010 at 07:31
I would suggest an application created just for this problem. Stores all your passwords encrypted with a master password for access. http://keepass.info/ or http://agilewebsolutions.com/onepassword
Posted by: Jon Bettinger | 13 December 2010 at 15:29
For those that use Outlook for e-mail, I have ended up saving all my log-in/password information in "notes" in Outlook. It keeps them in alphabetical order and is very convenient... But now I wonder if there are security concerns with this?
Posted by: Darrick | 16 December 2010 at 17:10