Password Protection

Can you remember all the user names and passwords that you've used at every Web site where you've ever registered?

I'll bet you can't. But it's no shame not to remember all these things off the top of your head. No one can.

That's why people write their passwords on Post-It notes and stick them on their monitors. And it's why Web browsers such as Internet Explorer and Firefox offer to "help you" remember your passwords - which means that anyone who borrows or steals your computer can log on and impersonate you at any of the "memorized" sites.

Internet Explorer. Microsoft's browser, known affectionately as IE, years ago began offering an "AutoComplete" function. This feature offers to remember IDs and passwords that you type on your keyboard. IE stores them in an encrypted file. In theory, those passwords are made available only when the person who stored them is logged on to Windows under his or her own account name (such as Brian123 or whatever).

The problem with this is not just that anyone can walk up to your PC in your absence, look through IE's history, and then log on as you at any password-protected site. Much worse is the fact that, even if you've logged off your Windows account, anyone can run a simple utility and read IE's "encryption-protected" file to discover your passwords.

Mozilla Firefox. The new, free Firefox browser, developed by the not-for-profit Mozilla Foundation, also offers to store user names and passwords that you enter at Web sites you visit. To its credit, Firefox 1.0 can store this sensitive data in an encrypted form that we don't believe has been compromised.

Unfortunately, Firefox doesn't encrypt your saved passwords by default but leaves them wide open. You can only have your passwords encrypted if you take steps to set a "master" password. (To do this in Firefox 1.0, click Tools, Options, Privacy, Set Master Password.) Before Firefox will then provide your passwords to a Web site or anyone else, the master password must be entered.

If you use a USB drive to store your passwords in a secure manner, you can make your browser stop storing passwords on your hard disk. To do this in Firefox, click Tools, Options, Privacy and turn off "Remember Passwords." In IE, it's Tools, Internet Options, Content, AutoComplete and turn off "Use AutoComplete for user names and passwords on forms."

In a corporate environment, you can use Group Policy to prevent browsers from storing login passwords. To do this for IE, set Active Directory to "Disable AutoComplete for forms" and "Do not allow AutoComplete to save passwords."

Never share your password with anyone, not even a relative or colleague. If another person has your password, they can, for all computer purposes, be you. This extends far beyond simply reading your email. In world, this would include sending email as you, gaining access to sensitive financial or health information, and changing where your paycheck goes, and is considered a serious policy violation. But it's just not a smart thing to do anywhere.

It's very important to use different passwords for different systems. This limits the damage a malicious person can do should a password fall into the wrong hands. Everyone understands that it's nearly impossible to memorize a different strong passwords for each service you need to log in to. It's a good idea to have a set of four or five very strong passwords that you use on different systems.

Do everything you can to memorize your passwords, but if, for some reason, you absolutely must write down a password, always keep the note with you or in a locked file, and do not write down the corresponding ID.

Fortunately, the plunging cost of memory has given rise to a possible solution to the password-recall problem: store your user names and passwords on a removable USB Flash drive. You protect the device with a single, "master" password. All you have to do is remember that one code to access all the passwords you've stored.

Use strong passwords everywhere.

No matter how many walls are placed around your machine, there is always a key for complete access: your password. There are countless programs that attempt to determine passwords, both by guessing common ones and by randomly generating possibilities and trying them all, or a combination of the two.

The best defense is a "strong password". A strong password is a combination of numbers, uppercase letters, lowercase letters, and, if possible, other characters. This makes the password nearly impossible to guess in a reasonable amount of time, and ensures that all the hard work you put into keeping your machine well-defended does not go to waste. The longer the password, the harder it is to guess.

Of course, as passwords get closer to random numbers and letters, they also get harder to remember. That doesn't mean that you have to fall back on a weaker password, though. You can use "m15peLL", "w0Rdz" intentionally, or use a mnemonic device like a strong pass phrase. Be sure to read the Microsoft article below for some very useful advice on this subject.

Always be sure to change your password if you think that there's a chance that someone else has seen it.

Microsoft's Guide to Creating Stronger Passwords