A couple weeks back, Guitar Hero asked me how secure my email was. How often I’d changed my passwords and if I had backed up my mail. As I blogged about on Friday, I’d recently switched from reading my email online via Gmail to downloading it using Outlook Express. So I could assure him that I did have a backup of it (which reminds me, I should back it up again.) But I hadn’t changed my passwords recently. Something I’m normally fairly anal about.

A week later, (and my passwords still hadn’t been changed) I read on one of my loops that a fellow author’s email had been hijacked. The author was alerted by a friend and within a matter of hours had regained control (I’m not sure how) but it was long enough that whoever did it still had time to delete everything in the account including her first contact emails from her agent or editor. I’ve heard of similar things happening to blogs and how years of posts have disappeared.

Yesterday I got an email from gmail (love saying that one!) asking for a verification for one of my accounts to be forwarded to an account that doesn’t belong to me. Yikes. It’s probably the result of a typo as someone typed in a similar name. Hopefully. Luckily enough it was an old account, but it had some important treasured data on it – reviews of some of the first stories I’d put “out there.” It also had email addresses of people that I didn’t want to make equally vulnerable. And worse, it linked to my current account.

Obviously I didn’t hit “confirm”. But it left me rather paranoid.

I have two systems – a PC and a Mac. Since Macs tend to be less vulnerable to hackers, and since I’d worried about a possible keystroke catcher slipping by my virus checker, I switched over to the Mac and changed all my passwords just to be on the safe side.

I used to work with a major Canadian bank who insisted we change our passwords every 30 days and you weren’t allowed to repeat them within so many months. Trouble with passwords is you have to choose something you’ll remember. I know people who chose passwords like “June” if it was June, then when July came they’d switch it to July thereby avoiding the repetition issue. I know one person who even chose the obvious “Password1” or “Password2” and so on. Some people would choose their child’s name and combine it with a birth day or birth year, for instance, if you had a son named Steve who was born in 1993, you might choose Steve93.

Trouble is, all those are easily guessed even if it’s encrypted. First off hackers have programs that have every single word in the dictionary entered so if they do have a keystroke capturing program, they simply compare your encrypted data to their file and up comes “June”. What about Steve93 you ask? Well, if you have a blog, people can follow along and with a little homework can discover a treasure trove of information about the account owner. With a little time and effort, they’d garner your birthday, your kids’ names, your spouse’s name, anniversaries, where you live, etc. If you own a website and haven’t taken the privacy protection a lot of providers offer, you can do a whois on a website and discover the domain owner’s address and even phone number. Using that information, it’s then a matter of simply plugging in the variables. (Anyone remember watching War Games where a very young Matthew Broderick had written a program for his computer to do that? And that was back in the 80s – password crackers are infinitely better these days.) It’s scary stuff.

I almost deleted this post because I worried that perhaps now hackers might target my accounts. As I said, I’m paranoid, but I think this is one issue where everyone should be slightly paranoid.

When I worked as a tech support analyst on a help desk, I couldn’t believe the number of people who ran their computers without anti-virus software. Who didn’t have firewalls, or update their computer software regularly. And then they’d phone us wondering why their computer wouldn’t work, or their ISP had banned them for spamming people.

Keep your software up to date – the developers *cough*Microsoft*cough* are constantly finding holes in their designs that allow hackers in, and those updates are often patches to close those holes after the fact.

Make sure your anti-virus software is kept up to date. Install and maintain your anti-virus software, and better yet software that scans for spyware and prevents bot programs from installing that virus checkers miss. Ad-aware, Spybot, there are several out there that are cheap if not free, easy to use and are still quite effective.

If you have a router in your home, turn on its security – enable its WEP, WPA or WPA2 – it’s not hard to do. This will prevent other people from “wardriving” where they drive around your neighborhood and find an available wi-fi signal and use your bandwidth to download whatever they heck they want, or even hack into your computers.

And most important, change your passwords regularly, especially if you have a laptop and used someone else’s wi-fi recently – whether it’s when you pop into your local Starbucks or are hanging around at the airport or hotel. What some people do is change it before they leave and then change it again when they get back.

  • Don’t use words found in the dictionary.
  • Don’t use your phone number or street address, your birthday or your anniversary. They’re too easily guessed.
  • Keep your passwords longer than 6 characters, preferably 8 or even 10 characters long.
  • Use a mix of capitals, lower case, numbers and special characters like * or %. Yeah, they’re a pain in the butt to remember, especially with the number of passwords we have to have these days. But they’re much harder to crack that way.
  • Some articles I’ve read recommend using a mnemonic phrase that only you would know or remember. “I was married in Peterborough Ontario 31 years ago” Would create a password of IwmiPO31ya. That’s a strong password because it’s got a combination of upper and lower case letters as well as numbers. To make it stronger I could have added a * somewhere in there.

I just went through and counted my passwords – I have 62 separate passwords and I know I’m missing a couple in that list. And that’s not including my laptop and desktop power on passwords, nor my ATM number; it doesn’t include the code to my garage door opener, nor my ISP login information. (Heaven help my family if something ever happens to me and they have to get into my computer.)

They say don’t write down your passwords. Guess what. With over 62 passwords to keep track of, I have to write them down. But I don’t keep it online, I haven’t made a Word doc called “Passwords” (Yes, I know someone who has done that.) Nor do I keep them on a PDA or cell phone that could get stolen or lost. I keep a tiny address book where I enter the password and other info as if it were a friend’s address. And I don’t carry it with me. Ever. Yes, the address book could get stolen, but if they’re in my house, in my office and able to steal it, I’ve got bigger problems than just stolen passwords as annoying and aggravating as that would be.

Oh, and another tip? You know some of those Twitter and Facebook ‘games’ that offer to come up with a pseudonym or ‘Porn name’ by asking you to input the name of your first pet along with your mother’s maiden name? Guess what? They’re gathering information as those are often your safety questions for when you forget your password. Don’t play.

(Articles you may want to read if you want to know more: PC 911 or “Creating a Strong Password” by Microsoft.)

Personal Protection of a different sort
Tagged on:     

One thought on “Personal Protection of a different sort

  • June 9, 2009 at 1:03 pm

    A very timely post, Leah. I know I don't change my passwords nearly enough. As you say it's difficult to remember a lot of passwords without writing them down!

Comments are closed.