Article
Identity theft was the most commonly reported complaint to the Federal Trade Commission in 2004, up 15% from 247,000 complaints in 2003. The problem has intensified because of the speed...
Identity theft was the most commonly reported complaint to the Federal Trade Commission in 2004, up 15% from 247,000 complaints in 2003. The problem has intensified because of the speed and availability of information on the Internet; however, as we need to remember more usernames and passwords to access various accounts, we are becoming increasingly less careful when choosing our user name—password combinations.
Identity thieves are primarily after one thing: your passwords. Once the culprits collect your passwords, they can gain access to your accounts, steal your identity, and use the information for personal benefit. “Phishing” and “password hacking” are two popular identity theft practices. Phishing is a widespread form of Internet piracy wherein practitioners “fish” for your personal financial information—account numbers, Social Security number, passwords, etc—by “masquerading as a trustworthy person or business in an apparently official electronic communication, such as an e-mail.” Thieves use this confidential information to run up bills on your credit or debit cards, take out loans, or even obtain a driver’s license in your name. Typically, a phishing e-mail appears to come from a reputable company that you recognize and may do business with, such as your bank, PayPal, or eBay. The e-mail will warn you of a problem that requires you to take immediate action to update or confirm your personal account information. The e-mail will instruct you to follow a link to the institution’s website. The website will actually be phony, but will look like the real thing. If you provide personal financial information, you may become a victim of identity theft.
Password hacking commonly occurs by guessing people’s passwords based on personal information, or through the use of password hacking software. Password hacking can be avoided with minimal effort. This article examines some of the best and worst password practices and gives you simple, easy-to-follow ideas on how you can improve the security of your digital identities.
Passwords: Highly Important, Yet Ill-Protected
With the coming of the digital age and the need for instant access to information, passwords are absolutely essential to restrict access by non-valid users. We must enter passwords every time we logon to our computer, start an application, open our e-mail, or conduct any type of business on our computers. Our list of passwords continually grows and never seems to stop expanding. Instead of remembering one password, as was needed in ancient times, it’s now common for a typical computer user to remember 20 to 30 different passwords, or more.
As more passwords are required, they become more difficult to manage; as a result, we take short cuts with our passwords and compromise the security of our personal information and digital identities.
What We Typically Do Now
Many of us choose a simple word that is easy to remember, such as our:
• Name or initials• Child’s name• Pet’s name• Favorite sports team
Although this is a common practice for many of us, it should be avoided. Hackers can guess these passwords if they know some basic personal information about us or are armed with the most simplistic password hacking programs.
Maybe you are smart enough to avoid this practice, but you may have adopted some others that are putting you at risk for identity theft. Review the information on the next page to find out if you are putting your identity at risk with poor password management practices.
Of course, there’s no substitute for remembering every combination username and password, but when you find that this becomes overwhelming, instead of lowering your password management standards, you can invest in a secure password management tool.
GOOD PASSWORD MANAGEMENT PRACTICES
Good password management practices will help you optimize the security of your personal information online. Perhaps the single most important thing to remember when creating a new password is to make the password hard to guess, but easy to remember. While it may seem easier said than done, using the following guidelines will help you to start using passwords that are more secure than those you are using now.
Make your existing passwords more secure. There are several techniques you can employ to make your existing passwords more difficult for hackers to crack. You can:
• Use the first letter from every word in your favorite expression, or line in a story, poem, or movie.
• Choose a word as your password, but then substitute similar-looking numbers for letters in your passwords.
(eg, “Football” is “F00t8a77,” or “sneakers” is “5n3ak3r5.”) These numbers could be substituted for letters:
O I Z E H S G L B
0 1 2 3 4 5 6 7 8
• Choose a password that you want to use and then come up with a keystroke mapping system.
(eg, use an “upper-left” keystroke system by using the letter to the upper-left of the actual key you wanted. For “football,” your keystroke password would be “r995gqoo.”
Use a combination of letters and numbers that cannot be found in a dictionary. A combination of 6-8 capital and lower case letters, numbers, and symbols will work best.
Change your password regularly—once every three months at a minimum. Always log off and close your browser when you have finished visiting a site.
Identity thieves are primarily after one thing... your p***words.PASSWORD MANAGEMENT PRACTICES TO AVOID
Don’t use dictionary words, proper nouns, foreign words, or backwards words.Don’t share your password with anyone!Don’t write your password on a Post-it and stick it on your monitor or any other easily accessible location.Don’t save your password as part of an automatic login script. Don’t rely on Internet Explorer’s AutoComplete function.Don’t allow a website to store your password. Passwords saved in these programs are not secure and hackers are increasingly gaining access to servers where your passwords are stored.
Don’t use personal information in your passwords (eg, your name, child’s name, occupation, telephone number, etc.)
Don’t keep a record or list of your passwords in an unencrypted file on your computer, where it is susceptible to hacking.
Don’t choose or change your passwords on a public computer or in a public place (eg, an Internet cafe).
Don’t use the same password on multiple accounts.
Don’t use some of the most commonly used passwords, (eg, “password,” “qwerty,” “1111,” and “admin.”).
Summary
In today’s world, we need a password or PIN everywhere. Let’s be honest: remembering our passwords can be annoying and somewhat overwhelming. So instead of keeping up our good password management practices, we tend to be a little less secure so that we can remember our passwords. We do this knowing that we are increasing our risk of exposure, but the alternative can be downright intimidating. Remember: a small investment of your time today will help prevent theft and identity loss tomorrow.
Bill Carey is the Vice President of Marketing at Siber Systems, a software company based in Fairfax, VA, whose RoboForm software is a password management and form-filling tool.
Online Security Resource Center
KEY:
P — Specific Product;
FP — Freeware, Specific Product;
V — Vendor, sells multiple products;
A — News article or how-to;
U — Online tool/utility
INVASION PROTECTION
Direct attack by malicious programmers is likely the most potentially devastating threat to your online security. A well-prepared hacker can penetrate an undefended computer quickly and easily; from there, the invader can destroy or misappropriate information, plant viruses or spyware (see below), or do irreparable harm to your computer’s operating system. While the odds of a hacker specifically targeting your computer system are long, the potential for massive and lasting damage is sufficient to make defensive measures—such as up-to-date firewalls and similar systems—a prudent choice.
P - Norton Internet Security 2006
This software package, from one of the two (with McAfee) most recognizable names in the IT security business, bundles an antivirus application, a personal firewall, spam filtration, and a parental control program into one integrated solution. Widely considered the best in the business for broad protection against a wide range of threats, the software updates frequently enough to keep pace with enterprising hackers.
V, A, U - Panda Software
In 2005, PC World named Panda’s Platinum Internet Security, another integrated safety system, the top integrated solution in terms of spyware/adware detection and elimination, although the program (the full version sells for about $80) lags behind its competitors in other areas. Panda’s home site also sells more elaborate security systems for businesses, posts periodic articles on safety and security, and features a free utility designed to test the weaknesses in your computer.
P - PC-Cillin
Another security system to incorporate antivirus and firewall technologies, spam filtration, and adware removal, PC-Cillin is slightly more expensive than, but very similar to, its better-known competitors. C-NET, ZD Net, and PC World have named this product among the best of its kind, so users who find that Norton or Platinum fails to meet their needs should definitely take a look.
PASSWORD MANAGEMENT
Effective use of passwords can keep sensitive information secure, both from online invaders and from curious patients who might wander by an office computer. Choosing, remembering, and appropriately utilizing passwords can be a more significant challenge than you might expect; the resources and applications profiled here are designed to help.
This outstanding password management program functions differently from most programs of its kind. The program stores all of the passwords for a given set of applications, but does not require user intervention each time a password is required. Instead, the user simply signs on once, with a master password; sign-on to all applications is automated from that point. Allowing for quicker and more convenient navigation, OneSign is primarily targeted toward small business and enterprise solutions.
P - KeyPass
Key Pass is a straightforward password management application that automatically enters passwords with the press of a hotkey. It distinguishes itself by utilizing encryption technology to ensure complete security. The program does not store any information in the Windows registry but rather in its own encrypted database; as a result, KeyPass can be stored on an external device and used on the go.
Password Manager remembers passwords for e-mail logins, shopping orders, banking, and other online activities and can manage multiple password databases for different members of the family. Because the product is produced by Symantec, the same company responsible for the Norton Internet Security Package profiled above, passwords are obviously stored under the strictest security.
PHISHING PROTECTION
Wikipedia defines “phishing” as an attempt to “fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as e-mail or an instant message.” Readers are advised to use these resources to learn more about phishing, how to prevent it, and how to recognize it when it occurs.
A, U - Anti-Phishing Work Group
This nonprofit organization’s home site includes a host of articles, with information on the basics of phishing, discussion of recent trends in electronic crime, and a good deal of advice for consumers (a tool to report phishing is also available). This site is probably the best starting point for any reader interested in learning more about this unfortunate practice.
A - The Field Guide to Phishing
This illustrated, colorful, and often humorous dissection of common—and sometimes clever—phishing schemes also provides advice on recognition and analysis of common features. Very highly recommended.
A - Online Identity Theft: Many Medicines, No Cure
This article discusses standard and emerging methods of curbing online identity theft.
SPYWARE REMOVAL
For our working definition of spyware, we turn once again to the Wikipedia: “malicious software designed to intercept or take partial control of a computer’s operation without the informed consent of that machine’s owner or legitimate user.” Such a program may actually track and monitor your online activities, subject you to pop-up ads, or even steal important information, such as credit card numbers and other personal information. Spyware is presently considered to be the pre-eminent threat for computers running under the Windows operating system.
This program could not be simpler, or more valuable. It scans your entire computer or system. It finds any known spyware (and detects variations on existing spyware). It then alerts you to these applications and allows you to delete them. The personal version of the program is free; more elaborate versions designed to scan small and medium business networks are available at a modest price.
A, U, FP - Microsoft Spyware Center
Tips on preventing spyware, a spyware quiz, and various articles make this a good educational resource on this subject; antispyware software from Microsoft, an interactive community, and a free security newsletter give it practical value as well.
FP - Spybot Search and Destroy
This user-friendly spyware detection software is also free of charge; we recommend running it in concert with Ad-Aware, in the hopes that one will catch what the other misses. ScanComplete makes it available here and features a variety of security-related freeware, making it definitely worth a look.
VIRUS PROTECTION
The most feared entities in the Internet security business are still the viruses, which can wreak enormous havoc on an epic scale. Comprehensive virus protection is an indispensable element of any effective online security strategy. Here, we offer specific antivirus software, as well as links to news and articles about viruses, in an effort to help keep you uninfected.
FP - AVG Antivirus (Free Edition)
Among the features of this free program: an on-demand scanner allowing the user to schedule tests or run them at will; an e-mail scanner; free virus database updates for the life of the product; and more.
This clear, concise, and entertaining overview of the virus phenomenon includes a detailed description of exactly how various types of viruses affect a computer, as well as how viruses spread. The subject is covered in surprising detail, with thorough analysis of several notorious viruses from the past. Effective hyperlinking among different parts of this article allow for quick navigation to topics of interest.
V - McAfee Antivirus
McAfee’s antivirus products include “Managed Virus Scan,” a solution for small and medium businesses in which the company’s experts update the product “24/7,” allowing real-time response to developing events. The company also sells its popular personal virus scan application through this site for $40.