IQ Crew
Wednesday November 4, 2009 9:28:18 AM
I tried to remember all my user names and passwords until it got totally unmanageable. Now I use long mangled passwords for most sites, keeping the usernames/passwords in an encrypted file on a USB stick. Now I just have to remember the passphrase for the file, decrypt the file when I'm working, and destroy the unencrypted file when I'm done. I keep the encrypted file in my regular backups in case I lose my USB stick. I'm sure that there are hundreds of ways to do what I'm doing, if my system doesn't suit. Now I don't have my dog's name as a password unless my dog is named 7Uye$nn297Tt.
Ken Owen www.eowen.com
Rank: Web master
Wednesday November 4, 2009 7:46:15 AM
This morning's Suggested Reading:
Corporate bank accounts targeted in online fraud
Until we have effective Computer Security it is unwise to conduct commercial business over the net. As the Net is becoming de rigueur as a business tool it may become necessary to enact government regulations mandating security. None of us want that, so let's clean up the mess ourselves. Correct the thinking for over-the-air or over-the-net program updates from "anything goes" (Cowboy Programming) to require all program updates to be authenticated using a digital trust model and digital certificates.
Today we often see a pop-up message like: "This website wants to install (...)"
The next thing we should see is a UAC dialog indicating whether the proposed update can be authenticated. Is it what it says it is? Has it been tampered with? Is it really from the source that claims to have sent it?
All of these questions can be answered using the digital certificates in a Trust Model -- and the required processing should be an automatic function of UAC.
Due Date: NLT Win7/SP2
There's a time and a place for everything. But if you are going to use a computer for commercial business -- either at home or at work -- Cowboy Programming cannot be tolerated. Perhaps you might use a Virtual Machine to experiment with -- if you are into that.
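The authenticated-update check described in the post above, as an added example that is not part of this thread or of any vendor's product: a Go program in which the publisher signs each update with an Ed25519 key and the client checks the signature against a trust store before anything is installed. The vendor name "Example Corp", the key pairs generated in-process and the update bytes are all assumptions made for the example; in a real deployment the public key would reach the client inside a certificate chaining to a trusted root, not be generated beside the verifier.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Publisher is the party that ships updates. Only the public key would be
// distributed to clients (inside a certificate chaining to a trusted root);
// the private key stays with the vendor.
type Publisher struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{Pub: pub, priv: priv}, nil
}

// SignedUpdate is what travels over the wire: the payload, the claimed
// vendor name and a signature over both.
type SignedUpdate struct {
	Vendor    string
	Payload   []byte
	Signature []byte
}

// digest binds the vendor name to the payload, so a valid signature cannot
// be re-presented under a different vendor name.
func digest(vendor string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(vendor))
	h.Write([]byte{0}) // separator: "ab"+"c" must not collide with "a"+"bc"
	h.Write(payload)
	return h.Sum(nil)
}

func (p *Publisher) Sign(vendor string, payload []byte) SignedUpdate {
	return SignedUpdate{
		Vendor:    vendor,
		Payload:   payload,
		Signature: ed25519.Sign(p.priv, digest(vendor, payload)),
	}
}

var (
	ErrUntrustedVendor = errors.New("vendor is not in the trust store")
	ErrBadSignature    = errors.New("signature does not verify: payload tampered with or signed by the wrong key")
)

// Verify answers the post's three questions before anything is installed:
// is the named vendor one we trust, did that vendor really sign this, and
// is the payload unchanged since it was signed.
func Verify(trustStore map[string]ed25519.PublicKey, u SignedUpdate) error {
	pub, ok := trustStore[u.Vendor]
	if !ok {
		return ErrUntrustedVendor
	}
	if !ed25519.Verify(pub, digest(u.Vendor, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	vendor, _ := NewPublisher()
	attacker, _ := NewPublisher()
	// Hypothetical vendor name; the client pins only the public key.
	trust := map[string]ed25519.PublicKey{"Example Corp": vendor.Pub}

	genuine := vendor.Sign("Example Corp", []byte("update v2 contents"))
	tampered := genuine
	tampered.Payload = []byte("update v2 contents plus a backdoor")
	forged := attacker.Sign("Example Corp", []byte("update v2 contents"))

	for name, u := range map[string]SignedUpdate{"genuine": genuine, "tampered": tampered, "forged": forged} {
		fmt.Printf("%-8s -> %v\n", name, Verify(trust, u))
	}
}
```

The verifier is deliberately keyed by vendor name: a signature that is valid for one publisher is rejected when presented under another name, which is the case a bare "is the signature valid" check misses.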
IQ Crew
Tuesday November 3, 2009 1:39:11 PM
Sadly enough this is true. And more people need to be aware of (and understand to some degree) this fact. It should be part of public school or high-school curriculums.
Rank: Web master
Tuesday November 3, 2009 8:21:34 AM
TSA: "Let's face it - malware is everywhere and using locked-down systems, as Michael mentions in the previous comment, is simply not practical for every-day use."
Let's face it: if your computer is infected you don't have security. You don't even know what your computer is doing.
It's like I cut the shaft that connects your steering wheel to your steering mechanism. You can turn the wheel -- but it no longer controls your car...
So it is with malware.
Malware can:
- see your screen (even hidden fields)
- type on your keyboard (enter keystrokes as though they were typed)
What this means: Until malware is stopped computers should not be used to conduct business over the web.
Authentication is the key to stopping malware. Malware is basically just un-authorized programming.
In order to stop malware all software updates must be authenticated.
And if you think this is going to inhibit your use of your computer, think again: it will only deny the use of your computer to the attackers -- which will leave the use of your computer to you. As it should be.
UAC is a huge step in the right direction. All they need to add is an automatic trust model so that UAC can authenticate updates and present the result of that to the user when it throws a dialog.
Rank: Web master
Tuesday November 3, 2009 5:42:09 AM
Good tips on password management, Tom. Using pass phrases instead of passwords is also something I utilise to keep easy to remember passes.
However, I think the use of passwords alone as a challenge-response auth system is too outdated for today's security requirements. Let's face it - malware is everywhere and using locked-down systems, as Michael mentions in the previous comment, is simply not practical for every-day use.
Multiple-factor authentication may be the answer. It doesn't have to be biometrics or tokens - simple techniques such as the use of graphical symbols help! Simplicity is the key after all.
Thinkernetter
Monday November 2, 2009 11:37:48 PM
So many web sites fail to truly support password security. They have nice little messages saying that you should create a secure password but then they don't enforce anything more than basic rules like a minimum number of characters. More importantly - they do not enforce regular password changes.
If you want to talk real security there should be rules (PCI - Payment Credit card industry would be a great place to start) that require any site that stores credit card data to require password changes at least every 6 months.
I appreciate the few websites that enforce password changes - I momentarily curse them - but after the few seconds of work - I truly appreciate their real efforts to endorse good security.
Thinkernetter
Monday November 2, 2009 4:22:09 PM
Michael,
I agree there are a number of good password management solutions available that can greatly assist you with your day to day activities. However, the first point I am trying to accomplish is to get individuals to at least change their passwords twice a year. The second point is that regardless of whether you take advantage of a password management system, it does not mean you should not change your personal passwords on a scheduled basis.
Thinkernetter
Monday November 2, 2009 3:50:46 PM
As for having a malware-free computer: you can have the best passwords in the world and if crimeware like Zeus or URLZone is installed on your computer you are in deep trouble. They both start after the user has logged into the financial portal.
Experts are recommending only using a known malware-free computer with a Linux OS, iPhone, or LiveCD (Linux-based) to do any on-line transactions.
On another note, why not use one of the many open-source password safes to manage passwords? I use Password Safe. It's portable as well, so it works on any computer.
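The scheme in IQ Crew's post near the top of the thread (one encrypted credential file, unlocked with a single passphrase and wiped when done) and the open-source password safes mentioned in the post above both rest on the same mechanism: a key derived from the passphrase and an authenticated cipher over the file. The following is an added example, not code from this thread or from Password Safe: Go with only the standard library, PBKDF2-HMAC-SHA256 written out in full and AES-256-GCM for the file itself. The sample vault contents and passphrase are constructed for the example, and the iteration count is an assumed cost setting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

const (
	saltLen    = 16
	keyLen     = 32      // AES-256
	iterations = 100_000 // assumed KDF cost; raise it as hardware gets faster
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018), written out so the
// example needs nothing outside the standard library.
func pbkdf2SHA256(passphrase, salt []byte, iter, n int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	out := make([]byte, 0, n+prf.Size())
	for block := uint32(1); len(out) < n; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)             // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U_1
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_j = PRF(P, U_{j-1})
			for j := range t {
				t[j] ^= u[j] // T ^= U_j
			}
		}
		out = append(out, t...)
	}
	return out[:n]
}

var ErrCorrupt = errors.New("vault is corrupt, was tampered with, or the passphrase is wrong")

func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen)
	defer Zero(key)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the vault. Layout: salt || nonce || ciphertext+tag. Salt and
// nonce are bound in as additional data, so they cannot be swapped unnoticed.
func Seal(passphrase string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+12) // 12 = GCM standard nonce size
	if _, err := io.ReadFull(rand.Reader, header); err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase, header[:saltLen])
	if err != nil {
		return nil, err
	}
	nonce := header[saltLen:]
	return append(header, gcm.Seal(nil, nonce, plaintext, header)...), nil
}

// Open decrypts the vault; any bit flip or wrong passphrase fails the GCM tag.
func Open(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, ErrCorrupt
	}
	gcm, err := newGCM(passphrase, blob[:saltLen])
	if err != nil {
		return nil, err
	}
	hdr := saltLen + gcm.NonceSize()
	if len(blob) < hdr+gcm.Overhead() {
		return nil, ErrCorrupt
	}
	pt, err := gcm.Open(nil, blob[saltLen:hdr], blob[hdr:], blob[:hdr])
	if err != nil {
		return nil, ErrCorrupt
	}
	return pt, nil
}

// Zero overwrites a buffer once the secret is no longer needed (the post's
// "destroy the unencrypted file"); best effort only, since Go may have copied it.
func Zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	// Constructed sample vault contents: site, user, password per line.
	contents := []byte("example.com\talice\t7Uye$nn297Tt\nbank.example\talice\tQm4#xzPw81vLk2\n")
	blob, err := Seal("a long memorable passphrase", contents) // assumed passphrase
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes into %d bytes\n", len(contents), len(blob))
	got, err := Open("a long memorable passphrase", blob)
	if err != nil {
		panic(err)
	}
	fmt.Print(string(got))
	Zero(got)
	_, err = Open("wrong passphrase", blob)
	fmt.Println("wrong passphrase:", err)
}
```

Two points the post's own workflow depends on are made explicit here: the file is authenticated as well as encrypted, so a modified copy from a lost USB stick is rejected rather than silently decrypted to garbage, and a fresh salt per Seal means two backups of the same vault do not share a key.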
Rank: Web master
Monday November 2, 2009 3:40:37 PM
Look up commonly used passwords (Google).
If you use one of the common passwords an attacker can break in within a few hundred tries, likely at most.
So you want to make the password odd enough that it isn't found on the common passwords list and you will force the attacker into brute force mode,
which will likely not be used.
Instead the attacker will plant a keyboard logger on your machine and let you tell him what your password is. That way his botware can proceed on automatic.
Note that if you have a three-strikes-and-out policy (three successive invalid passwords and the account is disabled), the odds of an attacker hacking a decent password go astronomically off scale.
Users will persist in using common-use passwords unless you put a stop to it.
So it is not nearly so critical to change passwords all the time as it is to avoid common-use passwords and keep malware out.
If we would implement SINGLE LOGON users would be MUCH MORE COOPERATIVE.
Single Logon: you give your user ID and password ONCE: when you open your desktop. After that each launch icon uses a RUN AS to change the USER ID -- and hence the permissions -- creating effective security and single logon in one move. Why does Microsoft ignore us all the time?
Like Johnny Cash said in his shoe-shine song: This world needs a lot more shining and a lot less poppin'!
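The password points in the post above (the common-password list, the brute-force fallback, and what a lockout does to the attacker's odds), as an added example that is not from the thread: Go code that flags passwords a cracking wordlist would catch even after the usual substitutions, estimates the guess space of a password that is not on such a list, works out the attacker's success probability under a guess budget, and generates passwords of the kind IQ Crew's post describes. The common-password list here is a short constructed stand-in for a real leaked list, and the list size of 10,000 used in the calculation is an assumption.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// commonPasswords stands in for a published leaked-password list; this short
// version is constructed for the example.
var commonPasswords = map[string]bool{
	"password": true, "123456": true, "qwerty": true, "letmein": true,
	"welcome": true, "monkey": true, "dragon": true, "rover": true,
	"abc123": true, "iloveyou": true, "football": true, "baseball": true,
}

// leet undoes the substitutions that every cracking wordlist already tries.
var leet = strings.NewReplacer("0", "o", "1", "i", "3", "e", "4", "a", "5", "s", "7", "t", "@", "a", "$", "s", "!", "i")

// IsCommon reports whether the password, after lowercasing, dropping a
// trailing run of digits/punctuation and reversing leet substitutions, is
// on the list. These variants are in an attacker's first few hundred guesses.
func IsCommon(p string) bool {
	lower := strings.ToLower(p)
	stripped := strings.TrimRight(lower, "0123456789!.?")
	for _, c := range []string{lower, stripped, leet.Replace(lower), leet.Replace(stripped)} {
		if c != "" && commonPasswords[c] {
			return true
		}
	}
	return false
}

// GuessSpaceBits is log2 of the keyspace a brute-force attacker must cover,
// assuming the password is random over the character classes it uses.
func GuessSpaceBits(p string) float64 {
	var lower, upper, digit, symbol bool
	for _, c := range p {
		switch {
		case c >= 'a' && c <= 'z':
			lower = true
		case c >= 'A' && c <= 'Z':
			upper = true
		case c >= '0' && c <= '9':
			digit = true
		default:
			symbol = true
		}
	}
	size := 0
	if lower {
		size += 26
	}
	if upper {
		size += 26
	}
	if digit {
		size += 10
	}
	if symbol {
		size += 33 // printable ASCII punctuation
	}
	if size == 0 {
		return 0
	}
	return float64(len([]rune(p))) * math.Log2(float64(size))
}

// SuccessProbability is the chance an attacker with `guesses` attempts hits a
// password drawn uniformly from a space of 2^bits. Three strikes and lockout
// means guesses = 3 per account; a common password means bits ~ log2(list size).
func SuccessProbability(bits, guesses float64) float64 {
	return math.Min(1, guesses/math.Exp2(bits))
}

const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@^_~"

// Generate draws n characters uniformly from charset with crypto/rand;
// rand.Int avoids the modulo bias of `byte % len(charset)`.
func Generate(n int) (string, error) {
	out := make([]byte, n)
	max := big.NewInt(int64(len(charset)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, max)
		if err != nil {
			return "", err
		}
		out[i] = charset[idx.Int64()]
	}
	return string(out), nil
}

func main() {
	const listSize = 10000 // assumed size of the attacker's common-password list
	generated, _ := Generate(16)
	for _, pw := range []string{"P@ssw0rd", "Rover2009", "7Uye$nn297Tt", generated} {
		if IsCommon(pw) {
			fmt.Printf("%-18s on the common list; P(hit in 3 tries) = %.2e, expect a break-in within a few hundred tries\n",
				pw, SuccessProbability(math.Log2(listSize), 3))
			continue
		}
		bits := GuessSpaceBits(pw)
		fmt.Printf("%-18s %.1f bits; P(hit in 3 tries) = %.2e; P(hit after a year at 1e9 guesses/s) = %.2e\n",
			pw, bits, SuccessProbability(bits, 3), SuccessProbability(bits, 1e9*86400*365))
	}
}
```

The numbers make the post's argument concrete: with a lockout after three failures the attacker's chance against a random 12-character password is on the order of 10^-23 per account, while against a list password it is 3 in 10,000 per account, which is enough when the same attempt is run against every account on the site.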
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.