It was when I had to click my third "I forgot my password" link in as many days that I realized I need a Password Strategy.
Until then I had been scraping by with a battle plan inspired, perhaps, by Custer. I used my ATM password, family names and birth dates, and my e-mail address in varying combinations that I tried, but apparently failed, to keep uncomplicated.
As safety plans go, this scattershot system was more ADD, the disorder, than ADT, the security services company. Worse than that, it was seriously jeopardizing my personal information. What kind of idiot offers up the same password that protects his online bank accounts to some cyber-retailer he's visiting one time to buy a discount memory card?
This kind of idiot -- the kind who needs a Password Strategy, which means, ultimately, picking some password-management software and letting it strengthen your passwords, and do the dirty work of remembering the new, complicated ones it has come up with. All you have to do is remember the one password that gets you into the password manager.
Having a Password Strategy used to mean you were a contestant on Allen Ludden's game show. Your strategy was to voice meaningful clues in a portentous tone, then raise your eyebrows at your partner expectantly.
Then came ATM cards. Dial-in voice mail. Telephone banking. Their little codes seemed a pain at the time, but what an idyll it looks like from today's perspective.
If you're even a little bit digitally inclined, you've got password-protected accounts for at least some of the following: Amazon, eBay, your bank's Web site, BestBuy.com, the Bloglines RSS reader.
You've got passwords for accessing your office e-mail from home and your home e-mail from the office, your credit card companies, mortgage company and home equity company. And I could name a dozen more.
All of these services make life more convenient -- except for the potential Achilles' heel of security and the definite Achilles' heel of password management.
So what to do?
First, get your home wireless network under strong security, with one of those ridiculously long letter-number keys. If you haven't done that yet -- if you're one of the people whose network anyone in the neighborhood can access -- fix it immediately. Small bother, big benefit.
Don't try to compensate for your security hodgepodge by keeping track of your sundry passwords in a Microsoft Word file labeled -- drum roll, please -- "passwords." When I mentioned that I do this to William Yerazumis, an expert on e-mail security, he said, in exactly these words, "Slap, slap, slap, slap. Just mail 'em out. Save some time."
Most important is to make stronger passwords. Instead of what PC Magazine identifies as the 10 most common (and easily hackable) online passwords -- including "letmein," "abc123" and "qwerty" -- a strong password mixes words and numbers in unlikely combinations.
A strong password is also a long password. Writes computer expert John Pozadzides, in a blog posting (onemansblog.com) titled "How I'd Hack Your Weak Password," "Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase and special characters -- such as @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for (a computer program to hack) an 8 character password from 2.4 days to 2.1 centuries."
That's assuming, he adds, that you don't use any common words in the password.
"Probably the safest thing to do is go to a password generator site and have the site generate a password for you," says Erik Rhys, a senior editor at PC Magazine. (Google "password generator.")
Do this right away for your most valuable sites, including banks, credit cards, PayPal and, don't forget, e-mail. The e-mail account often can lead people back into your other accounts, especially if you're prone to click "I forgot my password."
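The arithmetic behind the "2.4 days to 2.1 centuries" comparison, plus a local generator, as an added example that is not from this column or from Pozadzides's post. It assumes an exhaustive search at 1,000,000 guesses per second that widens its character set in tiers (26, 36, 62, then all 95 printable ASCII characters), assumptions under which both quoted figures come out; the function names are hypothetical.

```python
import secrets
import string

# Assumption: 1,000,000 guesses per second. At that rate all 26**8
# lowercase passwords take about 2.4 days to try.
GUESSES_PER_SECOND = 1_000_000
# The three common passwords the column names (PC Magazine lists ten).
COMMON = {"letmein", "abc123", "qwerty"}
# Assumption: the search widens its character set tier by tier.
TIERS = [
    string.ascii_lowercase,                                   # 26
    string.ascii_lowercase + string.digits,                   # 36
    string.ascii_letters + string.digits,                     # 62
    string.ascii_letters + string.digits + string.punctuation + " ",  # 95
]


def alphabet_size(password):
    """Size of the smallest tier that contains every character used."""
    for tier in TIERS:
        if set(password) <= set(tier):
            return len(tier)
    raise ValueError("password contains characters outside printable ASCII")


def worst_case_seconds(password, rate=GUESSES_PER_SECOND):
    """Seconds to try every string of this length over that tier."""
    if password.lower() in COMMON:
        return 0.0  # word lists are tried before any exhaustive search
    return alphabet_size(password) ** len(password) / rate


def generate(length=16):
    """Random password from the OS CSPRNG that forces the 95-character tier."""
    # Space is left out of the pool because some login forms trim it.
    pool = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(pool) for _ in range(length))
        if alphabet_size(pw) == 95:
            return pw


if __name__ == "__main__":
    for sample in ("kqzvwmxj", "Kqzvwmx*", "letmein"):  # constructed samples
        years = worst_case_seconds(sample) / 86400 / 365.25
        print(f"{sample!r}: {years * 365.25:,.1f} days = {years / 100:.2f} centuries")
    print("generated:", generate())
```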
To manage your new, non-repeating, complex passwords, you'll need to trust the computer. Some password-management programs have been around for years, with solid security records.
I'm planning to play around with three, each of which would require me to remember only one password to access all my others. The most attractive is PassPack, because it resides online. I wouldn't have to load software on every computer I use or lug around a USB drive containing password data.
Another manager that seems worth checking out is RoboForm, software that not only handles your passwords but also generates them for you and safely and securely fills in online forms. It costs $30 for full functionality.
And then there's KeePass, a free software tool that seems to be highly regarded for password management.
Any of these has got to be better than "passwords.doc."