Virtually every web site that has a “profile” of sorts requires a password as some form of authorization. For most internet users, the password has become a necessary evil. However, poor or duplicated passwords can be broken or stolen—how can a user safeguard against such things?

There are a few simple rules for choosing passwords:

  1. A password should be difficult to guess.

Gone are the days when an anniversary date or a birthday sufficed for protection. Passwords should be at minimum six characters, preferably longer. A mixture of upper and lower case is essential, as well as a special character or two.

Of course, these qualities make for a difficult-to-remember password as well. I suggest using a cryptographically strong method of securing your passwords, such as Bruce Schneier’s Password Safe, a freely downloadable, open-source utility for Windows XP. The program allows for storage of many passwords, protected by a single master password.

This is similar in function to the keyring available on Mac OS X, but not quite as well integrated into the OS. With the aid of technology, you can make life much more difficult for the would-be cracker.

  2. Never duplicate passwords between sites.

This is a tough one to follow if you rely on memory. However, reuse poses a great danger. For example, suppose you fall victim to a phishing scam, in which you are fooled into entering login information on a rogue web site. If your passwords are all the same, you’ve just unwittingly given access to all your online information to some malicious cracker.

With multiple passwords, you are limiting your liability. After all, you don’t share your bank account’s PIN with your telephone company—why should the accounts share the same secret?
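As an added example (not part of the original post), the following Python audit applies rules 1 and 2 above to a constructed site-to-password store: it reports passwords that miss the length, mixed-case or special-character requirements, and flags any password shared between sites. The site names and passwords are made up for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List

MIN_LENGTH = 6  # the post's stated minimum; longer is preferred


def password_weaknesses(password: str) -> List[str]:
    """Return the ways a password falls short of rule 1 (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def audit_credentials(creds: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit a site -> password mapping for weak (rule 1) and reused (rule 2) passwords."""
    findings = {site: password_weaknesses(pw) for site, pw in creds.items()}
    # Group sites by password so any duplicate shows up once per affected site.
    sites_by_password = defaultdict(list)
    for site, pw in creds.items():
        sites_by_password[pw].append(site)
    for sites in sites_by_password.values():
        if len(sites) > 1:
            for site in sites:
                others = ", ".join(s for s in sites if s != site)
                findings[site].append(f"reused on {others}")
    return findings


# Constructed sample credential store; these are not real accounts or passwords.
SAMPLE_CREDENTIALS = {
    "bank.example": "Tr0ub4dor&3",
    "forum.example": "Tr0ub4dor&3",
    "news.example": "sunny1",
    "mail.example": "Quartz!Pylon7",
}

if __name__ == "__main__":
    for site, problems in audit_credentials(SAMPLE_CREDENTIALS).items():
        print(site, "->", "; ".join(problems) if problems else "ok")
```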

  3. Circumvent password reminder features.

Many online login services require you to choose a so-called “secret question” and answer in order to retrieve your password. This is probably the most insecure thing possible. The common options (place of birth, pet’s name, mother’s maiden name) are all over various public records.

Do not use this feature. Choose a random question and fill the answer field with unguessable gibberish. Worst-case scenario, you’ll need to interact with technical support if you truly forget the password.

  4. Choose a security level appropriate for what you are protecting.

A password for Slashdot or another forum is clearly not as important as one protecting online access to your credit card. Low-security passwords are expected for mundane things like forums, newspapers that require registration, etc.

Bonus Tip: Many web sites that require registration for registration’s sake can still be used via BugMeNot. BugMeNot is a repository of disposable logins for various web sites. If you visit a page and don’t want to bother disclosing information, visit BugMeNot and search for the URL—it’s probably in there.

  5. Never use public terminals to view or transmit sensitive information.

Suppose you are on a business trip attending a large convention. A presentation has just triggered a flash of insight on a very important client, and you walk downstairs to the hotel’s business office to send an e-mail. Days later, your company loses the client to a rival firm. What happened?

From your perspective, nothing. However, it’s very easy to compromise public hardware and, by doing so, obtain secret information. Hardware keyloggers exist that can be plugged in between a keyboard and the back of a computer. Such a device is capable of capturing 64,000 keystrokes and playing them back. E-mails, passwords and URLs are all entered via the keyboard. Bear this in mind the next time you check your bank account balance from a public terminal.

I’ve presented a few tips for the security-conscious; additional suggestions welcomed!