How to Safeguard Your Passwords


NEW YORK (MainStreet) – Pop quiz: How many computer passwords have you had to enter today?

Perhaps you entered one when you turned on your personal computer at home this morning. If you use a computer at work, chances are you needed to log in there, too. If you checked your personal email, that’s another password. Did you sign into Facebook or do online banking? More passwords still. And that’s to say nothing of the various logins you have for online retailers and news sites that require a free or paid membership.

Living in the digital era is a bit like being a school janitor, with dozens of keys for various classrooms and offices clipped to your belt. And just like a fat collection of keys, it can be hard to keep them all straight.

“Let’s be honest: remembering passwords doesn’t scale,” says Graham Cluley, senior technology consultant at network security firm Sophos. “You might be able to remember three or four, but these days we have scores and scores of accounts.”

Of course, you could just use the same password for every account, or choose passwords that are easy to remember. A study conducted in December by network security firm Check Point Software found that 26% of consumers reused passwords for important accounts such as email and online banking, and 79% admitted risky password construction practices such as using dictionary words or personal information. With consumers forced to remember so many different passwords and login combinations, it’s not surprising so many users have opted for convenience over security.

But if the perils of such practices weren’t clear before, events from the past year should give consumers pause. Security breaches at various companies have revealed that many businesses do a poor job of protecting customers’ personal information, including email addresses and passwords. And if you’ve repeated those passwords, all your accounts could be at risk. When earlier this month hacker group Lulz Security released a list of more than 60,000 email and password combinations it had stolen from an unknown organization, the group’s Twitter followers reported back that they’d used the same combinations to access some users’ Facebook, PayPal and Amazon accounts. The lesson is this: If you use the same email address and password for 12 different sites, all it takes is a security breach at one of them to give hackers access to the other 11.

If you want to keep your personal and financial information secure, you should have a different, difficult-to-guess password for every one of your accounts. But how do you remember them all?

The tried-and-true method is to simply write them down in a notepad or on Post-it notes on your monitor; a hacker will only be able to access them if he or she actually breaks into your house, which isn’t likely. Still, there are downsides to this approach.

“If [the list] is on your desk and you do get a burglar, they may well grab the list of passwords,” Cluley says. “They might recognize that computer theft is more valuable if they can steal your passwords.” He also notes that you’ll need to carry the list with you when you travel or go to work, which can also end badly if you lose it in transit.

Storing the passwords in a file on your computer can be just as perilous, and in some cases more so, as a hacker who gains access to your computer can find the file with little effort.

“Don’t under any circumstances keep it in a regular plain text file,” says Claus Villumsen, chief technology officer for security firm BullGuard. He adds that the same goes for storing your passwords in your Outlook contacts or any other email account, and Cluley further notes that getting your browser to store your passwords is similarly insecure. It might be convenient to have all of your passwords written down in one place, but it can be a gold mine to a hacker who discovers it.

Fortunately, a number of services have popped up in recent years that allow users to store their passwords safely. Such services include RoboForm and LastPass, both of which integrate with your Web browsers to store your passwords for each of your accounts. The services, which have free and paid versions, store your passwords encrypted on their servers so you can access your accounts no matter what computer you’re using. Once you have your passwords stored, you need to remember only one master password to access all of your other passwords.

LastPass is particularly popular due to its extensive free version and its ability to automatically generate random, secure passwords when you create a new account or want to change one of your old passwords. But it got some bad publicity when it announced last month that a possible breach of its systems may have compromised some users’ security.

The good news is that the passwords stored by LastPass are encrypted, which means they’re extremely difficult if not impossible to crack. “The kind of encryption used by password management companies is strong enough that it would take someone a thousand years to crack into it,” Cluley says.

The company did say that user emails may have also been leaked as part of the breach, which could potentially allow hackers to access the accounts if they were able to guess the master password. It accordingly advised some users to change their master passwords, and LastPass was lauded for its fast response and overly paranoid approach to its users’ security. That’s in contrast to companies such as Sony, which was criticized for its slow response to an April data breach and failing to encrypt its users’ personal information in the first place.

Still, at a time when the world’s largest companies have become targets for hackers, the incident raises a conundrum: Do you really want the passwords for your most sensitive accounts stored on someone else’s servers?

For users who would rather store their passwords on their own computers there’s KeePass, which encrypts your passwords but stores them locally rather than in the cloud. The program, which is free, also integrates with your browser and can generate random passwords for your various accounts. Your passwords can be stored on a USB memory stick if you need to transport them, and the strong encryption and master password requirement mean you have nothing to worry about if you lose it.

Provided you use best practices when choosing your master password, the only potential concern with this type of password manager is that a hacker could discover your master password by installing a keylogger on your machine. A type of spy software that records everything you type, keyloggers can be installed when users click links in phishing emails. As such, a password manager (whether a local storage model such as KeePass or 1Password, or a cloud-based system such as LastPass or RoboForm) is most effective if used in conjunction with strong, frequently updated antivirus software.

At the end of the day, which password manager you choose comes down to which you find most intuitive and easy to use. As long as your passwords are randomly generated, the master password is difficult to crack, your home computer is free of spying software and you’re smart about not clicking on strange links, each will provide loads more password security than a sticky note on your monitor.
