Do you share your password(s) freely?
I am mentioning the Twitterank rumor from this evening (yes, the one I helped perpetuate) for the sake of this post. It brought to light an issue and really made me think.
How often have you willingly handed over a username and password to a third party or application?
If I learned one thing, it’s this: be aware of when you’re giving out your password, and especially when you’re giving out your username and password together, because that pair is a complete login to your account. I’m not saying don’t do it; I’m saying be aware and use good judgment. If you ever doubt the validity of an application, ask your social network. There’s a lot of knowledge out there.
It’s one thing to enter your information on FriendFeed, but quite another on a fly-by-night “fun application.”
Imagine if an application asked for your ATM PIN. You’d question where your information was going, right?
Whether it’s every two weeks or every two months, here is a practice worth adopting: change your password(s), or better still, build a stronger one. Want to check the strength of your current password(s)? Use Password Checker. (NOTE: Password Checker does not store your password and is safe to use.) One caveat that applies to any checker: it can only score length and character mix, not whether your password already sits on an attacker’s word list, so treat a high score as necessary rather than sufficient, and never paste a password you actually use into a checker you don’t trust.
As I was writing tips for creating a strong password, I came across this post from Microsoft.
Couldn’t have said it better myself:
Create a strong, memorable password in 6 steps
1. Think of a sentence that you can remember. This will be the basis of your strong password or pass phrase. Use a memorable sentence, such as “My son Aiden is three years old.”
2. Check if the computer or online system supports the pass phrase directly. If you can use a pass phrase (with spaces between characters) on your computer or online system, do so.
3. If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each word of the sentence that you’ve created to create a new, nonsensical word. Using the example above, you’d get: “msaityo”.
4. Add complexity by mixing uppercase and lowercase letters and numbers. It is valuable to use some letter swapping or misspellings as well. For instance, in the pass phrase above, consider misspelling Aiden’s name, or substituting the word “three” for the number 3. There are many possible substitutions, and the longer the sentence, the more complex your password can be. Your pass phrase might become “My SoN Ayd3N is 3 yeeRs old.” If the computer or online system will not support a pass phrase, use the same technique on the shorter password. This might yield a password like “MsAy3yo”.
5. Finally, substitute some special characters. You can use symbols that look like letters, combine words (remove spaces) and other ways to make the password more complex. Using these tricks, we create a pass phrase of “MySoN 8N i$ 3 yeeR$ old” or a password (using the first letter of each word) “M$8ni3y0”.
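The steps above, worked through in code. This is an added example, not code from the original post or from Microsoft’s article. The substitution table and the bit estimates are assumptions chosen for the illustration; what the comparison shows is that the full sentence beats the abbreviated password by a wide margin, and that letter-for-symbol swaps add far less than they appear to, because password-cracking tools apply the same swaps as rules.

```python
"""Sentence -> password derivation following the steps above, with a rough
strength comparison. Added example; not code from the original post or from
Microsoft. SUBSTITUTIONS and the bit estimates are assumptions."""
import math
import string

# Step 4/5 look-alike swaps. Assumed table; any fixed table behaves the same
# way, which is exactly why cracking tools ship such tables as rule sets.
SUBSTITUTIONS = {"a": "@", "s": "$", "o": "0", "i": "1", "e": "3", "t": "7"}
SYMBOLS = set(string.punctuation) | {" "}  # 33 characters


def acronym(sentence: str) -> str:
    """Step 3: first letter of each word, lower-cased ('msaityo')."""
    words = (w.strip(string.punctuation) for w in sentence.split())
    return "".join(w[0].lower() for w in words if w)


def substitute(text: str) -> str:
    """Step 5: replace every letter that has a look-alike symbol or digit."""
    return "".join(SUBSTITUTIONS.get(ch.lower(), ch) for ch in text)


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover when guessing blindly."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SYMBOLS for c in pw):
        size += len(SYMBOLS)
    return size


def brute_force_bits(pw: str) -> float:
    """Work for an attacker who knows nothing about the password:
    length * log2(alphabet). Empty input is worth nothing."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def leet_gain_bits(base: str) -> int:
    """Work the swaps add against a rule-based cracker. The cracker tries each
    swappable character both ways, so the gain is at most one bit per
    swappable character, regardless of how exotic the symbol looks."""
    return sum(1 for ch in base if ch.lower() in SUBSTITUTIONS)


def compare(sentence: str) -> dict:
    """Derive the short password from the sentence and score both forms."""
    short = acronym(sentence)
    leet = substitute(short)
    return {
        "passphrase": sentence,
        "passphrase_bits": round(brute_force_bits(sentence), 1),
        "password": short,
        "password_bits": round(brute_force_bits(short), 1),
        "leet_password": leet,
        "leet_bits_blind": round(brute_force_bits(leet), 1),
        "leet_bits_vs_rules": round(brute_force_bits(short) + leet_gain_bits(short), 1),
    }


if __name__ == "__main__":
    # Sample sentence taken from the steps above.
    for key, value in compare("My son Aiden is three years old.").items():
        print(f"{key:>20}: {value}")
```

For the sentence from the steps, the seven-letter acronym scores about 33 bits against a blind guesser; the symbol-swapped form scores about 43 bits if the attacker is blind but only about 38 bits once the attacker runs the usual substitution rules. The full sentence scores over 200 bits under the same crude model, which is the real lesson of step 2: use the pass phrase wherever the site allows it.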
I know. It’s annoying to remember all of those crazy passwords. If you use Firefox, check out 16 of the Best Password Management Tools for Firefox 3. Or, if you’d rather stop handing passwords to third parties altogether, look into OpenID (one login you control, accepted across sites) or OAuth (which lets an application act on your account through a token it is issued, without ever seeing your password). (Thanks @fogfish)
This is a living post. I invite you to offer your advice and comments below.
22 Comments on this post
Trackbacks
aliza sherman said:
I posted recently about an easier algorithm – it is in groupings of 3’s which are easier for our human brains to remember. See # 5 on my list here for instructions. Hope this is helpful to the convo:
November 13th, 2008 at 2:26 am -
Len Kendall said:
I think this TwitterRank fiasco may have gotten out of hand because the Twitter community has been conditioned, to a degree, to provide their password. There are countless 3rd party applications that ask for a password, and without thinking about it a select few of us (I’m guilty too) jeopardized an account which took us quite a while to build up.
I hope that no one’s account has been corrupted yet. I haven’t heard anything about it yet.
November 13th, 2008 at 2:31 am -
Kiel Holliday said:
I agree, for usually I use a few phrases, just vary them up between sites, but often have firefox remembering them for me.
November 13th, 2008 at 2:34 am -
Michael A said:
As an Information Security certified professional, I can’t stress how important it is to properly manage your password. We say it should be “easy to remember but hard to guess”. Great Job Sarah in offering some great tips on password management. More insight into the (lack of) security of Twitter user account management at http://threatchaos.com/?p=303.
November 13th, 2008 at 2:57 am -
Christian Zdebel said:
I have occasionally fallen victim to applications “stealing focus” and ended up IM’ing my password to an unsuspecting recipient…doh!!!
November 13th, 2008 at 3:06 am -
Christopher Kusek said:
Also, as an Information Security Professional (certified 3rd party and NSA) It is important not only to manage your password as Michael A had to say, but also to manage your relationships and trusts.
Twitter is a mechanism which many of us trust, and that is an implicit trust as it can be managed via SMS, as well as HTTP and a number of other ways.
Freely giving up your password to a malicious party is difficult to ascertain as to “What is malicious and what isn’t.”
In the case of Twitterank, we’re fortunate that his intentions are not malicious and his mechanism of operating is not intended to cause harm.
This little scare was good, no harm, no foul – we all learn from it.
So long, as at the end of the day – We do indeed learn from it.
Twitterank – What it is and what it isn’t
http://www.pkguild.com/2008/11/12/twitterank-what-it-is-and-what-it-isnt/
November 13th, 2008 at 3:22 am -
Milos said:
Nicely said! Two other important points to consider:
- PW should be 14 characters or longer (a typical dictionary attack would take something like 1.4 million years to crack running on a single machine)
- Use a PW manager such as KeePass.
Great and relevant post. I watched this develop on Twitter and when you said that you would write about it and look, you did!
November 13th, 2008 at 3:45 am -
Web Designing said:
People usually use passwords that they can’t forget and that are easy to remember; sometimes they use the same password for different logins. This may lead to a big issue one day. I wouldn’t recommend having the same password.
November 13th, 2008 at 4:17 am -
Mat Morrison said:
Have you considered the (old-but-simple) trick for creating memorable-but-unique site passwords?
Use your core password (say “MsAy3yo”) for each site, but add the first and last letter of the site name to the password somehow. So a WordPress login might be wMsAy3yos or (by swapping the last and first letters) sMsAy3yow.
If you never vary the algorithm you use, you’ll have site specific passwords that you can always remember.
Or we can just wait for OpenID, I suppose.
November 13th, 2008 at 8:01 am -
Stuart Fsoter said:
Actually, I just tend to change my password before I use programs like Twitter Ranker and then immediately change my password back. Then, every few months, I change up my password just to keep myself honest.
November 13th, 2008 at 1:26 pm -
Kate said:
Thanks for the password management links! I started using pass-phrases recently, and also transposed words. It does feel more secure, but it can be tricky to remember them – it usually takes me two attempts to sign in to twitter.
November 13th, 2008 at 11:34 pm -
Emmanuel Huna said:
Great tips and great teleseminar #buildsocomm (oops, I’m still in Twitter mode).
I have a few additional tips on how to better manage passwords – I created a screencast which you can view here:
http://screencasts.ehuna.org/2008/08/emmanuels_screencasts_managing.html
Good times!
November 17th, 2008 at 5:23 am -
delores said:
Super cool ideas for staying safe online and protecting your passwords. It is amazing that you still have to tell people the obvious, but repetition is a good teaching style. Love your site, so cheerful looking.
November 19th, 2008 at 2:27 am -
Allen Mireles said:
Good post and good reminder. I had to stop and try to remember if I had gone to check my Twitter Rank. It’s so easy to fall prey to checking your grade and other forms of ranking.
The question of having someone use my Twitter ID and password occurred to me the other day when I logged on to Twitter to find three venomous DM’s from someone who accused me of stalking them–when I had been offline and asleep.
Made me wonder if there was someone out there using my Twitter ID and tweeting unpleasant messages to this poor soul. Turns out that probably was not the case but it did make me wonder and realize the importance of safeguarding this information. (At the same time that I was feeling a wee but paranoid, of course).
November 24th, 2008 at 5:34 pm -
ocha said:
Passwords never. You can also google “create passwords” and come up with some good tools that will create them for you.
InfoESource.com
November 27th, 2008 at 4:35 am -
Web Designing said:
Nope, never, though I do have to share a password with the team, but that won’t be my personal one.
December 2nd, 2008 at 11:56 am -
Article Writer said:
I have to laugh a bit about the passwords. I used to work at Blue Cross Blue Shield and you had to use numbers, letters, and symbols for a valid password. It kind of trained me to make up passwords that nobody else could POSSIBLY guess, but were easily memorable for me.
December 2nd, 2008 at 6:56 pm -
WP Cult said:
It’s hard to tell what is good and bad out there in the 3rd party sites for the ever growing twitter.
Maybe a good / bad list could be compiled?
..
December 2nd, 2008 at 9:23 pm -
Ari Herzog said:
Stumbling across your blog and this post in particular, Sarah.
Three months ago, I provided similar advice as the above on creating secure passwords with a mnemonic algorithm that is a cinch to remember once you devise it. Every site where I must create a password — EVERY SITE — has a unique password. And I can be on any computer and don’t need a cheat sheet to remember it.
Check it out: http://www.ariwriter.com/2008/09/protect-your-password-from-hackers/
December 6th, 2008 at 6:22 am -
Aluminum Laptop Cases said:
It is a big hassle trying to remember and keep track of all my logins and passwords. As a result many people take shortcuts and overuse the same password. This can be a big mistake because getting access to one login may allow someone full access to all of your accounts. If this person has a grudge against you, that could be disastrous. Keep this in mind when sharing passwords freely too. You might not consider that the person you give the password to may try to use it for your other accounts.
February 2nd, 2010 at 1:41 pm -
Turkey said:
I never shared my password freely:)
March 5th, 2010 at 6:02 pm
[...] Do you share your password(s) freely? [...]