By the time you finish reading this article, you will realize that you really liked it and would like to post a comment or share your own tips on managing passwords. You click on the “Post comments” link and Noooo! the dreaded thing happens… Bijhar.org prompts you to sign in before you can post a comment.
That is indeed irksome, but the worst is yet to come. You try to log in only to discover that you don’t remember your password! You try a number of different passwords but nothing works!
Well you are not alone.
Almost 75% of registered BiJhar members have not logged in at http://www.bijhar.org in the past six months. There is a good chance that they wouldn’t remember their passwords either.
This is the case even as most of our social interactions and economic transactions move to the Internet, and the shift continues at an ever increasing rate. Online air ticket booking, bank transactions, shopping, movie tickets, bill payments, photo-sharing: think of an activity and chances are that you are performing it on the Internet.
While it has brought tremendous ease and time savings on one hand, it has increased our headaches on the other.
Internet fraud, computer hacking, phishing, identity theft and impersonation are some of the issues which continue to plague Internet users like you and me.
An associated problem which a normal user faces is the plethora of user accounts and passwords one has to create and remember.
The majority of websites which sell products or services of some worth require you to register. At the very least, you need to provide your name and contact information and create a user id and password. You think it is painful but only a one-time affair. Think again: you need to remember your user id and password or else you will have to:
- Re-register, filling out all the cumbersome details again, or
- Answer some security questions (challenge and response). This can be equally tiring. If you don’t believe me, try forgetting your Hotmail or Gmail password!
- Call or write to their help desk and request a password reset. This is quick for most sites, but banks and other financial institutions like the CPF Board would send your new password/PIN only by post. That may take up to a week!
I once forgot my ICICI Bank password. When I requested a new password, they sent it after 10 days to my India address. I couldn’t perform any transaction during this period till I called up home to get my coveted new password, which had to be changed again immediately and of course remembered!
How Do People Manage Passwords
We all agree that it is difficult to manage so many passwords. But the next obvious question is how to manage them without ever forgetting them?
Here are some approaches people adopt:
a) Use your pet’s, wife’s or children’s name as your password for every website
b) Use different passwords and write them down in your diary or on a piece of paper which you keep in your wallet or in a drawer near your computer
c) Allow your browser to remember passwords for you
d) Open a new account every time you forget your password
e) Enter $qw&8U@1K3 when logging on to your bank’s website, *3Jk$pK?g9 at your air-ticketing site, and b*9Qt^5Z7y as your office computer’s password …
Well! If your response is (e), you should not be reading this article any further. You have a super memory and I would recommend that you be awarded a PhD in Internet security and password management.
For those who opted for (a), using a simple word or name for every site: i) your choice of password poses a serious risk to your online security, ii) don’t feel embarrassed. Nearly 50% of online users use the same password everywhere, as per a recent survey by Jupiter Research. If your password is a dictionary word or a name, you are a potential victim of password cracking. Don’t be under the impression that it is difficult to guess your password. A hacker can deploy programs which try every word in a dictionary, plus common names, in a matter of minutes or less.
Worse still, because the same password is used everywhere, once a hacker cracks it at one site, every other account you own with that password is before him like an open book!!!
Those who chose (b), i.e. writing your passwords on a piece of paper: your password is only as secure as the place where you keep that paper. If you prefer to keep it near your office computer, it is at the mercy of your colleagues and your secretary, who keep dropping by every now and then.
Agreed But …
You could say, well, I agree that a password should be cryptic, should be changed often and should contain a mix of upper and lowercase letters, digits, special characters like $, ^, *, # etc., must be at least 7 characters long and so on.
‘But how on earth am I going to remember so many cryptic passwords? I am not even confident about remembering one. My wife’s name is so convenient and I can type it even with my eyes closed’, you may say.
No doubt, simple passwords are easy to remember, and most of us often prefer simplicity over security.
Managing Passwords Can Be Easy
There are a number of software and hardware tools available which can manage your passwords in a safe and secure way; however, they are not the focus of this article.
It is not all that difficult to manage and remember your passwords yourself, free of cost and without compromising on their complexity and hence their built-in security. You may choose to follow some simple rules like the ones outlined below, or devise your own once you get the general idea.
Categorize your Internet accounts
Divide your Internet user accounts into two or three categories depending on the sensitivity of the transactions or activity you perform on the website in question. I suggest the following classification:
Plain Vanilla Accounts: Most of the websites you visit would probably fall in this category: sites which offer non-financial services and which DO NOT hold crucial and sensitive information like credit card details, passport and NRIC number, date of birth, bank account numbers etc. Sites which fall in this category are news portals like http://www.timesofindia.com, your online grocery store (provided it does not keep your card details on file), online calling card sites like http://www.telephonecard.com.sg. As a rule of thumb, sites where you don’t really care if someone hacks your account and avails the services on your behalf fall in this category.
I don’t mind if someone is reading news at http://www.livemint.com posing as Sudeep Kumar or someone goes and buys telephone cards on my behalf. The hacker cannot make payments from my bank account even if he tries to purchase calling cards in my name, so I am safe.
Important Accounts: These are accounts on websites where the site stores one or more pieces of your crucial/sensitive information like date of birth, passport details, NRIC number etc., but NO credit card or bank account information. Your favourite e-mail account would also fall under this category. Chances are good that you have sent one or more pieces of sensitive information to a friend or potential employer, for example your resume. You might have sent very personal messages to your spouse/girlfriend/boyfriend which you would not want to share with anyone, certainly not with a hacker. Remember too that most sites send their password-reset links to this e-mail address, so whoever controls your mailbox can reset the passwords of your other accounts.
Critical Accounts: These are accounts which store both your financial and your personal data. Online accounts with banks (e.g. http://www.DBSBank.com, http://www.icicibank.com etc.), brokerage houses (online trading accounts with Funds Supermart, ICICIDirect.com etc.) and statutory bodies like the CPF Board would fall under this category. Your user id and password on such websites should be cryptic, almost impossible to guess, and shared with no one. Many banks have now added an extra layer of security, known as two-factor authentication (2FA). Account holders are given a security token which generates a one-time PIN to be entered after you have keyed in your user id and password. This significantly reduces the chances of online fraud, because a stolen password alone is no longer enough to log in.
Since not all financial institutions have implemented 2FA, your secure password is still the first and probably the only line of defense against a hacker.
Devise your own Password Strategy
For each of the account categories, you can come up with password generation strategies ranging from simple to cryptic yet easy to remember.
Password Strategy for Plain Vanilla Accounts
You can have one or two passwords for all of your plain vanilla accounts. For such a password, think of something which is very personal to you and which even your close friends and wife may have no clue about. If it is not an English dictionary word, even better. It should not be your middle name, nor your wife’s name or one of your children’s names. How about the name of your grandfather, grandmother or grand uncle?
A great-grandfather would be even better, but I don’t think more than 1 in 10 people would remember their great-grandfather’s name. If it is an old-fashioned desi name like “rampukar”, “ramkhelawan”, “budhnidevi”, “chotakifua” or “badkidayee”, you are on the right track.
Wait! We are not done yet. We need to make it a little more complex. Now think of a two-, three- or four-digit number which you can associate with something, e.g. the wedding year of your parents, the birthday of your grandmother, your hostel room number in college, or the license plate number of the Lambretta scooter your dad used to ride. Just pick one such number. Let us say I pick my hostel room number, which is 207, and my grandmother’s name, “budhni”. Construct a password: budhni207.
How secure is this password?
Well, if a brute-force attack is employed and the hacker has no clue about your password beyond its nine lowercase letters and digits, he has up to 36^9, about 100 trillion, character combinations to try; counting the way this article does, six letter positions and three digit positions, it is 26^6 × 10^3, about 309 billion. For a human that is indeed impossible, but cracking software does not walk the whole keyspace: it takes a list of names and words and tries each one with a few digits appended, which is exactly the shape of budhni207. Even without that shortcut, hardware making a billion guesses a second exhausts the 309 billion in about five minutes and the full 36^9 space in about a day. It is not “that” safe in the strictest sense, but then it is for your “Plain Vanilla” websites, so the real safety is that there is nothing worth stealing behind it. After all, who is fool enough to waste the effort only to read your Business Times subscription online?
Password Strategy for Important Accounts
We will make stronger passwords for these accounts. Using the same old granny, “budhnidevi”, and my hostel room number 207, let us construct a stronger password. This time I will use her full name and place the digits in between and at the end. Using this approach, I split the name midway, put the first two digits there and the last one at the end, and my password is: “budhni20devi7”.
How secure is this password? This time we have 10 letters and 3 digits, so by the same counting there are 26^10 × 10^3, about 141 quadrillion, combinations (36^13, about 170 quintillion, if the attacker does not know where the digits sit). Exhaustive search of 141 quadrillion candidates takes about 4,500 years at a million guesses a second, and still about four and a half years at a billion a second. More important than the count is that splitting the name around the digits takes the password out of the commonest cracking rule, a word with digits tacked on the end. A well-tuned cracker can still try digit insertions, so treat the keyspace figure as an upper bound on the attacker’s work, not a promise.
Password Strategy for Critical Accounts
If you have understood the game so far, generating our super cryptic set of passwords is easy. Just pick two special characters from the keyboard, e.g. # and !, & and *, or @ and %. I choose our faithful old granny “budhnidevi” again, choose “&” and “*”, and four digits from my Lambretta scooter’s license plate, BER2539. Now how about this password: “Budhni&25Devi39*”
How secure is this password? Counting as before, 10 letters, 4 digits and 2 special characters (there are 32 printable punctuation characters on a keyboard) give 26^10 × 10^4 × 32^2, roughly 1.4 sextillion candidates, a number with 21 zeros; if the attacker cannot tell which positions are letters, digits or symbols, the space is 94^16 and larger still. And I did not coin the term sextillion, for sure …
Using the same approach, I construct two more such passwords, Ram&25Khelawan39* and Chotaki&25Fua39*.
As you can see, among your grandmother, grand uncle and Chotaki fua, you have generated five passwords. Three of them would pass most automated tests for password quality and strength; the remaining two are pretty good as well. One caveat: the three critical passwords share the same skeleton, &25 in the middle and 39* at the end, so if one of them ever leaks (a phishing page, a site that stored it in the clear), the other two are only a name away. Give each critical account its own digits and symbols, and never reuse a critical password on a lower-category site.
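To make the counting in the three “How secure is this password?” paragraphs reproducible, here is a small Python script added by the editor; it is not part of the original article. It computes the article’s positional count (each position drawn only from its own character class) and the larger count an attacker faces when he knows only the length and the classes in use, and it also estimates the far smaller number of guesses needed by an attacker who knows the name-plus-digits template. The list size of 100,000 names and the rate of a billion guesses per second are assumptions, not figures from the article.

```python
"""Keyspace arithmetic for the password examples in this article.

Two ways of counting are compared:
  * positional_keyspace(): the article's own method, where each position
    is drawn only from the class (lowercase, uppercase, digit, symbol)
    actually used at that position;
  * full_keyspace(): an attacker who knows only the length and which
    classes appear, so every position could be any of those characters.
template_guesses() estimates the much smaller number of guesses needed by
an attacker who knows the "name + digits (+ symbols)" template the
examples follow and works from a list of names.  The list size is an
assumption supplied by the caller.
"""
import string
from math import prod

CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32 printable ASCII punctuation characters
}


def classify(ch: str) -> str:
    """Name of the character class a single character belongs to."""
    for name, members in CLASSES.items():
        if ch in members:
            return name
    raise ValueError(f"unsupported character: {ch!r}")


def positional_keyspace(password: str) -> int:
    """Article's method: product of the class size at every position."""
    return prod(len(CLASSES[classify(ch)]) for ch in password)


def full_keyspace(password: str) -> int:
    """Attacker knows the length and the set of classes in use, nothing else."""
    alphabet = sum(len(CLASSES[name]) for name in {classify(ch) for ch in password})
    return alphabet ** len(password)


def template_guesses(names_in_list: int, digit_count: int, symbol_count: int,
                     placements: int = 1) -> int:
    """Guesses for an attacker who knows the template.

    names_in_list  size of the attacker's name/word list (assumption)
    digit_count    number of digits the template carries
    symbol_count   number of special characters it carries
    placements     how many ways digits/symbols may be placed within the
                   name that the attacker tries (1 = appended at the end)
    Capitalisation variants are not modelled, so this is a lower bound.
    """
    symbols = len(CLASSES["symbol"])
    return names_in_list * 10 ** digit_count * symbols ** symbol_count * placements


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    examples = ["budhni207", "budhni20devi7", "Budhni&25Devi39*"]
    rate = 1e9  # assumed: one billion guesses per second, offline cracking
    for pw in examples:
        pos, full = positional_keyspace(pw), full_keyspace(pw)
        days = seconds_to_exhaust(full, rate) / 86400
        print(f"{pw:18} positional={pos:.3g}  full={full:.3g}  "
              f"exhaust at 1e9/s = {days:.1f} days")
    # Attacker who knows the "name + 3 digits" shape and has a 100,000-name list (assumed)
    print("template guesses for name + 3 digits:", template_guesses(100_000, 3, 0))
```

Run it as a script to see the three counts side by side; the gap between the template estimate for budhni207 and its positional keyspace is the reason the plain-vanilla password is protected by the low stakes of the account rather than by its arithmetic.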
Rotate between your ultra-secure passwords every 3 months.
All you need to remember is: budhnidevi, chotakifua, ramkhelawan (your relatives), your Lambretta registration number and two special characters. Is that all that hard to remember?
If you have had the patience to read all this, you are already on your way out of this password maze. Go ahead, make your own set of cryptic rules and change all the overly simplistic passwords you have to the new stronger ones.
Additional Security Measures
- Always close your browser after you have logged out from your Important/Critical category sites.
- Refrain from visiting “Critical” category sites from a public computer like a cyber cafe. If you must, then DEFINITELY log out and close the browser when you are done.
- Install a good antivirus and anti-spyware program on your computer, from Norton, McAfee or Trend Micro, and keep it up to date.
- ZoneAlarm (http://www.zonealarm.com/) offers anti-spyware software for free or at a reasonable fee.
- DO NOT install free file-sharing programs unless you are extremely sure that they are free from spyware.
- Avoiding porn sites can do a lot of good to your computer. If basic instincts overpower you at times, refrain from installing anything on your computer from such sites.
I have outlined some simple measures for a hassle-free Internet experience. Do keep in mind that this is not a complete cookbook on Internet security.
Hope you have enjoyed reading it and learnt a thing or two. Now what are you waiting for?
Log in and write your comments. Share your own tips on password management with me and other readers.
- If you don’t remember your bijhar.org password, click the forgot password link in the left panel just below the login section.
- If you don’t even remember your user id then read the article again as punishment and then call Jayanta Singh or drop him an email at (email@example.com).
- Don’t try to hack my account using the password combinations used for illustration. You would only be wasting your time.