From the Nov. 2008 Issue
A few years ago, I wrote a column describing a method to generate a different, easy-to-remember, yet secure password for any website or program. Since that column ran, I’m regularly asked to detail the system. In an effort to help (and maybe cut down on a few questions), I’ve decided to re-run the column. Here it is:
I regularly visit hundreds (make that dozens) of websites, and more and more are personalizing content for me by offering me “portal” type services.
Some are quite innocuous, like, “Tell me where you live, and I’ll tell you about the weather.” It’s a beginning step in what I refer to as the “you give, you get” paradigm. “Tell me what stocks you want to watch, and I’ll personalize a ticker for you.” Again, pretty innocent. What about, “Tell me your account number, and I’ll show your transactions” or “Tell me your patient ID, and I’ll tell you about your prescription drugs.” Now we’re talking about SECURITY!! Those are areas where we ALL want great security.
Fortunately, most folks providing this kind of information on the web are very security conscious and have provided for users to choose hardened user IDs and passwords. Hardened is a term many consultants use to describe an ID or password that is (usually) at least eight characters long, containing alpha, numeric, upper and lower case characters, and a symbol. It is NOT your name, your pet’s name nor the street where you live. In fact, it is NEVER a word at all. IDs and passwords like these are extremely hard to break, and the hope is that an intruder would lose interest rather than spend the inordinate time required to break your security and access your information. But you knew that, right?
What I’ll bet you DON’T know is how to manage those (oops, there goes that exaggeration again!) dozens of user ID and password combinations. Here’s one method that seems to work well for me. I have a “standard” user ID that consists of letters (some upper case), numbers, a symbol, and two letters chosen from the website to which I am authenticating or the program I’m accessing. By way of example, my User ID might be wjY6%XeX, where the X’s are the second and fourth letters of the website I’m visiting or program I’m using. So, if I were visiting www.etrade.com, my user ID would be wjY6%TeA. Notice the “T” and “A” are picked from the website address. If I were visiting www.AICPA.org, my user ID would be wjY6%IeP.
The secret is that I actually have only ONE user ID to remember. In this case, it’s wjY6%XeX, but it’s different at every site.
I do the same thing with my password; it’s a single hardened string incorporating something from the site I’m visiting. The result is a simple system that provides great security. Often, I’ll hit what looks to be a new site, and when it asks me to login, I’ll just “try” my user ID and password. Sometimes, I discover that I’ve already been there as my “special” user ID and password take me right in.
Are there problems? Sure. There are some sites that like to “assign” user IDs and don’t give you the right to change them.
A few have policies that preclude the use of special characters, such as the following: !, @, #, $, %, ^, &, *, ( or ). One I use (a bank) actually had the gall to tell me their disallowance of special characters was a “security feature designed to protect you.” Amazing!
Some sites use your Social Security number as an ID (and they think THAT’S secure?). Finally, some sites limit your password to only five or six characters. My answer to them more and more is, “goodbye.”
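As an added illustration (not part of the original column), here is the derivation scheme described above in Python: the second and fourth letters of the site’s second-level label replace the X’s in the template, and a policy check flags the special-character and length restrictions just mentioned. The function names, the handling of sites whose label is too short, and the sample values are my assumptions.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed example values only; wjY6%XeX is the column's illustration,
# not a real credential.
SPECIAL_CHARS = set("!@#$%^&*()")


def site_label(site: str) -> str:
    """Return the second-level label of a site, e.g. 'etrade' for www.etrade.com."""
    host = urlsplit(site if "://" in site else "//" + site).hostname or ""
    parts = [p for p in host.lower().split(".") if p]
    if not parts:
        raise ValueError(f"no host name in {site!r}")
    if parts[0] == "www" and len(parts) > 1:
        parts = parts[1:]  # drop the leading 'www'
    return parts[0]


def derive_site_id(template: str, site: str, positions=(2, 4)) -> str:
    """Fill each 'X' placeholder with the 2nd and 4th letters of the site label.

    Letters are upper-cased, matching the column's wjY6%XeX -> wjY6%TeA example.
    """
    label = site_label(site)
    if template.count("X") != len(positions):
        raise ValueError("template must contain exactly one X per position")
    if len(label) < max(positions):
        # Edge case the column does not cover (assumed): a short label such as
        # 'hp' has no fourth letter, so refuse rather than silently pad.
        raise ValueError(f"site label {label!r} is too short for positions {positions}")
    picked = iter(label[p - 1].upper() for p in positions)
    return "".join(next(picked) if ch == "X" else ch for ch in template)


def policy_conflicts(value: str, allow_symbols: bool = True,
                     max_len: Optional[int] = None) -> List[str]:
    """Report which of the site policies named in the column would reject the value."""
    problems = []
    if not allow_symbols and any(ch in SPECIAL_CHARS for ch in value):
        problems.append("special characters not allowed")
    if max_len is not None and len(value) > max_len:
        problems.append(f"longer than {max_len} characters")
    return problems
```

Because every derived ID differs from the template in only two positions, a single leaked ID reveals the template, so the code reproduces the column’s scheme rather than recommending it over a password manager.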
There are plenty of other “safe” sites to provide me with the services I need. I hope you’ll join me in demanding high-level security policies from the vendors with whom you work. And remember that if you’re not already providing individualized web services to your clients, you probably will be someday soon. And they will be asking YOU for the right to use “hardened passwords.” Smart practitioners think ahead.
A parting tip: Many firms are now developing standards for password-protected Excel, Word and *.PDF files that they exchange with clients. Take even a small firm with only a few accountants times a few hundred clients times a few dozen files each, and you can quickly have thousands of password-protected files floating around. When you do, you darn well better have a system to manage them! And when the system fails (sorry, but it ALWAYS fails eventually), and you’re stuck with a file that’s so protected that no one can open it, try www.lostpassword.com. It’s a magic little trick that WILL open it! Enjoy!
PS: The user ID detailed above (wjY6%XeX) is NOT the one I use!!!
PPS: If you’ve not looked at Microsoft’s new Live Mesh, I suggest you do so … soon. Consider this a glimpse into the wonder of “cloud computing.” It’s a data synchronization system that allows files and folders to be shared and synchronized across multiple devices. A small client on each machine allows you to set up relationships among different devices. When a folder is marked for synchronization, it becomes available on all devices, and any modifications made on any machine to any file in the folder will be replicated to all devices. See www.mesh.com. It’s FREE and, although still in beta, it’s been as solid as a rock for me.
(You can get more of Greg @ his blog: www.TheTechGap.com)