What’s your secret question?

Making strong, easy-to-remember passwords is amazingly easy. But what do you do when you’re asked to choose a secret question for an account - something like, “What is your mother’s maiden name?” or “What was the name of your first pet?”

A weak security question and a too easy answer undo the security provided by the best passwords. It is far easier for a marauder to click on the ubiquitous “Forgot your password?” link and guess your favorite high school teacher’s name (perhaps aided by a list of high school teachers at the school you attended, information that is not as hard to get as you might wish) than it is to guess a strong password.

As comforting as it is to have a backup in case you lose your password, the security risk isn’t worth it. There are better ways to avoid forgetting your passwords. Unfortunately, many sites won’t let you avoid using a secret question, so you need to enter something. My advice is to choose any question you like, but enter gibberish for the answer. Something like “dlfkjsldfj fosiuxclewoifu oisfu” would suffice.

To avoid forgetting your passwords, store them in Password Safe, a simple, lightweight program that can help you create and manage all of your passwords. Keep one copy of the database file on your computer and email a backup copy to your email address every time you update it. You’ll never forget your passwords and you’ll never have to rely on the backup security questions. As a bonus, you’ll be more likely to update your passwords every three months when you realize how easy it is to store them.


Questions from a reader

A friend and reader left some great questions in the comments section to a recent post. I’ve answered three of them today, and will answer the rest in a future post.

1) You mention that you change your online banking passwords every three months. What is your reasoning for doing this? If you have a high security password, is there an increased risk in it being broken the longer you keep using it?

I change my critically important passwords (banking and email) every three months just in case someone has figured them out. The biggest risk, as I see it, is from keyloggers. If keylogging software lodges itself in your computer even for a couple of days (in between virus scans, for example), it could steal your passwords and send them to a bad guy without tipping you off that anything is wrong.

2) Do you recommend having a different password for every different type of account you have? What are the risks in using the same password for multiple things?

I recommend having a different password for each of your important accounts. The risk of using the same password for everything is that someone who gets the password to one of your accounts gets access to all of them. Your bank probably does a good job of preventing people from getting into their databases, but shareyourpicswithfriends.com may not. If you were a hacker, how would you approach this problem, knowing that many people use the same password over and over?

Personally, I use the same password for accounts that would not cause me to weep if a criminal got access to them. I use distinct, strong, and frequently changed passwords for the rest.

3) I see the security threat in forgetting to log out of an email account, bank account, etc. at a public computer; someone could come on the computer after you and breach your privacy. Is there a threat of keeping accounts open for an extended period of time on a private computer?

I’m not very concerned about it. There is a danger that information sent from your computer to, say, your bank’s servers (and back again) is intercepted by some clever person, but there is little you can do about this. You can avoid wireless connections or avoid the internet completely, but most people (including me) would find this to be an unacceptable tradeoff.


Banks get it

I changed my banking passwords today, something I do about every three months. After doing so, I received emails from each bank informing me that my passwords had been changed - and advising me that I ought to get in touch with them if I had not done the changing. Here’s the email I got from RBC:

Email from my bank after I changed my password

What they get right

They get a couple of things right. First, sending an email to me when my password is changed is a great idea. If someone else had changed my password, I would learn about it quickly. (What would happen, though, if that person changed the email address on file at the same time? No problem: when an email address change is made, a notification is sent to the old email address.)

Second, they assure me in the email that “RBC will never ask you to provide, confirm or verify confidential information like your online banking ID, password, account numbers, balances or PIN through regular email.” That’s super. If I ever get an email asking me to confirm confidential information, I’ll know it’s fake.

What they get wrong

I do have one minor complaint. It would be better if my bank refrained from including phone numbers and clickable links in the email. I could imagine a scenario where a phisher sends an email identical to this one, except that the links and phone numbers direct the user to a phishing source. Once the user is on the phisher’s website or is talking to a phisher, he might forget all about the promise in the email to never ask about confidential information.

On the other hand, if banking customers get used to the idea that legitimate banks never send emails with links or phone numbers inside them, phishers would have trouble indeed getting people to contact them.
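The notification behaviour described above (an email on every password change, the old address told when the address itself changes, and nothing in the message to click or dial), as an added example that is not RBC’s code or anything from the original post; the account model, the `is_phish_resistant` check and the link and phone-number patterns are all hypothetical:

```python
"""Account-change notifications modelled on the behaviour described above.

Added example, not the bank's code: a minimal account service that
  - emails the address on file whenever the password changes, and
  - on an email-address change, notifies the OLD address as well as the new,
and whose notification text carries no links or phone numbers, so the
recipient has nothing to click or dial (the post's one complaint).
"""
import re
from dataclasses import dataclass, field

# Hypothetical patterns: anything that looks like a URL or a phone number.
_LINK_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
_PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")


def is_phish_resistant(body: str) -> bool:
    """True when the notification text contains no link and no phone number."""
    return not (_LINK_RE.search(body) or _PHONE_RE.search(body))


@dataclass
class Account:
    name: str
    email: str
    outbox: list = field(default_factory=list)  # (recipient, body) pairs

    def _notify(self, recipient: str, event: str) -> None:
        # Addressed by full name (see the 2 Mar 2008 edit) and deliberately
        # free of links and phone numbers; refuse to send if one slips in.
        body = (f"Dear {self.name}, the {event} on your account was just changed. "
                "If you did not make this change, contact us using the number "
                "printed on your card or statement. We will never ask you to "
                "confirm confidential information by email.")
        if not is_phish_resistant(body):
            raise ValueError("notification must not contain links or phone numbers")
        self.outbox.append((recipient, body))

    def change_password(self) -> None:
        # First point the post praises: every password change generates an email.
        self._notify(self.email, "password")

    def change_email(self, new_email: str) -> None:
        # The post's parenthetical: the OLD address is told too, so an attacker
        # cannot silence later alerts simply by swapping the address first.
        old = self.email
        self.email = new_email
        self._notify(old, "email address")
        self._notify(new_email, "email address")
```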

Edited to Add (2 Mar 2008): Note that my bank included my name in the email, something many banks do. So if you ever receive an email from what is ostensibly your bank that lacks your full name (“Dear Customer” or the like), be wary.
