NEWS FROM THE LAB - Tuesday, May 26, 2009

Put Your Passwords on a Post-it Posted by Sean @ 16:07 GMT

Facebook is slowly but surely defending itself against aggressive spam runs.

There's some speculation among experts. Why Facebook? Has Facebook become a keystone from which to launch and steal all of an individual's passwords (i.e. banking and commerce sites)? Once you have Facebook, can you then compromise the primary e-mail account and everything else along with it?

Maybe so, but regardless of why — the sheer gravity of Facebook makes it a target. Its growth and size are tremendous.

Let's take Finland as an example. There are an estimated one million-plus Facebook accounts in a country of only 5.3 million people. The Finland regional network alone has over 544,000 members. Anything that size will be a target for scammers.

Wherever good people go, miscreants will follow.

So of course it's an excellent policy to maintain complex passwords that are unique to each site. Right?

Here's an idea. Write down your passwords. Seriously.

And once you write them down, put them in your wallet. Think about it. What else do you carry in your wallet? That's right, your bank cards. And your bank cards contain your account name and account number.

That's kind of like your online account names and passwords.

Only this is the key — it's a two-part password. Your account name and bank card number are useless to a thief without your PIN.

So take a look at this screenshot. What do you see?

[Screenshot: passwords on a Post-it]

Passwords on a Post-it, only examples of course… non-dictionary ones at that.

Keep another three characters in your head, the same three for every site, and you'll have complex 10-character passwords. You can insert those extra characters at the front, in the middle, or at the end.

What do we mean? It's like this.

The first three characters in this example are based on the website: "aMA" represents Amazon.com. It can be written several ways, such as "AMa" or "aMa" or "AMA", etc. Pick a rule that is easy for you to remember, and then stick to it.

The next (or other) part, "2242" in our example, should be something completely random, not a date or anything else you'd pick from memory. This is the part that you really need to write down and keep safe so that you don't forget it.

And then you should use a method to add three more characters (your "PIN") to every password, something such as "35!". The full password then becomes "aMA224235!" or "aMA35!2242" or "35!aMA2242", depending on where you put the PIN.

Our other example, built the same way with the PIN at the end, would be "gMA35N135!".
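The scheme above, as an added example in Python (this is not code from the original post): it generates the written-down part with the operating system's CSPRNG rather than leaving it to a human to "think of something random", assembles the three pieces in any of the three positions the post mentions, and shows what does and does not belong on the paper. The site tags, the 4-character written part and the alphanumeric alphabet are taken from the post's examples; the function names and the validation check are assumptions of this example.

```python
import math
import secrets
import string
from typing import Dict, List

# Alphabet for the written-down random part: letters and digits, so a
# 4-character string such as "2242" or "35N1" cannot be a dictionary word.
# (Assumption of this example: the post's written parts are alphanumeric.)
WRITTEN_ALPHABET = string.ascii_letters + string.digits


def random_written_part(length: int = 4) -> str:
    """The part that goes on the Post-it.

    Uses secrets (the OS CSPRNG) instead of a human-chosen value: people
    are poor at picking random strings and tend to reuse dates and names.
    """
    return "".join(secrets.choice(WRITTEN_ALPHABET) for _ in range(length))


def written_part_entropy_bits(length: int = 4) -> float:
    """Entropy in bits of a uniformly random written part of this length.

    For 4 alphanumeric characters this is 4 * log2(62), roughly 23.8 bits:
    the written part alone is not a strong secret, which is why the PIN
    must never be on the same piece of paper.
    """
    return length * math.log2(len(WRITTEN_ALPHABET))


def compose_password(site_tag: str, written: str, pin: str,
                     position: str = "end") -> str:
    """Assemble the full password from the post's three parts.

    site_tag: the memorised rule derived from the site name, e.g. "aMA".
    written:  the random part from the Post-it, e.g. "2242".
    pin:      the three characters kept only in your head, e.g. "35!".
    position: "front", "middle" or "end", where the PIN is inserted.
    """
    if position == "front":
        return pin + site_tag + written
    if position == "middle":
        return site_tag + pin + written
    if position == "end":
        return site_tag + written + pin
    raise ValueError("position must be 'front', 'middle' or 'end'")


def post_it_lines(entries: Dict[str, str]) -> List[str]:
    """What actually gets written down: site tag and random part only."""
    return [f"{tag} {written}" for tag, written in entries.items()]


def validate_post_it(lines: List[str], pin: str) -> bool:
    """Check the paper against the post's two rules: no PIN, no e-mail address.

    Returns True when the paper is safe to carry in a wallet.
    """
    for line in lines:
        if pin in line:        # the PIN stays in your head, never on paper
            return False
        if "@" in line:        # an e-mail address would tell a thief the login
            return False
    return True


if __name__ == "__main__":
    pin = "35!"
    # Constructed entries mirroring the post's examples plus one fresh one.
    entries = {"aMA": "2242", "gMA": "35N1", "eBA": random_written_part()}
    paper = post_it_lines(entries)
    print("On the Post-it:", paper, "safe:", validate_post_it(paper, pin))
    print("Entropy of written part: %.1f bits" % written_part_entropy_bits())
    for tag, written in entries.items():
        print(tag, "->", compose_password(tag, written, pin, "end"))
```

If the wallet is lost, only `post_it_lines` is exposed: a thief holds the written parts but neither the PIN nor the accounts they belong to. The entropy figure is the caveat to keep in mind: a four-character written part is only about 24 bits, so the design depends on nobody ever holding both the paper and one of your full passwords at the same time.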

Your PIN should never be written down; keep that bit of information in your head, just like your bank card's PIN.

Note that our example does not include an e-mail address on the Post-it.

What happens if your wallet is stolen? You call the bank and cancel your cards.

And what about your Post-it? If it doesn't include your e-mail address or your PIN, the thief holds a list of site tags and random fragments with nothing to use them against. You reset your passwords in a timely fashion and write the new random parts on a fresh piece of paper. You're good to go.

Using this methodology, you can maintain complex and unique passwords, and still have something handy for when you forget them. Because we all do forget stuff from time to time.

And if you're phished on one site, such as Facebook, your other accounts aren't sharing the same password.

Oh, one last piece of advice.

Don't put the Post-it on your monitor! And not on the underside of your keyboard either… everyone's familiar with that location too.