Take 5: How to protect your passwords

Northeastern University cybersecurity expert Wil Robertson, an associate professor with joint appointments in the College of Computer and Information Science and the College of Engineering, offers some tips for Web users to ensure their private online data stays private.

1. Don’t share your passwords

Perhaps this is obvious, but because it happens all the time it bears repeating: don’t share your passwords! All of the personal security tips in the world won’t help you if someone else has one of your passwords and is able to impersonate you online. Perhaps you trust him, but are you sure you trust everyone he trusts? The point is that once you’ve disclosed your password, the situation is no longer within your control.

2. Use strong passwords

A password that is easily guessable is not much better than nothing at all. Attackers expend considerable effort to discover new ways to make password guessing more efficient, so it pays off to select strong passwords that are resistant to these efforts. Make them long, and use a unique phrase instead of a single word if possible. Include a few symbols or deliberate misspellings, as long as the password remains memorable.

3. Don’t use the same password everywhere

It’s tempting to come up with a (hopefully) strong password, and then use the same one in multiple places, like for logging into Twitter and into Gmail. But if your password is broken or accidentally disclosed by one of these services, attackers can often go and try to use the password at a number of other services with your public login information, often an email address. So, use different passwords. That way, if one is broken, attackers won’t be able to compromise your other accounts and you can limit the damage.

4. Consider using a password manager

It’s not easy to remember a large number of strong passwords. The last time I counted, I had more than 300 accounts with different services, and despite the value of the previous tips, it’s difficult to scale them to that many accounts. If you’re in a similar situation, you might consider using a password manager, such as LastPass or KeePass. The idea is to maintain an encrypted database of your passwords so that you only need to remember one: the master password protecting the database. They often have other benefits, such as generating strong passwords for you that respect password policies and integrate with your web browser.

5. Consider using two-factor authentication

A great way to protect your information is to take advantage of so-called two-factor authentication schemes when possible. Google, Twitter, and Facebook all provide these capabilities, where the idea is to require two pieces of information as proof of identity: your password plus a challenge and response via SMS, or a time-based code from your mobile phone, for instance. Requiring two factors makes it far less likely that your account can be stolen, since, for the case above, an attacker would need to compromise both your password and your mobile phone.

Password safety is an integral part of protecting your personal information. By following the tips above, you’ll be ahead of the curve when it comes to staying safe online.