If this could happen to me...
A few months ago I received an email telling me that someone had purchased an item I had for sale on eBay. Since I had only ever bought things on eBay I should have known that this wasn't legitimate, but I was in an affable mood so I clicked the link in the email, landed on the web site, and tried to sign in. Only after I got an "error" did I realize that I wasn't on the real www.ebay.com site, but a forgery--I had been fooled by a "phishing" email into revealing my eBay name and password to a thief! I quickly went to the real ebay.com, signed into my account, and immediately changed my "standard" password to a completely new one. I was lucky the thief hadn't gotten there first. This motivated me to change other important accounts to use new passwords to prevent this thief from accessing them as well.
Security and convenience are almost always at odds with each other, especially when it comes to passwords. Like me, most people I talk to have a single password they are fond of, and over the years they've used it for all of their accounts, including email, online banking, credit cards, online shopping, etc. Thus if someone manages to steal one of your passwords, in theory they now have the ability to break into all of your accounts. Don't let a thief who might crack your seldom-used account at Hotels.com turn around and break into your retirement account at Fidelity!
What can I do about it?
Change your passwords. They should be different, both from your favorite old password and from each other. Don't use something obvious that someone else with personal information about you might guess.
Also, it's time to make an organized list of all of your accounts and passwords. See last month's issue for advice on doing this. (Go to http://www.kadansky.com/files/newsletter.html and click on "Passwords, passwords, passwords! How can I keep track of them all?") Be sure to update your password chart with any changes you make.
Which accounts are the most important?
Start with your email accounts, and then any bank, credit card, retirement, or other financial accounts. Your email might not seem very important at first, but consider this: One of the first things a thief might do after getting access to, say, your online bank account is to change its password. Many systems confirm this by sending you an email. A clever thief might therefore also break into your email account so they can intercept this confirmation and delete it before you see it.
What's a good way to come up with a new, memorable password?
Having trouble making up new passwords? Here's a fun technique: Come up with a phrase or sentence related to each account that's easy for you to remember but difficult for others to guess, and then take the first letter of each word, add a few digits on the end (or, specifically pick a sentence that includes some numbers), and use that as the password.
For example, if you have an account where you buy music (like amazon.com) and you like 70s country/pop music, then turn "Don't It Make My Brown Eyes Blue was Crystal Gayle's big hit in the 70s" into "dimmbebwcgbhit70s", a very good password that no one is likely to guess, and put this on your password chart. Passwords are case-sensitive, so for extra security capitalize it properly: "DIMMBEBwCGbhit70s". For an online banking account, the sentence "I've used Bank of America since 82, but they're not as friendly as Citizens" makes "IuBoAs82btnafaC".
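As an added illustration (not part of the original newsletter), here is the first-letter rule written out as a small Python script. It reproduces both sentences above, keeps any word that starts with a digit (like "70s" or "82") whole so the numbers survive, and reports which character classes the result contains; the function names are my own.

```python
def derive_password(phrase: str, keep_case: bool = True) -> str:
    """Turn a memorable sentence into a password using the newsletter's rule:
    take the first letter of every word, but keep any word that starts with a
    digit (such as "70s" or "82") whole so the numbers end up in the password.

    keep_case=False gives the all-lowercase variant shown in the article.
    """
    parts = []
    for raw_word in phrase.split():
        # Strip punctuation from the ends only, so "82," becomes "82" while
        # an apostrophe inside "Don't" or "Gayle's" leaves the first letter alone.
        word = raw_word.strip(".,;:!?\"'()")
        if not word:
            continue  # a stray dash or lone punctuation mark contributes nothing
        if word[0].isdigit():
            parts.append(word)      # keep the whole number token, e.g. "70s"
        else:
            parts.append(word[0])   # otherwise just the first letter
    password = "".join(parts)
    return password if keep_case else password.lower()


def character_classes(password: str) -> dict:
    """Report length and which character classes are present, to show why the
    case-preserving variant is the stronger choice."""
    return {
        "length": len(password),
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
    }


if __name__ == "__main__":
    # The two example sentences from the article.
    music = "Don't It Make My Brown Eyes Blue was Crystal Gayle's big hit in the 70s"
    bank = "I've used Bank of America since 82, but they're not as friendly as Citizens"
    for phrase in (music, bank):
        pw = derive_password(phrase)
        print(f"{phrase!r}\n  -> {pw}  {character_classes(pw)}")
```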
How do I actually change a password?
The most common ways to change an account's password are:
- Go to the web site for that account, log in, and look for a "change my password" or "my account" link.
- Call the company and have them do it for you over the phone, or tell you where to change it yourself on their web site.
Remember that your email software (or web browser, if you use webmail) is probably configured to remember your email password, but it won't know that you've changed it. So, right after you change your email password you'll need to update your email software with the new password. Feel free to contact me if you need help doing this in your particular email program.
How can someone steal my password?
There are many potential ways for a thief to steal your account name and its corresponding password:
- Given some personal information about you (your birthday, children's names, Mother's maiden name, etc.), they can sometimes just guess your password.
- You can be tricked into installing viruses, spyware, or "keystroke-logging" software onto your own computer, which can observe you entering your name and password and then send it to the thief over the internet.
- A "phishing" email message can trick you into visiting a phony website run by a thief where you're misled into entering your name and password.
- If you use your own laptop in a public place where an open wireless internet connection is offered and you access any of your accounts, a nearby high-tech thief may exploit a lack of security in your laptop.
- If you use a publicly-supplied computer in, say, a cyber-cafe or public library, a high-tech thief may already have installed software on it to capture your account information.
- A low-tech thief may simply look over your shoulder as you type in your name and password. They don't even have to be in the room; they could be outside the cafe's window with a video camera looking in.
Where to go from here
- At a minimum, consider changing your most important passwords (email, banking, financial) so they are more secure and not the same as each other. For extra security, change them at least once a year, and right away if a trusted employee or business partner has left.
- Keep track of your accounts and passwords, and keep this list in a safe place.
- If you do frequent public wireless internet connections, don't access your bank or retirement accounts.
If you know someone else who might find this helpful, please feel free to forward it to them.
If you have any comments about this article, send me a reply!
If you have a topic that you'd like me to write about, I'd love to hear about it!