A couple of days ago, I changed my password for the CMS on my website. Unfortunately, Firefox has refused to “remember” the new password, auto-completing the field for me with the old password every time I open it. In the past, when I’ve changed a password, Firefox has offered to remember the new one, but in this instance it did not. (I think I know why, but trying to explain that is outside of the scope of what I care to discuss here today.)
A little query into the Firefox help site provided an answer. Pretty easy, right? But then that got me thinking. Take a look at this screenshot:
You click that “Yes” button, and Firefox is going to display all of your saved passwords in the clear on your computer screen. That’s both incredibly handy, in case you need to remember a password that you’ve forgotten (maybe not even for the site it’s saved with — I’m sure most people reuse the same password[s] most of the time), and incredibly dangerous, in that someone else accessing your computer could open up Firefox and find out all of your passwords.
This leads me to recommend some “best practices” for managing your personal passwords. I follow these rules in order to keep my information (relatively) safe:
1. Don’t use the same password everywhere. It’s unrealistic to think you can remember a different password for every website, but I have a mental store of about 5 or 6 different passwords.
2. Complex passwords are more secure. Your passwords should not contain any dictionary words, and ideally they should contain a mix of upper- and lowercase letters along with numbers and punctuation marks. Also, the longer, the better. It’s really quite amazing how much longer it would take an average modern-day desktop computer to crack an 8-character-long password using this mix of 96 possible characters (23 years), compared to a 6-character-long password using just lowercase letters (30 seconds). Even if you just use lowercase letters, length makes a huge difference: a 20-character, all-lowercase password would take 63 trillion years to crack.
3. Don’t use the same password for your bank that you use for Facebook. This relates to the first item. Reserve your most complex, hardest-to-crack password for the most critical uses: your bank account, PayPal, etc. Generally, anything involving money or the possibility of identity theft (such as a site where you need to provide your Social Security number). Granted, you should probably have a pretty strong password on Facebook, too, but the bottom line is, don’t use your banking password anywhere else.
4. Password-protect your computer, too! This is probably the hardest case for me to make. Especially if you have a desktop computer that just sits in your house all the time, it’s really easy to not bother protecting it. But think about it: if someone breaks into your house, they may be able to steal some of your valuable personal property, but if they’re granted unfettered access to your computer, they could do much more damage than that. In fact, a deft criminal could get in and out without a trace, except that they logged into your computer and stole all of your passwords. If you take your laptop with you to public places where you might leave it unattended at some point, the risk is even greater. And if you’re accessing public networks, physical access to your computer is not even necessary, so a strong password to log into your computer is just as important as the password on your bank account — especially if Firefox has stored an easily-discovered copy of that password on your computer. Which leads to my final recommendation…
5. Resist the temptation to allow your browser to save your most important passwords. I let Firefox “remember” almost all of my passwords. It just makes using the web a lot easier. But I never let it remember my passwords for my bank or PayPal. If you’re only going to file away one convoluted 20-character string in your brain, let it be your bank password. Don’t leave it to Firefox to remember that one for you.
Need more? Symantec has some good recommendations as well.