When You Must Use Passwords

Patronize Web sites that require usernames and passwords only if the Web sites use Secure Sockets Layer (SSL). If you can t connect to a Web site by using HTTP Secure (HTTPS), or if the padlock or equivalent symbol doesn t appear in your browser for that site, don t use the site.

Choose strong passwords at least eight characters in length and consisting of upper and lower case letters, numbers, and punctuation symbols. If possible, use a passphrase at least 16 characters in length (e.g., TheC0wJumpedOverTheM00n! ). Easy to remember, they re almost impossible to brute-force crack and aren t easily subject to attacks that use rainbow tables (sets of possible password hashes and their precomputed plain text equivalents).

Choose a different password (and username, if possible) for each system. If your credentials are compromised on one system, an attacker can t use them on other systems.

Given that you ll end up with lots of credentials if you use a different username and password for each account, I recommend you invest in a cheap biometric device such as a fingerprint reader that lets you store each set of usernames and passwords and authenticate to Web sites automatically upon presentation of a finger. As an alternative to a biometric reader, invest in a software-based credential vault such as CodeWallet Pro (http://www.developerone.com/code walletpro/) or RoboForm (http://www.roboform.com).

Don t store credit card or personally identifiable information on Web sites. It might be a nuisance to reenter information each time you use the same site but it s preferable to having to replace your credit cards or deal with identity theft.