My response, tardy as it is, might best be described as redundant redundancy.
Starting our fourth decade: Al Fasoldt's reviews and commentaries, continuously online for 31 years


Mail bag: Great tips for password protection

June 22, 2014

By Al Fasoldt
Copyright © 2014, Al Fasoldt
Copyright © 2014, The Post-Standard

My column about the Heartbleed Bug (www.technofileonline.com/texts/tec050414.html), which allows unscrupulous hackers to steal your passwords, brought some fascinating responses. The most interesting came from reader Steve Berson.

Berson starts by questioning my comment about not needing to memorize passwords. I wrote, "the websites you go to will remember them for you, or your computer, phone or tablet will do the same thing."

This is bad advice, Berson says, for this reason: If your browser stores your passwords, anyone who steals your personal info would be able to access all your passwords simply by cracking the single password that protects the files that store the other passwords.

(If this sounds confusing, it's because experts usually fail to explain how this works. A location on your device keeps track of your passwords and inserts them for you when you're on certain sites. Those passwords are stored in a sort of strongbox that's "locked" by a separate password. If anyone steals your files, breaking that protective password would make all your passwords readable.)

In another area, I had suggested that you should store your passwords in a notebook that you could keep under the mattress or in some other reasonably safe place. But Berson gives advice that my mom probably would have passed along: Such a notebook is easily lost and might even be stolen. It could also be destroyed by a fire or other calamity.

My response, tardy as it is, might best be described as redundant redundancy. If you do keep a written record of passwords outside your computer or other device, always keep at least two separate, extra copies, and store them in separate places -- your car's glove compartment and a friend's home or apartment, that sort of thing.

As for my insistence that you create totally unguessable passwords, Berson has a great idea that should make everything much easier.

"My method," he writes, "is to use the same 'base' password such as eEyy #@, easy to remember yet difficult to break, then use a 'suffix' password, added to it at the end, that’s unique to the site being accessed. An example might be the first and last letter of the site, perhaps one capitalized, one not, in, say, 'An' for Amazon. Then the final password would be eEyy #@An. That way you can memorize any password for your vital websites. You could use the site’s name jumbled in any combination you want and it would be unique to that site."

A fabulous idea. My thanks to Steve Berson. If you have suggestions, comments, questions or just gripes about my column, you can reach me at afasoldt@gmail.com.