Treat your passwords and pass phrases with as much care as the information that they protect (bank or financial information should be more secure than signing up for a free PDF).
Don’t reveal your passwords to others. Try to keep your passwords hidden from family members (especially children) or friends who could easily pass them on to other individuals. In the real world, you still may need to share your password with others, such as your online banking account password that your spouse might need to access. Those are the exceptions and not the rule.
Protect recorded passwords. Be careful where you store the passwords that you write down or enter into the computer. Do not leave these records of your passwords anywhere that you would not leave the information that they protect. Offices are notorious for being very insecure because many corporate password policies require you to change your passwords every 30-60 days, so people write them down and place them where they can find them quickly. If you’re in a more secure office, this isn’t a problem.
Never e-mail your password to companies. This is what is commonly called “phishing.” If a company requests you to send your password or if it requests you to verify your password by accessing a Web site is almost certainly a fraud. This includes requests from a trusted company or individual. Often the requests come from an e-mail that looks like a trusted company. What may have happened, though, is that the bad guys have intercepted an actual e-mail and created their own e-mail that will gather information from the user in a fraudulent manner. No trusted company will ask you to resend your password. This once piece of information will save you an incredible amount of heartache.
Change your passwords often. Two or three times a year is good. More often is better. This can help keep the bad guys unaware. Depending on the strength of your password will determine the length of time it is good. If a password is smaller than 7-8 characters should be considered only good for a few weeks, while a password that is 13 characters or longer (and follows the other rules outlined above) can be solid and acceptable for years.
Don’t type passwords on computers that you do not have control over, such as those in computer labs, conferences, internet cafes, airport lounges, or other public facilities. They should not be considered safe for personal use other than for browsing the internet anonymously. Any account that requires a user name and password should be considered unsafe for sending and receiving personal information. Be very very careful when sending information across these computers.
Do not use these computers to check online e-mail, chat rooms, bank balances, business mail, or any other account that. Criminals can purchase keystroke logging devices for very little money and they take only a few moments to install. These devices let malicious users harvest all the information typed on a computer from across the Internet–your passwords and pass phrases are worth as much as the information that they protect.
