At the risk of being known as the "question-title guy" for blog entries, I read about this password-cracking site and found myself wondering what data security experts think about the way we devise passwords. A while back I was alerted to this blog entry by Bruce Schneier. He suggests:
that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.
So for a few years now I've done just that. Every once in a while I change all of my most sensitive passwords to long, randomly generated character strings, then keep them on a piece of paper in my wallet. That paper, by the way, does not say which website each password covers, nor the user IDs: I just have to remember the order in which I wrote the sites down.
Of course, not too long ago, Schneier's advice came back to haunt him, as you can see in this comment on a story about the recently busted Russian "spy" ring.
And, as I noted before, not all of my passwords are randomly generated 14-character strings; only about four or five of them are. That doesn't, of course, cover the wide range of password-protected sites I access. For other sites, I try to use random strings, but simply don't make them as long. They are written down as well, but kept at home rather than in my wallet: I just have to get used to not accessing certain sites remotely. For some sites, though, I still have "lazy" passwords. I try to keep those to sites that don't hold a lot of personal information on me, like news sites or hockey fan boards.
When our economy collapsed under the weight of bad loans, some pundits lamented the financial illiteracy of the average American. Proposals for mandatory classes in personal finance for schoolchildren were popular. Now, privacy is becoming big business, and our data is becoming a new sort of currency that must be managed responsibly.
Some sites on which I've registered require a non-numeral, non-letter character in passwords. This is a good habit to encourage. But often consumers click "Forgot my password" when they can't remember which "C" was replaced with "(". (Well, I shouldn't speak for everyone, just me, who's found himself there quite often.) One thing is for sure, however: Americans must begin to take this seriously as their data moves through the cloud as often as it does.
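For readers who want to generate the kind of "long, randomly generated character strings" described above, here is an added example (not code from the original post or from any tool the author used) that draws passwords from the operating system's CSPRNG, satisfies a "must contain a non-letter, non-digit character" rule without biasing the result, and reports how many bits of entropy a given length buys. The alphabet, the symbol set and the 14-character default are assumptions chosen for the example.

```python
import math
import secrets
import string

# Constructed alphabet for the example: letters, digits, and a symbol set that
# skips characters which are easy to misread when copied from paper (l, 1, I
# are still present; trim further if a site or your handwriting needs it).
LETTERS_DIGITS = string.ascii_letters + string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = LETTERS_DIGITS + SYMBOLS  # 85 characters


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols drawn from an
    alphabet of `alphabet_size` characters: length * log2(alphabet_size).
    14 characters over 85 symbols is about 89.7 bits."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 14, require_symbol: bool = True) -> str:
    """Generate a password from the OS CSPRNG via the `secrets` module.

    When a site demands a symbol, candidates without one are rejected and
    redrawn. Rejection sampling keeps the result uniform over the accepted
    set; forcing a symbol into a fixed position would not."""
    if length < 1:
        raise ValueError("length must be positive")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not require_symbol or any(c in SYMBOLS for c in candidate):
            return candidate


def meets_policy(password: str, min_length: int = 14, require_symbol: bool = True) -> bool:
    """Check a password against the kind of policy mentioned in the post:
    a minimum length plus at least one non-letter, non-digit character."""
    if len(password) < min_length:
        return False
    if require_symbol and not any(c in SYMBOLS for c in password):
        return False
    return all(c in ALPHABET for c in password)


if __name__ == "__main__":
    # Print a few candidates with their entropy so the length trade-off is visible.
    for n in (14, 20):
        pw = generate_password(n)
        print(f"{pw}  ({n} chars, ~{entropy_bits(n, len(ALPHABET)):.1f} bits)")
```

Two practical notes. Use `secrets` (or `os.urandom`) rather than `random`, which is a Mersenne Twister seeded predictably and not suitable for secrets. And the entropy figure only holds if the password is used once; writing the same string on paper for two sites halves the work an attacker needs once either site is breached.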