Friday, January 2, 2015

NOW is a Great Time to Change Your Passwords!

Guess what time it is?

It's password time!

Whether you like it or not, you need to change passwords - a lot.

In the last year there have been thousands of stories about passwords being stolen and accounts being compromised. That's not an exaggeration.

Here's an easy two-step process to improving your security this year:

1) Get a password vault.
That's a kind of software that allows you to store your passwords in an encrypted file. Keeping them in Word or Excel is NOT good enough - especially if you store them on your laptop.

I use a product called TK8Safe (www.tk8safe.com). It's 256-bit encrypten, which is good. And it's cheap. Like $20.

There are online password vaults, but there are several things I don't like about that. First, if the bad buys get your file, then can download it and proceed to work on it until they break in. No matter how secure it is, it will eventually be cracked.

Second, if you have problems getting to the Internet, you can't access your password vault. So if you choose a cloud-based system, make sure there's a local version as well.

Anyway, search for "Password Vault" - or ask your technology consultant what they prefer - and use it!

2) Change Your Passwords on a Schedule.
There are some passwords you should change a lot and others you only need to change from time to time.

The beginning of the year is a great time to change passwords. Just make it part of your day for the next few days.

Every time you're asked for a password in the next week, finish logging in, then change your password. As you go through your normal day, this virtually guarantees that you'll be changing the most important passwords you use every day.

After that, you should change some passwords every month or so. Super-unimportant passwords you might only change once per month. Note: If any account is connected to your bank or your credit cards, that password should be changed every month.


Three Levels of Passwords

I recommend (and use) three levels of passwords: Low, High, and Critical.

At the low level of security are things like Pandora, online stupid games, and sights that give me free things. And I reuse passwords a lot at this level. Think about it: If someone guessed my Pandora password, the worst thing that could happen is that I have to listen to music I don't like. That's it. Period. End of crisis.

Beware: Anything that touches your money or personal information should NOT be on the "Low Level" list.

In my opinion, you can change these passwords once per year. At the low level, it is perfectly acceptable to use the same 1-5 passwords over and over again. Each should still be a decent password (8-12 characters), but it doesn't have to be a 28-character phrase with every possible variable.

These sites either never ask for money, or they require that you put in your payment information each time. So if someone breaks in, they can spend their money but not yours.

At the high level of security are those things that do cost money and can cost you a lot more if someone breaks in. This includes your Amazon account with the stored credit card. And your favorite store account where your account credit is on the line. At the high level, you can still reuse a few passwords, but they should very good passwords, and you should change them monthly.

Here's one approach: When a bank asks you to change your password, that's a good time to change your password on your other bank accounts, your QuickBooks account, etc. That way you can keep your passwords in synch and still change them regularly.

A high-level password should be long and complicated. In a perfect world, it will be random characters - like this: 2Zb)Em!7mT#9V3b

Most password vaults include random password generators, like this:

You can also come up with screwy fake sentences, like: Y0uW1llL0v3Thi5!

But remember that bad guy computers know you're doing this, so they are programmed to crack passwords like that. Having said that, really long passwords are less likely to be broken, no matter what they look like.

At the critical level are services that can really cost you a lot of money. For example, I put the payroll service in this category. I use a password there that is not used anywhere else. And it's a great, long, random password. And it changes every 30 days.

The reason is simple: A hacked payroll could wipe out my operations bank account and get me in trouble with both the state and federal government all at once. You only have a few critical passwords. The main thing you need to do is to change them on a regular basis.


I think the three tiers make sense. We all know that Netflix is not as important as your stock portfolio account. But the bad guys are getting better and faster. So you need to take this seriously.

If all of this is just confusing, talk to you I.T. consultant! Schedule a time to get trained on modern best practices.

And have a safe year!

:-)