Some thoughts on Security

Personal security. And it won't even involve a gun, either.

This morning I made a purchase on eBay, the exact model of amateur radio I gave been looking for, with certain extras and modifications which I have wanted, and, to top it off, it's local, so I can just go and pick it up from the seller. (Who confirmed that the shipping fees would be charged anyway by ebay, but that he would refund them in cash at the meeting point.)

Alas, he required payment using paypal, and I couldn't remember my paypal login! Been years since I used it, and it was made using a defunct email account. Attempts to recover it failed. Repeatedly. I would click "forgot login" and fill out the information, and... nothing. I suspect it was sending an email to the old, no longer existent, address saying "Hey, stupid, here's your paypal information." And clicking "Forgot password" led me to "Fill in your email address", which, of course is no longer valid...

Okay, I'll set up a new account. Oops! You have to record a card, and "Our records show that there is already an account using that credit card account."

Searching the paypal FAQs eventually led me to the discovery that, as long as you have your old email address and the old password, you can still log in.

Eventually, I found where I had recorded the old login information, and got logged back in, and still had to go through a bit of a rigmarole, changing to a curent, valid email address, setting up security questions, etc.

So, lessons*:

1. Record account information somewhere secure. Include all the information you might need, user id, email addresses, password, URLs, etc.
2. If it's electronic--I've been using Ilium Software's eWallet, on my smart phone and on the desktop--use a password for it, too.
3. Strong Passwords: The longer the better, and use a combination of upper and lower case letters, numbers, and special symbols, if allowed by the system. ("Shift-Fkeys. !, @, #, etc.)
   
4. DO NOT use easy-to-recover dates as part of your password.
5. DO NOT "dictionary words".
   
6. You CAN use numbers and "special symbols" to change words. 'Way back when I was a kid, some (other) clever kid in my neighborhood had the epiphany that 4377 is "hell" upside down, sort of. Use the "@" sign for either "a" or for "at". Use "!" for 1 (numeral one), or l (lower case "ell"). "$" is "ess", obviously.
7. Depending on what method you use for recording your password, you might want to make a note as to which characters are "ones" and which are "lower case ells."

At the Salt Mines, we have a variety of computer-based systems, for email, HR, training, payroll, and I can't remember what else. Almost all of these systems takes it's own, discrete, password. The passwords all expire, and the "half life" of each system's passwords is differant. This can be a real headache, requiring people to remember all sorts of differing passwords; since some of them are set up to use to access telephone systems, those can't use special symbols, either. This leads to frequent "begs" in the suggestion boxes to set up all these sytems with one common password.

Trying to explain to people that this would be poor security is futile. Probably would be even after their identity got stolen, or they were found to have allowed unauthorized personnel access to the system.

Here is a link to the Wikipedia article on Leet, or 1337, or Leetspeak, which is an Internet argot that can be useful for devising strong passwords.

Another article on "Choosing Good Passwords."

*I'd call them "lessons learned", but I already knew them. Except for #7, which I learned the hard way a week or two ago in another minor household fiasco...