Monday, April 27, 2009

4 Methods To Handle Passwords Safely Over The Net



 
 

via MakeUseOf.com by Daniel Pataki on 4/13/09

Nowadays I think many people are over-obsessive about security online, but in some cases it is more than warranted. Remember when Make Use Of was simply stolen from under us? Gmail security flaws, website design problems, you name it: the user doesn't necessarily have to be at fault all the time. But we have to keep and even send passwords a lot of the time, so here are a few ways to do it quickly and securely.

Text Tricks

This is a manual way of sending passwords and it can be the safest if used well. It can be especially helpful if you work as a freelancer and have phone or Skype contact with your clients.

You simply tell them how to decode your password. In an email, you could tell them that the password is "g7H1k-5t", but on the phone, or maybe through a separate service, you can let them know how to modify this to make it the real password.

For example, one algorithm would be to change the case of the letters and subtract one from each digit. In this case the above password would be "G6h0K-4T". This is more than sufficient, maybe even too much. The thinking here is that hackers who get your data from your email probably aren't brute force hackers. If they find a password they'll try it; if the pass is for your PayPal account they might try a few variations, but they'll give up quickly and search for other targets instead.
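The rule above written out in both directions, as an added example that is not part of the original article. The function names are hypothetical, and the wrap-around for the digit 0 is an assumption, since the article's example contains no 0.

```python
def _shift(ch: str, step: int) -> str:
    """Apply the article's rule to one character."""
    # Only ASCII is transformed: some non-ASCII letters change length when
    # their case is swapped, so the rule would stop being reversible.
    if not ch.isascii():
        return ch
    if ch.isdigit():
        # Assumption: digits wrap around (0 - 1 -> 9). Both parties must
        # agree on this beforehand or the recipient gets a wrong password.
        return str((int(ch) + step) % 10)
    return ch.swapcase()  # leaves punctuation such as "-" untouched


def decode_sent(sent: str) -> str:
    """Recipient side: swap case, subtract one from each digit."""
    return "".join(_shift(c, -1) for c in sent)


def encode_real(real: str) -> str:
    """Sender side: the inverse, producing the string that goes in the email."""
    return "".join(_shift(c, +1) for c in real)


def unchanged_chars(real: str) -> int:
    """Count characters the rule does not alter (they travel in the clear)."""
    return sum(1 for a, b in zip(real, encode_real(real)) if a == b)


if __name__ == "__main__":
    real = "G6h0K-4T"                      # real password from the article
    emailed = encode_real(real)            # "g7H1k-5t", as in the article
    assert decode_sent(emailed) == real    # the rule round-trips
    print(emailed, "->", decode_sent(emailed))
    print("characters sent unmodified:", unchanged_chars(real))
```

A password made up mostly of symbols is barely changed by this rule, so check `unchanged_chars` before relying on it.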

Using Multiple Or Unique Contact Channels

One of the most effective defenses against password theft and exploitation is to separate your dealings into multiple channels. You can send the first part of a password using email, the second part through a private Twitter message, an IM session, or even on a phone call.

Using your phone alone would probably be the safest choice here, since I am guessing there are very few hackers who try to listen in on your calls, especially if they are made over a regular line and not over the internet. The idea in this method and the one above is to give hackers a run for their money. Hackers obviously choose easy targets over hard ones, so if finding out your password would take them hours and hours, they will probably switch to other targets.

Another method you can use is a simple SMS, or if you're really freaky about security you can snail mail a password using DHL overnight (I think that's a bit overkill). There are a lot of channels which can't readily be monitored. Heck, if the person lives close enough, use smoke signals or just go to his house and tell him personally.
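An added example, not part of the original article, of splitting a password across channels. It goes one step beyond sending the first and second halves: with an XOR split, each share on its own is random bytes and reveals only the password's length. The function names are hypothetical.

```python
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(password: str, channels: int = 2) -> list[str]:
    """Return one hex share per channel; all shares are needed to recover."""
    if channels < 2:
        raise ValueError("need at least two channels")
    data = password.encode("utf-8")
    # All but the last share are fresh random bytes of the same length.
    shares = [secrets.token_bytes(len(data)) for _ in range(channels - 1)]
    last = data
    for share in shares:
        last = _xor(last, share)
    shares.append(last)  # password XOR all the random shares
    return [s.hex() for s in shares]


def join_shares(shares_hex: list[str]) -> str:
    """Recipient side: XOR every share together to get the password back."""
    parts = [bytes.fromhex(s.strip()) for s in shares_hex]
    if len(parts) < 2 or len({len(p) for p in parts}) != 1:
        raise ValueError("expected two or more shares of equal length")
    acc = bytes(len(parts[0]))
    for part in parts:
        acc = _xor(acc, part)
    return acc.decode("utf-8")


if __name__ == "__main__":
    # Constructed sample: the password used in the article's image example.
    email_part, sms_part = split_secret("gk7-wero8(.")
    print("send by email:", email_part)
    print("send by SMS:  ", sms_part)
    print("recovered:    ", join_shares([email_part, sms_part]))
```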

Privnote

Privnote is a great online service which lets you send self-destructing messages, Mission Impossible style. Once someone views your message it cannot be retrieved because it is deleted from their database. Enter the password, send the link to the person you need to show it to, and once he/she views it, no one else will be able to.

This service is fantastic because it allows for verification. You can also opt to get a message when someone views the note, so you can, for example, drop the client a quick email to ask if it was indeed him/her. If it was, great; if not, you can revoke/change the pass.

Possibly a better way would be to send a password which is not yet active. If the person verifies that he/she has seen it, you can implement the pass; if not, you can just add a new one.

Use Images Instead Of Text

Using images instead of text might be an effective defense against many hackers. This method is widely used to protect email addresses shown online from scrapers, but you can use it in your emails as well. If you have thousands of emails a hacker will probably search for the word "password", but if you take care not to write it down, they won't find anything.

Instead of writing "your password is gk7-wero8(." you can create an image with the same text. The advantage here is that while code can be parsed automatically, images can't. Or rather, they can, but there is no hacker out there who is going around parsing images on sites for passwords, I think.

Use Throw-Away Email Addresses

Throw-away email addresses are very safe because once the time is up, the account just doesn't exist any more.

MeltMail is a solid service you can use to create email accounts which can expire in as soon as 3 hours, or up to 24 hours. If working with clients or friends this is usually more than enough, so hackers probably won't have a chance to respond, even if they monitor your email.

You can also use Mintemail, which is quite similar, but it generates random email addresses, and random usually means greater security. You can also set up some forwarding, and in the case of Mintemail you can opt for a 1 month duration.

We have a lot of stories on MakeUseOf tagged "password". Why not take a look? Do you have any other ideas for how to protect your passwords on the net? If so, let us know about them in the comments below.
