Posted by Ken Leeser in Compliance, Password strength, Policies
July 17

On the Kaliber Web Site I recently linked to an article from the New York Times technology feed which discussed how Twitter’s corporate email accounts on Google Apps were hacked: http://www.kaliberdatasecurity.com/newsdetails.php?id=11

So what simple things can be done to protect our information with so much of our lives and data being stored on the web?

The first thing I recommend is that you use a separate password for every site and web service that requires you to provide credentials. While that may initially seem to be a daunting task, here is a suggestion to ease the burden and to comply with most password strength rules:

Construct a 9 character password from the following 3 components: 4 characters, a punctuation mark, and 4 numbers. The first 4 characters should be a nickname for the website: e.g., face for Facebook, twit for Twitter, bofa for Bank of America, etc. The punctuation mark should vary based on the type of account: ‘$’ for financial accounts, ‘)’ for social networking sites, ‘@’ for email accounts, etc. The 4 numbers can be the same for all of your accounts, but pick some non-personal code. Do not use your birthday, your birth year, or the last 4 digits of your phone number. Pick a random set of 4 digits and stick with them. Finally, as most passwords are case sensitive, always make one of the first four characters uppercase (say the third).

With this method and assuming your 4 digit code is 1111 (also not recommended) your passwords might look like:
boFa$1111 for Bank of America; twIt)1111 for Twitter, etc.
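The recipe above, written out as an added example (not code from the original post) so the three components and the usual site strength rules can be checked mechanically; the account-type mapping, the `weak_code` check and the `mail` sample account are assumptions introduced here:

```python
import re
import string

# Punctuation mark per account type, as the post suggests (constructed
# mapping; extend it for any other account type you use).
TYPE_MARK = {"financial": "$", "social": ")", "email": "@"}


def weak_code(code: str) -> bool:
    """True for a 4-digit code of one repeated digit, such as the post's 1111."""
    return len(set(code)) == 1


def build_password(nickname: str, account_type: str, code: str,
                   upper_index: int = 2) -> str:
    """Assemble a 9-character password from the post's three components:
    a 4-letter site nickname with one letter uppercased (the third by
    default), a punctuation mark chosen by account type, and a fixed
    4-digit code shared across accounts."""
    if not re.fullmatch(r"[a-z]{4}", nickname):
        raise ValueError("nickname must be exactly 4 lowercase letters")
    if not re.fullmatch(r"[0-9]{4}", code):
        raise ValueError("code must be exactly 4 digits")
    if account_type not in TYPE_MARK:
        raise ValueError(f"unknown account type {account_type!r}")
    if not 0 <= upper_index < 4:
        raise ValueError("upper_index must be between 0 and 3")
    letters = list(nickname)
    letters[upper_index] = letters[upper_index].upper()
    return "".join(letters) + TYPE_MARK[account_type] + code


def meets_typical_policy(password: str, min_length: int = 8) -> bool:
    """Check the usual site rule: minimum length plus lowercase, uppercase,
    digit and punctuation characters all present."""
    return (len(password) >= min_length
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


if __name__ == "__main__":
    # Constructed sample accounts; "1111" is the post's own (not recommended) code.
    for site, kind in (("bofa", "financial"), ("twit", "social"), ("mail", "email")):
        pw = build_password(site, kind, "1111")
        print(pw, "policy ok" if meets_typical_policy(pw) else "policy fail",
              "(weak code)" if weak_code("1111") else "")
```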

The main reason for having separate passwords for every system is to limit a hacker’s ability to use a discovered password on more than one site.

There still remains, however, an additional outstanding issue: how should you answer the security questions that most websites provide to help recover lost passwords? As the NY Times article discusses, and as was the case in the hacking of Sarah Palin’s email during the 2008 presidential campaign, hackers have been able to change the password by answering the recovery questions correctly.

The best websites allow you to write both the question and the answer. If that is the case, create a question for which the answer is not in the public record. For example, your high school mascot can be fairly easily obtained. Your favorite babysitter’s name, less so.

Some websites offer a large list of questions for you to select as your recovery questions. Again, the trick here is to choose the questions for which your answers are least known to anyone but yourself.

Finally, for those sites which have not caught up and still ask basic questions like Mother’s Maiden Name, the best strategy is to provide false information. But, of course, now you have to remember that data. So pick a strategy that works and remember it.

One Response to “Kaliber’s View on Passwords”
July 25th, 2009 at 5:58 am

“Finally, for those sites which have not caught up and still ask basic questions like Mother’s Maiden Name. The best strategy is to provide false information.”

Or answer it, “You’re an idiot for asking such an easily find-out-able question.”
