posted: Feb. 27, 2010 @ 7:41a
I thought it would be useful to post a note about passwords and security, given how much of our financial lives are subject to a username and password.
Many of us are familiar with, and use, programs such as keepass, roboform, 1password, truecrypt, etc., which we use to securely store our usernames and passwords.
Some of these programs generate strong passwords as well.
One of the most common "weak links" in the security setup is the ability to reset passwords in the event they are forgotten. Institutions generally allow the password to be reset in one of several ways, and each of them usually involves answering a security question.
Sometimes the security question just pops up in the browser, and sometimes the security question is sent via a link to your e-mail account of record.
Answers to many security questions are easy to guess, especially if someone knows you: "Where did you grow up?", "What is the name of your high school?", etc. The strongest password in the world is not much of a defense against a "password reset" that requires the thief to "guess" that your favorite food is "pizza" or that your mother's maiden name is "McDonald."
I suggest that people populate the security question answer field with another "strong" password generated by the password keeper program of choice. For example, "What is your Mother's maiden name?" gets filled in with "Th36Nx9E8VDiAW".
Another "weak link" is the username. Generally speaking, it is better to have your username also randomly generated, so that people don't easily fall upon your username and start hacking away at the password.
A third weak link to security is our e-mail. Many people use their general e-mail account as their username at their bank. That is dangerous because it provides half the key to get into the account, and our e-mail addresses are usually easy to guess by people who know our names or can guess our names. More importantly, our general e-mail accounts are often very easy to hack into because we use our names and because the addresses are publicly available, since we use them publicly. And e-mail accounts are generally easy to hack into (some easier than others). Remember, once someone has your e-mail account they can see everybody you bank with and can then try resetting passwords and hacking into your accounts, knowing you have relationships with particular banks.
I recommend that financial sites be linked to a "financial e-mail" account that is used only to open accounts with, and communicate with, financial institutions that were provided the e-mail address as part of the account activation process (or that have it because you just created it and updated your profile). Never use such an account to communicate with a merchant, family member, etc. This e-mail account should also be something like Th36Nx9E8VDiAW@gmail.com (that is, use your software to generate a "strong" password and use that password as your username). The password for the account should also be a strong password, of course.
This last recommendation has the benefit of separating your "financial life" from your personal life, and also lets you provide in a letter, or will, an e-mail address to be checked for all of your finance-related accounts in the event you happen to die without an updated list of where you bank, invest, etc. Just put the password in the safety deposit box and your executor will be able to check through your e-mail without trolling through your personal e-mail, and they can then contact the banks to perform their duties as executor.
I know that many of us don't use a strong password for our personal e-mail, because we like to be able to remember the password without having to use a program to fill in the long random password. Opening a "financial e-mail" account will let you keep your current weak password and require you to use that password program to "remember" your banking email password when you need to do some banking.
There are many "tricks" to generating a strong password that you can easily remember, which I would recommend for even your general e-mail account whether you use it for banking or not. For example, a telephone number with area code for the house you grew up in (heck, the original area code may have changed over time, making it that much harder to guess), followed by a character such as / or \ or *, and then a string of letters (the first, second or third letter of each word in some phrase you like to use; "Lord, deliver me from temptation" turns into "ldmft").
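To make the two recommendations concrete (random security-question answers from a password manager, and the phone-number-plus-phrase trick above), here is an added example, not code from the original post: it generates a random answer with the OS CSPRNG, estimates how many bits of guessing work it carries compared with a guessable answer such as "pizza", and builds the memorable password from a phone number, separator and phrase. The phone number and the "1000 common foods" figure are constructed assumptions for illustration.

```python
import math
import secrets
import string

# Alphabet matching the sample answer on the page ("Th36Nx9E8VDiAW"):
# upper- and lower-case letters plus digits, 62 symbols in all.
ALPHABET = string.ascii_letters + string.digits


def random_answer(length: int = 14) -> str:
    """Random security-question answer, drawn with the OS CSPRNG.

    This is the kind of string a password manager generates; store it in the
    manager under the question it answers, never reuse it as a real password.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(candidates: int, length: int = 1) -> float:
    """Bits of entropy for `length` independent picks from `candidates` options."""
    return length * math.log2(candidates)


def mnemonic_password(phone: str, separator: str, phrase: str,
                      letter_index: int = 0) -> str:
    """Build the memorable password described in the post.

    phone: a telephone number with area code (a childhood home number).
    separator: a symbol such as '/', '\\' or '*'.
    phrase: a phrase you like; the letter at `letter_index` (0 = first letter)
            of each word is taken, so "Lord, deliver me from temptation"
            becomes "ldmft". Punctuation around words is ignored.
    """
    words = [w.strip(string.punctuation) for w in phrase.split()]
    letters = "".join(w[letter_index].lower() for w in words
                      if len(w) > letter_index)
    return f"{phone}{separator}{letters}"


if __name__ == "__main__":
    answer = random_answer()
    print(answer, f"{entropy_bits(len(ALPHABET), len(answer)):.1f} bits")
    # Assumed: a favorite food chosen from roughly 1000 common foods.
    print(f"'pizza' from 1000 common foods: {entropy_bits(1000):.1f} bits")
    # Constructed phone number, not a real one.
    print(mnemonic_password("2125550100", "/", "Lord, deliver me from temptation"))
```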
So there you have it, some very basic security tips that will go a long way to protect your accounts, and, incidentally, eliminate the "financial clutter" that your personal accounts are plagued with. Just imagine what it would be like to have all of the yodlee/mint e-mails, and bank statement and credit card statement e-mails, going only to your "financial e-mail" account. If that seems like a pain, then at least make certain your personal e-mail account is not easily hacked, and is with a provider that does not let you easily reset the password or otherwise allow too many guessing attempts to log on.