Although their purpose is to prevent unauthorized access, passwords are often the weakest link in protecting personal information and avoiding identity theft. Why? Many people have trouble remembering passwords, so they choose something they find easy to remember.   Unfortunately, a password that is easy for you to remember is likely also pretty easy for the bad guys to guess… and if you use that same password for your email and for your bank account, once it is cracked all of your sensitive information becomes accessible.

What constitutes a "good" password, and why are good passwords important? Passwords are a first line of defense against unauthorized access that can lead to identity theft. Just as you routinely lock your house or your car, it's important to lock down access to electronic assets.

When choosing a password, you should avoid using passwords that can be guessed based on information in your public profiles (there’s usually a lot more there than you realize), and to find ways of choosing something that a password cracking program is unlikely to generate. The use of combinations of capital letters, numbers, and punctuation characters decreases the likelihood that a program will stumble onto your password. Even better is to completely avoid using words found in a dictionary. How can you do all that and still remember your password? One approach is to think of a phrase, such as a title or a quote from a book or song, and then take the first letter or first two letters of each word in the phrase. That makes it easy for you to remember the phrase and reconstruct the password, but makes it very difficult for someone else to guess.

As for how to manage lots of these strong passwords so as not to share them across services, the best option for most people is to use a good quality password safe program. There are a number of these available, both open source (free) and commercial. Stay tuned for an explanation and review of password safe programs in a future article.

Epsilon, an email marketing company that sends email on behalf of many major companies, announced earlier this year that hackers had broken into their systems and accessed names and email addresses belonging to many of their clients. Although they stated that no other sensitive information was stolen (e.g. no account numbers or financial information), the combination of names and email addresses opens the door to targeted email attacks known as "spear phishing".

A spear phishing attack enables the attacker to spoof an email from a trusted service provider, using the customer name to further encourage the recipient to believe the message is genuine. The message will then attempt to trick the recipient into responding with further personal information. 

The list of Epsilon clients affected by the break-in is already long, and has been growing. The clients include a number of financial institutions such as American Express, Ameriprise Financial, Barclays Bank of Delaware, Capital One, Citibank, JP Morgan Chase, US Bank and Visa, as well as many major retailers.

What should you do?