Rights & Money

Strengthen Your Password Strategy

A sound password strategy is a critical element in your protection against cyber criminals.


By Olev Edur

Photo : iStock/filistimlyanin.

Your passwords are your first line of defence online—the key that can unlock the vault and allow criminals access to your secrets and treasure.

“The more we use cyber technology, the more we create a digital footprint that can be exploited,” says Ritesh Kotak, a Toronto-based cyber security expert whose clients include the Toronto Police Service. “But creating an effective password strategy can be a challenge.”

For starters, Kotak advises against using anything that is recognizable. “Don’t just use words or names,” he says. “Passwords should be complex and contain a combination of upper- and lower-case characters, numbers, and symbols. Avoid dictionary words—the more random, the better.”

Don’t use the same password on all the websites you visit. “Having different passwords for different sites is even more important than complexity,” says Andy Ellis, the chief security officer for Akamai Technologies in Cambridge, Massachusetts. “If you use the same password on Amazon as on other websites and Amazon also has your credit card number, any hacker can get access to that card number once he or she has discovered your password on another site. Don’t reuse your passwords and, in general, try to minimize the information you send to people.”

Change your passwords periodically. “You should have good strong passwords on your phone and computer, and you should change them every three months,” says Daniel Tobok, the chief executive officer of Cytelligence, a Toronto-based cyber security company. “It may be a pain, but it will save you from some crazy stuff in the long run.”

Yes, effective password management can indeed be a pain. Not only do you need to write down each password for each website, but you need to keep track of all the changes. There are, however, some ways to make it easier for yourself. For example, Ellis suggests, use the “password vaults” that come with some browser programs: “Should you save passwords when prompted by your browser? It’s a good idea—Safari and Chrome, for example, use really good security models to protect those passwords.”

However, while Kotak agrees that these browser vaults are secure because they’re encrypted, he cautions against using any of the recently introduced apps that supposedly handle all your passwords for you. “You should avoid these new ‘password keeper’ apps that say they will take care of all your passwords for you, because they can be easily hacked,” he advises.

Even if you use browser vaults, though, you still should keep track of what’s in there, for reasons that go beyond security. “One key issue, especially for seniors but really for everyone, is how to provide access to your next of kin,” Ellis says. “Keep a folder with all your passwords and put it in your desk drawer or somewhere else that’s accessible. If you have a safe or a safety deposit box, file your passwords with all your other key information. Otherwise those accounts and websites will all be locked and your family may not be able to access them.”

Getting back to security, some organizations—notably banks—are also now offering two-step verification, and all three advisors say this is an exceptional and almost hack-proof solution. “When you go to access your account, you are sent a text message or e-mail with a digital code that is always changing,” Tobok explains. You must key in this code to access your information. It makes it 10 times harder for criminals to penetrate.”

“If anybody offers you two-step verification, you should always sign on for it,” Ellis says, “especially when it comes to bank accounts.”

And yet more help is on the way. “A lot of great things are happening with mobile apps,” Kotak says. “For example, there’s a lot of work being done now on biometrics—fingerprint or facial identification technology. The iPhone is now available with facial or fingerprint identification, and there’s no way around that.”

Finally, Kotak offers one further suggestion for strengthening your security. “People can use your e-mail to get passwords, so use more than one e-mail address,” he says. It’s all about diversifying your risk, and one way to diversify is by using perhaps two e-mail addresses—one for your personal connections and another one for your banking. I personally use three e-mail addresses—one for work, one for apps, and one for personal stuff. The more you diversify your defences, the harder it is for the bad guys.”