And the Password Is...#%?@&!

How to recall your PINs and protect them from theft

Password? Sure, I know my password. My four-digit personal identification number for my credit and automated teller machine cards is my ex-wife's birthday. My eight-letter password, for computer log-ins and Web sites, is the name of the office's former FedEx driver. That's how it was, at least, until password hell broke out. More and more, even free Web sites make you register before you can get a peek. Now I count 49 passwords I have to remember, and some, such as the one that gives me access to my company's network, I have to change every 90 days or so.

It's enough to make me paste yellow stickies all over my computer--a violation of the No. 1 password security rule. But there's a safer and only slightly less convenient way. It's called a password manager, a piece of software that organizes all of your passwords and PINs and stores them in an encrypted file on your computer.

You can download hundreds of password managers from the Internet. Most cost $10 or $20 after a short trial, but some free ones are just as good and harder for hackers to crack. I looked at those and put together a shortlist of top-rated programs you can trust (table). One tip: avoid password managers that store your data on their servers instead of on your PC, or that are supported by advertising and are therefore likely to monitor your surfing.

I have been using a program called Password Safe for several years. (Don't confuse it with PasswordSafe, which stores your list on its Web site.) It and other early password managers, such as Whisper 32, are rudimentary, but they do the job. You type in a title to identify each Web site, network log-in, or e-mail account along with the user I.D. and password for each one. The program encrypts the list and stores it on your computer.

To decode the list, you must use the key, which is another password. It's a good idea to pick a phrase instead of a word. Mine is 28 characters long, but it's the only password I have to remember. When you need a specific password, unlock the file and look it up. Click on the title and the password is temporarily stored in memory; a second keystroke or mouse click will paste the word into the Web site's log-in box.

Password managers have evolved over time, so if you want more features, pick a newer one. With Access Manager or Oubliette, you can also store the Web address so you can go directly to the log-in page at the same time you retrieve your password. All of the programs will automatically generate hard-to-guess random passwords for you, such as 6sAH27f. That's handy for Web sites you rarely visit.

KeyWallet, introduced last year, is a more ambitious program. It can even create the list if you want, remembering each keystroke you type when you first log on to a Web site. On subsequent visits you drag and drop your user name and password to fill the log-in boxes. Apple computers come with Keychain, similar to KeyWallet.

Whether you use a password manager or not, here are a few tips for creating passwords: Because password-hacking programs often are based on lists of common words, don't use a word found in a dictionary. Don't use a word followed by two numbers. Don't use any part of your name, address, or birthday. Don't use the same password for more than one account. Use upper- and lower-case letters, numbers, and such symbols as # and &, if you can.
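The tips above, together with the random-password generator mentioned earlier, as an added Python example (not code from the article or from any of the programs it names); the small word list and the three-of-four character-class threshold are constructed assumptions:

```python
import re
import secrets
import string

# Constructed stand-in for the word lists that password-cracking programs use;
# a real check would load a full dictionary file.
DICTIONARY = {"password", "letmein", "welcome", "dragon", "monkey", "summer"}
SYMBOLS = "#&%?@!"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def password_problems(password, personal_info=(), used_elsewhere=()):
    """Return the article's rules that `password` breaks (empty list = passes).
    personal_info: strings such as a name, street or birthday year ("1975");
    used_elsewhere: passwords already in use on other accounts."""
    problems = []
    lowered = password.lower()
    # Rule 1: no word found in a dictionary (cracking programs try those first)
    if lowered in DICTIONARY:
        problems.append("dictionary word")
    # Rule 2: no word followed by two numbers, e.g. "Summer99"
    if re.fullmatch(r"[a-z]+\d{2}", lowered):
        problems.append("word followed by two numbers")
    # Rule 3: no part of your name, address or birthday
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal info '{item}'")
    # Rule 4: never the same password for more than one account
    if password in used_elsewhere:
        problems.append("already used for another account")
    # Rule 5: mix upper and lower case, numbers and symbols; the article says
    # "if you can", so this check (an assumption) requires three of the four
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in SYMBOLS for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    return problems


def generate_password(length=8):
    """Random password in the style of the managers' 6sAH27f, drawn from the
    OS randomness source and re-drawn until it passes every rule above."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not password_problems(candidate):
            return candidate
```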

If you use a handheld device, store your passwords there so the list is handy. Zetetic's Strip 1.0 or Yaps 2.5 from MSB Software are free password managers designed for the Palm. Wherever you keep them, be sure to have a backup, say, on a floppy disk. Or print out your list, scrawl your master password on it, and store it with your banking and charge-account documents. This will protect all your passwords against a computer crash, as well as your own failing memory.

By Larry Armstrong
