Wednesday, June 13, 2012

Password Security - Part 3

After reading my last post, hopefully you figured out all the passwords you have and entered them into a program like KeePass.  For me, when I collected them all in one place, I was surprised to realize I have almost 100 different sites with passwords.  The next goal is to group all these different sites into categories.  At first I didn't know what the different categories would be; I just had to look at what I had and logically arrange them.  Once I had the categories, I considered what level of security I wanted for that category.  I also looked at how frequently (or infrequently) I accessed the sites in that category.  To me, daily or weekly is considered frequent and monthly or greater is considered infrequent.  And lastly, I took into consideration where I access that site from.  The vast majority of the time I'm "surfing" the Internet from either my home computer or my work computer.  But what if I'm using a friend's computer, a computer in the library, an Internet cafe, etc.?  Do I want to be able to log in to my accounts from these less trusted sites?


Category:  Banking
Description:  This category is pretty straightforward - it's banking, credit, and financial sites.
Security:  Highest
Frequency:  Infrequent (monthly at best)
Location:  Home and work only.  I wouldn't trust any other computer to log in to these sites.  I would hate for a virus or key logger to compromise my banking accounts.


Category:  Online Stores
Description:  This group is all the online stores I have an account with.
Security:  High - most of these sites store credit card info which I don't want compromised.
Frequency:  Mostly infrequent (for many of the sites I only have a password because I needed to create an account for a one-time purchase), but a select few are frequent.
Location:  Home and work only.  I don't order things when traveling or from someone else's house.


Category:  Utilities
Description:  All of my monthly bills; e.g. gas, water, power, trash, etc.
Security:  High - utilities, like online stores, persist financial account info.
Frequency:  Infrequent (monthly)
Location:  Home only.  I'm not going to want/need to pay a bill from a computer other than my own.


Category:  email
Description:  Like many people I maintain several email accounts.
Security:  High - I consider email to be very high security, probably higher than most people would.  Most email sites these days keep all your old emails.  That's a lot of personal info about me I don't want compromised, including emails from my banks, utilities, etc.  There is easily enough info in there to commit identity fraud.
Frequency:  Frequent (daily)
Location:  Anywhere - I would like the ability to log in and check my email from any computer; home, work, friend or family, strange computer in the airport, etc.


Category:  Social media
Description:  Although I don't have many, I have a few "social media" accounts.
Security:  Medium - while they don't have financial info about me, social media sites typically do have a lot of personal info which would be useful for someone trying to commit identity fraud.
Frequency:  Frequent (weekly)
Location:  Anywhere - Like email, I would like the ability to log in to social media sites from any computer.


Category:  Work
Description:  I have a small number of sites that I access for my job.  From a personal standpoint the security level should be low, but I'll bring it up to medium since some of the sites might contain company secrets.
Security:  Medium
Frequency:  Frequent
Location:  Work


Category:  Forums and everything else
Description:  I have tons of forums, bulletin boards, and other informational sites that I have accounts with.  Oftentimes these are read-only; the site just requires you to create an account to access the info and/or download the files.  I consider all of these sites to be low security.  Do I really care if someone logs in as me to download trial software from VMWare?  No.
Security:  Low
Frequency:  Frequent (for some of the forums) and infrequent for many of the others.
Location:  Home and work only.  Most of these accounts are forums, and you can still read posts without logging in.  So I can still access them read-only from any computer, but I'm fine only posting from my home and/or work computers.



There you have it, a breakdown of the categories I came up with.  Each of my almost 100 sites fits into one of these categories.  In my next post I'll discuss the password scheme I've come up with to be able to access these sites while maintaining an acceptable level of security.
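The category table above is easy to keep as data rather than in your head. The following is an added example, not the author's code: it transcribes the post's seven categories (security level, frequency, allowed locations) into a small Python table, reads a constructed inventory in the shape of a KeePass-style CSV export with one assumed extra "category" column (KeePass does not emit such a column itself), answers the "can I log in from here?" question per category, and adds one check the post does not spell out but the tiers imply: a password shared between two categories of different security levels is only as safe as the lower tier.

```python
"""Model the post's site categories and check a password inventory against them.
Added example, not the author's code. The category table transcribes the post;
the CSV rows, usernames and passwords are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
import csv
import io

# Security levels from the post, ordered from lowest to highest.
TIERS = {"low": 0, "medium": 1, "high": 2, "highest": 3}


@dataclass(frozen=True)
class Category:
    name: str
    security: str          # key into TIERS
    frequency: str         # "frequent" or "infrequent", as the post uses them
    locations: frozenset   # where the author is willing to log in from


ANY = frozenset({"home", "work", "other"})   # "other" = library, cafe, friend's PC

# Transcribed from the post's category list.
CATEGORIES = {
    "banking":   Category("banking",   "highest", "infrequent", frozenset({"home", "work"})),
    "stores":    Category("stores",    "high",    "infrequent", frozenset({"home", "work"})),
    "utilities": Category("utilities", "high",    "infrequent", frozenset({"home"})),
    "email":     Category("email",     "high",    "frequent",   ANY),
    "social":    Category("social",    "medium",  "frequent",   ANY),
    "work":      Category("work",      "medium",  "frequent",   frozenset({"work"})),
    "forums":    Category("forums",    "low",     "frequent",   frozenset({"home", "work"})),
}

# Constructed inventory. The "category" column is an assumption for this example.
SAMPLE_CSV = """title,username,password,category
First Bank,alice,Zk9!vq2#Lm,banking
Power Co,alice,Zk9!vq2#Lm,utilities
Webmail,alice,pq7$Rt1&Yw,email
Gadget Store,alice,pq7$Rt1&Yw,stores
Chatter,alice,hx4%Nb8@Cs,social
Vendor Forum,alice,hx4%Nb8@Cs,forums
Intranet,alice,Ws2^Dj6*Qa,work
"""


def load_inventory(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def group_by_category(rows):
    """Map each category name to the site titles filed under it."""
    groups = defaultdict(list)
    for row in rows:
        if row["category"] not in CATEGORIES:
            raise ValueError(f"unknown category {row['category']!r} for {row['title']!r}")
        groups[row["category"]].append(row["title"])
    return dict(groups)


def login_allowed(category, location):
    """Does the post's location policy permit logging in to this category from here?"""
    return location in CATEGORIES[category].locations


def cross_tier_reuse(rows):
    """Return pairs of categories that share a password but sit in different tiers.

    A shared password drags the higher tier down to the lower one: a compromised
    forum login would also open the social-media account, and so on. This check
    is added here; the post itself only defines the tiers."""
    by_password = defaultdict(set)
    for row in rows:
        by_password[row["password"]].add(row["category"])
    findings = []
    for cats in by_password.values():
        tiers = {TIERS[CATEGORIES[c].security] for c in cats}
        if len(tiers) > 1:
            findings.append(tuple(sorted(cats)))
    return sorted(findings)


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_CSV)
    for name, titles in group_by_category(inventory).items():
        cat = CATEGORIES[name]
        print(f"{name:10} {cat.security:8} {cat.frequency:10} {sorted(cat.locations)} -> {titles}")
    print("login to banking from a cafe allowed:", login_allowed("banking", "other"))
    print("passwords shared across tiers:", cross_tier_reuse(inventory))
```

On the sample data the reuse check reports the banking/utilities pair and the social/forums pair; the email/stores pair is not reported because both are "high". Whether a password may be shared within one tier at all is exactly the question the author defers to the next post, so the check deliberately stays silent on it.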
