By Herb Weisbaum ConsumerMan contributor
updated 3/4/2010 7:49:32 AM ET 2010-03-04T12:49:32

Join a Web site and after you choose a password you’re normally asked to answer one or two challenge questions, such as your mother’s maiden name, the city where you were born or the name of your high school. Forget your password and you’ll be asked these challenge questions to verify your identity.

It seems secure enough, but it really isn’t.

“Those kinds of challenge questions were developed in the ’90s when it was assumed nobody but close associates would know what high school you went to, what year you graduated or your mother’s maiden name,” says Peter Cassidy, a security expert with the Anti-Phishing Working Group. “Now it’s very common to have all that information up on Web sites which are accessible to anyone with a browser.”

Just think about how much of this personal information you put on Facebook or other social networking sites. Anyone can snag this information and use it to answer those prove-who-you-are challenge questions.

So what do you do? Internet Security expert Linda Criddle, president of LOOKBOTHWAYS Online Safety Consulting, says if you are asked to set up a security question and the question itself is not secure – anything that’s public record or you’ve made public via the Web – you should lie.

“You don’t have to give a truthful answer when you register. You simply have to give an answer you’ll remember,” Criddle says.

When you set up the account, no one checks to see if the answer you provide is correct. You just have to use that word or phrase if you’re ever asked that challenge question.

Criddle’s advice: put down something that only you know. Answer “purple” or “apple” or “red Ferrari.” It doesn’t have to be the truth, just a word or phrase you’ll remember. What’s your mother’s maiden name? Red Ferrari. What high school did you go to? Red Ferrari. What’s your dog’s name? Red Ferrari. You get the idea.

The all-important, much-neglected password
Security is always a concern whenever you shop, bank, pay bills or do other important transactions online. And yet, many people use the most basic and insecure passwords. The threat of hacking has grown significantly in the past 20 years, but the most common passwords are just as easy to crack as they when the Internet was in its infancy.

The most common password back in the 1990s was 12345. Today it’s 123456. How’s that for progress?

Why are so many people careless with their online passwords? Why do they make them so simple that a beginning hacker can crack them?

“People pick passwords that are very logical and very easy to remember and that makes sense because we all have so many passwords today,” says Rob Rachwald of Imperva, a company that develops software to block hackers. “But it shouldn’t make sense because there are so many hackers out there trying to break into our online accounts.”

Imperva recently issued a report on the most commonly used passwords. It’s based on real-world data collected after a security breach in December of 2009. A hacker broke into a popular Web site,, stole 32 million passwords and posted them on the Web. Imperva analyzed that data and found that:

  • About 30 percent of the passwords were too short, six characters or less.
  • Almost 60 percent choose their passwords from a limited set of alpha-numeric characters. They only use numbers or lower case letters. They don’t mix it up.
  • Nearly half use names, slang words, real words or “trivial” passwords such as 12345 or qwerty.

The Imperva report says the combination of poor passwords and automated hacker attacks puts consumers and companies at greater risk than ever. The report concludes that a typical hacker today can break into 1,000 accounts in just 17 minutes. I find that frightening.

A good password is at least eight characters long, using letters (upper and lower case) numbers and symbols. It should be something that’s easy for you to remember but hard for the hackers to guess. How do you manage that?

“Think of your favorite word and maybe replace some of the letters with numbers or add some exclamation marks or some other characters such as dollars signs in there to break it up,” suggests Michael Green, a vice president at the security software company PC Tools. “If your password were free it could be Fr33.And then complicate it some more with the percentage sign at the end and an ampersand at the beginning.”

&Fr33% is a much more secure than free. It has more characters, upper and lower case letters and symbols.

You can also use a password algorithm. Take a common phrase, such as “This little piggy went to market.” Take the first letter of each word (mix up the case) and make the “to” the number 2. So you might have TLpw2M. Now all you need to do is add an extension. For Facebook it could be TLpw2Mbook. For eBay it could be TLpw2Mbay. And so on. With this system you have a root that’s secure, plus an extension that applies to that specific site.

When building your secure password don’t use phrases or numbers that are relevant to you, such as your home address, phone number or birthday. Don’t use common nouns or common sequences such as abc123 or 654321.

A reality check
Experts say you should use a different password for every site you visit. That way if you’re compromised in one place, you won’t be compromised anywhere else. And that’s sound advice. The more places you use the same password the less secure it becomes. But honestly, most people are not going to do that. Not even the ConsumerMan.

I have about110 accounts that require a user name and password. There is no way I’m going to create a different password for each of these sites. My brain hurts just thinking about that. So I wrote them all down on a piece of paper that I keep in my desk drawer.

CONSUMERMAN TIP: Never keep a list of passwords in your computer where a hacker could get at them.

I also follow the most important security rule: Use different passwords for my e-mail, financial accounts and e-commerce sites. You really want to guard that e-mail password because your e-mail is connected to all of your passwords.

“If someone has access to your e-mail account, they can break into everything you own online,” warns Michael Greene of PC Tools.

You’d be smart to change the passwords on your e-mail and financial accounts every 60 days or so. The longer you keep them, the greater the chance they’ll be compromised.

Yes, passwords are a pain. But for most of us, these little words and good security software are the two most important tools we have to keep the online scammers from making us their next victim.

© 2013  Reprints


Discussion comments


Most active discussions

  1. votes comments
  2. votes comments
  3. votes comments
  4. votes comments

Data: Latest rates in the US

Home equity rates View rates in your area
Home equity type Today +/- Chart
$30K HELOC FICO 3.79%
$30K home equity loan FICO 4.99%
$75K home equity loan FICO 4.69%
Credit card rates View more rates
Card type Today +/- Last Week
Low Interest Cards 13.83%
Cash Back Cards 17.80%
Rewards Cards 17.18%