Managing Online Passwords

Thanks to all of you for the overwhelming response to last Thursday's quest to find suitable names for my abundance of equipment. I will let you know what I've decided on tomorrow...

There's a discussion on WebmasterWorld at the moment about how best to manage multiple passwords. Something I like to think I've got down to a fine art. I have three passwords I use. An easy one, a not so easy one and a very hard one. They are used for sites I don't care about (online newspapers etc), sites I care a little about (notes.net etc) and sites I really need to keep secure (online banking etc) respectively. They are also of increasing complexity and all are mixtures of letters, numbers, uppercase and lowercase.

In only having three passwords the only hard part then becomes remembering the sites I am actually a member of and what username I used. To do this I have a secure Domino database hosted on this server. In it there's a list of sites that records the web address, the username/email address needed to log in with and which password I used (Easy, Medium or Hard). It works for me anyway.

Knowing how best to manage your life online is a case of learning by painful experience. This is especially true of Spam. After 7 years with some sort of email address I think I also have this one under control and hardly get enough Spam to warrant complaining. It's not easy though and it sometimes takes drastic measures like surrendering old addresses. Last week I cancelled a 6 year old Demon SDU account and moved to a .Mac address.

Key to this are a few rules to follow. Never post to newsgroups and never give your address to sites that you don't trust or don't really feel the need to be kept in touch with. Instead use a throwaway account. I have two. One with Hotmail and one with Yahoo. The Hotmail account I never check and the Yahoo account I check every week or so. Give these addresses to those sites that insist you tell them your email address when there is no reason whatsoever they need it.

Later: I just remembered something that happened last year. A company we've probably all heard of leaked addresses to spammers. Which just goes to show, you really can't trust anybody. For a week or so I was receiving the most offensive of Spam offering underage p0rn about two or three times a day. For the last nine months or so I've been having these mails automatically redirected to their CEO's address.

It turned out that, apparently, their SMTP server had a trojan virus that was intercepting all outgoing mail and recording the addresses. Whatever the reason I hold them fully responsible and am not afraid to say so. They said the CEO was going to issue an apology. I never saw it. I think I was the only one who noticed!

Comments

    • Tom Quinn
    • Sun 2 Nov 2003 08:44

    I use whisper {Link} and just keep my whisper file centrally so I can grab it from whichever client site I happen to be working at. I also have a throwaway account but tend to just put the email address abc@xyz.com for those sites who *should not* require an email address. I also actively block cookies as well now - which is a real pain but hopefully worth it long term.

    tq

    • Ken M
    • Sun 2 Nov 2003 08:52

    You can go a step further with your userid and password database by adding a quick agent that creates a simple HTML form with a post action, which will automatically log you in. You can then save this HTML form in your secure db, thus creating a secure 'favorites' db.

    I use this method when testing multiple users with multiple passwords, that way I don't have to look up users and passwords all the time.

    If anyone is interested, the agent is very simple and I can post the code.

    • Jake
    • Sun 2 Nov 2003 08:58

    Tom, thanks for the link. Problem with this is file management and sharing it with more than one computer/location.

    Also, if you use abc@xyz.com you have to consider that some poor soul actually owns xyz.com and will have to suffer your mail. If you really don't want to use your own address use Privacy.net Stealth Addresses.

    Ken. Good idea. Send me the code and I'll see what we can do with that and the DB I already have. Will release it to all then...

  1. I've always used abuse@domain.com...

    meaning if I'm at codestore.net and you ask me for my email address for no reason, I'm using abuse@codestore.net.

    Let them deal with it! If it nondels so be it, if it routes then right back at ya!

  2. ThinkGeek.com has a handy little gadget you might want to try out:

    www.thinkgeek.com/gadgets/security/5a60/

    Helps you keep those passwords in check.. everywhere you go.

  3. Having your own domain is a handy thing. I always enter an email address on most websites. But I always make up the address so it contains a reference to the site that I am entering the address at.

    If I'm expecting the site to email me then I can still collect the message from my held queue. But if I start getting junk mail then I can tell which site gave away my address.

  4. Additionally... I configure my host to bounce any messages NOT to a valid address.. no 'catch all' account for me.

    SpamAssassin is the best spam measure I have found yet...
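As an added example (not code from the post or any commenter), the site-tagged address scheme from the comment above worked through in Python: a registry of the tags handed out and which site got each, a classifier that bounces anything not in the registry (no catch-all) and flags a known tag arriving from any sender other than its site as a leak, and a report run over constructed log lines. MY_DOMAIN, the registry contents and the sample traffic are assumptions.

```python
import re
from collections import defaultdict

MY_DOMAIN = "example.org"  # assumption: the domain that hosts your tagged addresses
# Tags handed out, and the site each tag was given to (constructed sample data).
REGISTRY = {"alpha-news": "alpha-news.example", "beta-shop": "beta-shop.example"}
ADDR_RE = re.compile(r"^([a-z0-9.-]+)@([a-z0-9.-]+)$", re.I)

def parse_addr(addr):
    """Return (localpart, domain) lowercased, or None if malformed."""
    m = ADDR_RE.match(addr.strip())
    return (m.group(1).lower(), m.group(2).lower()) if m else None

def classify(sender, recipient):
    """Classify one inbound message as ("bounce", None), ("deliver", site) or
    ("leaked", site). Unknown tags bounce (no catch-all); a known tag arriving
    from any sender other than the site it was given to shows that site leaked it."""
    to = parse_addr(recipient)
    if to is None or to[1] != MY_DOMAIN or to[0] not in REGISTRY:
        return ("bounce", None)
    site = REGISTRY[to[0]]
    frm = parse_addr(sender)
    if frm and (frm[1] == site or frm[1].endswith("." + site)):
        return ("deliver", site)
    return ("leaked", site)

def leak_report(log_lines):
    """Summarise 'sender -> recipient' log lines: per-site counts plus
    the list of recipients that would have been bounced."""
    report = defaultdict(lambda: {"deliver": 0, "leaked": 0})
    bounced = []
    for line in log_lines:
        sender, _, recipient = line.partition("->")
        action, site = classify(sender, recipient)
        if action == "bounce":
            bounced.append(recipient.strip())
        else:
            report[site][action] += 1
    return dict(report), bounced

# Constructed sample traffic: the beta-shop tag turns up from a bulk sender.
SAMPLE_LOG = [
    "newsletter@alpha-news.example -> alpha-news@example.org",
    "orders@beta-shop.example -> beta-shop@example.org",
    "promo@bulk-sender.example -> beta-shop@example.org",
    "promo@bulk-sender.example -> beta-shop@example.org",
    "anyone@bulk-sender.example -> sales@example.org",
]
```

Running `leak_report(SAMPLE_LOG)` attributes the two bulk-sender messages to beta-shop and lists the untagged sales@ address as bounced.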

    • Mike Werner
    • Sun 2 Nov 2003 11:10

    Hi Jake,

    Another thing you can do to keep track of your passwords while not at your desk is sync your Notes database with a PDA. I do it with a Palm, and have the important entries marked 'Private'. That means unless I put in the Palm's master password, they are hidden. It's great to keep all important data with you (credit card numbers, passport number, etc etc).

    • d ritch
    • Sun 2 Nov 2003 11:11

    << To do this I have a secure Domino database hosted on this server >>

    For pete's sake, Jake! Probably not the best idea to advertise this bit of info, even if you believe it is 100% secure.

    And not to turn this into a full-fledged discussion board, but since we're on the topic: one big spam magnet I found out about the hard way was posting my resume to online boards such as Monster, etc. Immediately (literally, within a day) upon said postings about 1 year ago, my hotmail account that I use this for now gets about 90% spam (including various flavors of porno spams, as well as the typical mortgage, credit card, viagra, etc.). What do you do about resume-posting-induced spam?

    • Tone
    • Sun 2 Nov 2003 11:22

    Some web applications force me to use an email address that I can actually get at the emails to, by sending my first password to that address. I use throwaway accounts for this, or my "don't give a clang" account: tonywalters@totalise.co.uk. I clear out the reams of spam this one takes once every couple of months. My browngirl one (this one) is my proper one, but I've still managed to end up getting SOME spam to it, about one spammail a day on average.

    I use privacy.net addresses for logging onto or entering my password onto apps that I don't need to use a valid address on.

    Before I knew about privacy.net, I was guilty of using fake ones I'd made up. Like Jake says, it's a bit unfair on whoever owns the domain you use. I used to use dave@dave.com, or dave@dave.dave for web applications without validation of TLDs. For those that wouldn't accept a .dave TLD I did use dave.com. I apologise for this.

    Another one was arse@arse.com. I apologise for this too. Although I suspect it's just a porn site anyway, I can't remember checking and can't access porn from work (ahem, not that I want to).

    When I get spam from addresses that are actually real addresses, I have sometimes stung them back by using their real address to register with apps I don't trust. What goes around comes around.

    Jake once blogged or wrote an article suggesting the possibility of using an address @ thedomainname.com, where thedomainname.com is the domain name of the application you're registering with. This means that they get their own spam straight back, which also amused me as a concept.

  5. Never post to newsgroups??? - poor usenet, what did it ever do to you???

    More appropriate advice would be to suggest that a fake email address is used (eg, buggeroffspammers@diespammers.com) - having a real address and allowing people to discuss things off line defeats the purpose of usenet in the first place anyway.

    • Jake
    • Sun 2 Nov 2003 12:42

    Okay, the "don't post to NGs" advice was wrong.

    What you should do is setup your newsreader to post with a reply address of something like:

    jakeREMOVETHIShowlett@hotmail.com or

    jake@REMOVETHIScodestore.net or whatever...

    • Colin Williams
    • Sun 2 Nov 2003 14:54

    Jake - sadly this doesn't work all that well these days - the bots that gather email addresses from news posts do just that - REMOVETHIS to find the real address!

    Others suggest 'name at domain.com' but those pesky bots just fix that one too. I've recently seen people on usenet redirecting people to a web based form for comment submissions, not unlike this site...which reminds me, I need to do this on my own blog instead of publishing my email address - too late, the spam has started already *groan*!

  6. But what about ordinary websites? Loads of people have just posted their email addresses here in the comments form.

    One quick spider of the entire site would more than likely get me a good few addresses. What do you do in that case.. No more comments for Jake or leave out the email address. Why is Jake asking for them in the first place? Is he not guilty of asking people to break his own rules... ( ok I know it's not mandatory but why ask in the first place )

    • Jake
    • Sun 2 Nov 2003 16:19

    Colin. They can't deal with everything. So you just as easily make it jakeHATESSPAMSODELETEALLUPPERCASELETTERS@codestore.net or whatever. Their Bots are only so clever.

    Declan. The reason I give people the *option* to leave their address is too obvious for me to bother explaining it. In a word - colloboration.

    I take my readers' privacy very seriously. Email addresses are displayed with some measures taken to prevent spambots being able to read them. Not 100% foolproof but then what is. View source to see what I mean...

  7. Personally I no longer get any spam. Why? Because I now have a Notes/Domino based filter that catches it all.

    Coming soon to a certain webblog near you.

    • Chris Melikian
    • Tue 2 Dec 2003 02:33

    I've used SpamCop for about 5 months now and find it's brought the number of spams down from 30+ to 2 a day. It's completely server-side, independent of my mail provider and only costs 30USD a year.

    I have 2 POP accounts, one public, one private. SpamCop pulls the mail from the public account, filters it and then auto-forwards it on to my private account which I access. My mail client is set up to show only the public mail account so no spammer will ever know the details of my hidden account!

    • Fabrice P.
    • Tue 2 Dec 2003 03:49

    "Colin. They can't deal with everything. So you just as easily make it jakeHATESSPAMSODELETEALLUPPERCASELETTERS@codestore.net or whatever. Their Bots are only so clever."

    Hi,

    I have had a lot of pbs with spam in the past because I put my email address every time "they" ask me. Now, I don't use this email address anymore, because I get about 5 spams (or virus mails) a day.

    I have used the technique above (e.g. fabrice@IFUCKTHESPAM!!!foo.com - remove slang before using this email...) for 7 months now and my new email address is available at the bottom of all pages of my website.

    BUT, I get absolutely NO spam at all on this email, so this technique seems to be a good and simple choice.

    By the way, I have another "public" email on Yahoo, and I get very little spam since they have installed a powerful (I think) spam filter.

    Regards from Paris,

    Fabrice

    • Brandon Z
    • Tue 2 Dec 2003 07:55

    Yeah, I have a .mac address for my private trusted e-mail too, but the problem is that a friend who uses a PC (recipe for disaster) got an Outlook virus (surprise, surprise!) and so I've gotten tons of spam anyway. (She had to have her son drive back home from college to clean it up for her, so we'll see if it goes away or if my address was leaked in the process.)

    Also, I've used my check-once-a-week address here and told people to put 'codestore' in the subject line to avoid getting things filtered. Well, apparently there are people who manually mine addresses, because I've started getting spam at that address with 'codestore' in the subject.

    I wonder when it will be time for wholesale vigilantism against spammers. The problem with that, of course, is that they may be mafia connected (or at least one major spammer in my area who has gotten slashdot and Detroit newspaper coverage has implied something like that in his threats to the photographer who tried getting pictures of his house). So any attempts to cut their lines and take down their servers could result in bloody retribution.

    So the solution, then, is probably better protocols that make spoofing nearly impossible. (Perhaps everyone should just switch to Domino for e-mail.)

    • Tone
    • Tue 2 Dec 2003 08:17

    "In a word - colloboration"

    That ISN'T a word, is it?

  8. Re. spam, I agree with Chris Melikian in his post. I used to use all kinds of address munging techniques, but I now prefer to leave all addresses open, and use the SpamCop filter (spamcop.net) in a Forwarding configuration (I have quite a few domains).

    It does a pretty good job, but I think the real benefit is that it works on two levels. Not only do the vast majority of spams get "held", but you can also make use of their sophisticated reporting tools. The goal is to get open relays blacklisted, spams flagged in a database, and domain admins notified.

    I think the benefit here is that you treat the problem on both levels... making it hard for the spammers to do it, and removing the crap from your inbox.

About This Page

Written by Jake Howlett on Tue 11 Feb 2003
