1. Use different passwords for different sites

You should have at least 3 different passwords:

1. E-mail Account

This account controls all your other accounts so protect it as much as you can. All other accounts can be accessed or reset if someone has access to your email.

2. Bank/Financial Accounts

These control your money so use a different password for these than for the rest of your accounts. In addition, you may want to keep your credit card account passwords separate from your bank accounts.

3. “Fun” Account

These may not be vital to your survival (unless you are a facebook addict) so a password compromise here may not affect you too much. In addition, these sites may not store your password as securely as the bank accounts so you don’t want this password being the same as the other accounts.

A good way to generate passwords is to contain some sort of “base” and add some prefixes or suffixes to it in order to come up with the password for the various sites. For example, I can have my base password be “orange”. For financial sites my password will be “orangeFIN22″, for my email it will be “orangeE33″, etc. Then you don’t have to remember an entirely different set of passwords yet they are distinct enough to avoid compromising all your accounts with a stolen password.

2. Don’t trust web sites that are able to send you your password over email

If a website is able to tell you what your password is, it means it is storing it in the database as either the password itself or through a transformation that is reversible (a becomes b, b becomes c, ..). This means that the site knows what your password is and can be easily accessed by employees of the site or anyone that has access to the database.

The proper way to handle user passwords is to hash it (one way map) immediately to some obfuscated characters and store those in the database along with an additional field that ensures each row is hashed differently. Then when a user logs in, the site will do this one way map and compare the result against the value in the database; omly if they match is the user logged in.

If you are interested in hashing, take a look at http://bretm.home.comcast.net/~bretm/hash/

In addition, people have come to expect to be able to add you as a friend after they’ve met you and rejecting them may be construed as anti-social. Imagine a recruiter not being able to look at your information on LinkedIn or a potential date not being able to look at your interests or photos on facebook – you will be missing out on opportunities.

How is one supposed to play this game where you want your information both hidden and shared? My solution is to embrace this lack of privacy: integrate yourself into as many social networks as you can, start a blog, post on various forums, publish your photos on Flickr, and so forth. By being famous (if only on the internet) you will eliminate a lot of the adverse effects of having your information public. You will have enough of a community to support you in case anything goes wrong and you can stop worrying about your information being shared.

How often does Bill Gates worry about his identity being stolen?