Online shopping and bill-paying are convenient. Keeping track of a dozen complex passwords, on the other hand, is the digital equivalent of herding squirrels. Here to help is Chris Trautwein, chief information security officer for (ISC)2, a nonprofit that educates and certifies information security professionals. Before we explore his three recommended approaches, let's get his least favorite out of the way: using the same password for all your accounts. Trautwein gives the popular one-person, one-password approach a devastating zero out of four stars. If hackers get that one password, they get them all. Don't do it. Here, then, are Trautwein's favorite strategies. Degree of difficulty: easy. If you can handle a desk calendar, you can do this.
It's in the vault
Trautwein says the most secure approach is password vaulting, in which you choose a master password that gives you access to an encrypted database containing all of your other passwords. Popular vaults include KeePass (keepass.info), which is available as a free download, 1Password (agilebits.com/onepassword) and RoboForm (roboform.com).
Many vaults can automatically fill in your password information when you're online, meaning that you only have to remember one (master) password.
Trautwein says he doesn't endorse any particular product, but, overall, he gives the vault approach four out of four stars for security.
Keep a list
Another popular approach is the password-protected Microsoft Word document or Excel spreadsheet, which gets three out of four stars from Trautwein. This option isn't as good as a vault, he says, but it's better than just about everything else. To create a password-protected Word document, go to the Word menu and look for options such as "information protected document" and "encrypt with password."
The old-fashioned offline approach — a sheet of paper that lists all of your passwords — gets anywhere from two to four stars from Trautwein, depending on who is using it. If you're a college student living in a dormitory with a lot of people who may have access to your room, keeping a paper record of your passwords isn't a good idea, he says.
But if you live in your own home with a trusted significant other, paper can be a three- or four-star solution. Make an unlabeled list with your accounts and your passwords and put it somewhere secure, such as a safe or an unlabeled folder in a file cabinet.
Whichever approach you take, Trautwein wants you to consider these tips:
• Choose passwords of eight characters or more, each with upper and lower case letters, at least one number and at least one special sign (%,$).
• Change your passwords every 90 days.
• The safest passwords don't contain words, which are vulnerable to hackers using tools that churn through every word in the dictionary.
To make passwords more manageable, consider using a phrase as your starting point, he says. For instance, a Detroit Tigers fan might start with the phrase "Miguel Cabrera was the MVP," then take the first letter of each word (capitalizing where appropriate) to come up with MCwtMVP. Add a jersey number and a special sign and you have MCwtMVP.24.