A fistful of passwords
Tuesday, September 18, 2007
I was reading with interest an article on Coding Horror about how people freely pass around usernames and passwords on the internet. The author, Jeff, used the example of Facebook which offers to search your email address book to see if any of your contacts are also on Facebook. The only snag is that you have to give Facebook your email address password.

I have to admit that I have done this once in the past when I was setting up my Facebook account - but I immediately changed the email password afterwards. I'm afraid I don't trust other websites with my passwords, no matter how trustworthy they claim to be. Maybe I'm just paranoid but I always have this "Big Brother" mentality (from 1984, not the stupid TV programme!) that my usernames and passwords are being collected in some huge central database for nefarious purposes.

So although I have used Facebook's service and others like it, I have always changed the passwords afterwards. You should too. It pays to be suspicious.

I'm not sure though about the merits of a centralised log-in system to do away with all the various log-ins that we currently have. Microsoft tried it with their now-defunct Passport system (now resurrected as Windows Live ID) but probably flunked because no-one wanted to trust Microsoft with that much sensitive information. The whole concept would collapse due to an issue of trust - who would run such a centralised system and can we trust them not to abuse it? I for one would be extremely hesitant to participate. I'd rather keep my encrypted password folder.



posted by Mark @ 5:32 PM   0 comments
Password sniffers
Friday, June 22, 2007
I've just had to spend the last hour changing all my passwords and encrypting them into my TrueCrypt vault, after multiple attempts were made by persons unknown to gain access to my email account, my bank account and my web hosting account. I've also had to stop using my public email address for all the various online services that I use, since using my public email address for signing in gives a potential hacker one foot in the door. If they know the email address then all they need is the password. But if I keep the sign-in email address secret then they have to find that out too which makes things a lot harder for them. Not impossible of course but one extra hoop for them to jump through.

I found out about the hacking attempts this evening when I logged onto my email and discovered emails from the various services saying there had been unsuccessful log-on attempts. PayPal in particular is very good about sending out these kinds of notifications. Knowing that I didn't have any password problems (plus I had been out of the house for the previous couple of hours), I knew that I had been the target of a hacker, or as I call them, "password sniffers". I also have other names for them but I'm trying to keep this blog suitable for all ages.

So the first thing I did was review my passwords, and looking at them I realised that they weren't really that secure. OK, I'm not stupid enough to use "PASSWORD" or "MARK", but at the same time a determined dictionary brute-force attack would have got the passwords in the end. That's when I realised that I needed to secure the various online services with long, unbreakable password strings. This includes:

  • Letters - both upper-case and lower-case
  • Numbers
  • Special characters such as @ ! " # + ?
  • A minimum of 20 characters, but if you must make it shorter than that, no fewer than 15 characters.
  • No connection whatsoever to any personal detail of your life - so no birthdays, pet names, street names, names of your first sweetheart, anything like that. Keep the password totally impersonal.
  • Changing the passwords every 30 days.

So a good password would be something like !$!@yStP5x@u1P!QD2!5
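As an added example (not code from the original post), the rules listed above turned into a small Python script: it generates a password of the required length with every character class present, and checks any candidate against the length, character-class and "no personal detail" rules. The special-character set and the personal-word list are assumptions chosen for illustration; the 30-day rotation rule is a process rule and is not coded.

```python
import math
import secrets
import string

# Character classes from the post's list; the special set extends the examples
# given there (@ ! " # + ?) and is an assumption, not the post's exact set.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = '@!"#+?$%&*-_=.'
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL


def check_password(pw, personal_words=(), minimum=20, absolute_minimum=15):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < absolute_minimum:
        problems.append(f"shorter than the hard minimum of {absolute_minimum}")
    elif len(pw) < minimum:
        problems.append(f"shorter than the recommended {minimum}")
    if not any(c in UPPER for c in pw):
        problems.append("no upper-case letter")
    if not any(c in LOWER for c in pw):
        problems.append("no lower-case letter")
    if not any(c in DIGITS for c in pw):
        problems.append("no digit")
    if not any(c in SPECIAL for c in pw):
        problems.append("no special character")
    lowered = pw.lower()  # case-insensitive match against birthdays, pet names etc.
    for word in personal_words:
        if len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains personal detail {word!r}")
    return problems


def generate_password(length=20):
    """Generate a random password using the OS CSPRNG (secrets), not random.choice."""
    if length < 15:
        raise ValueError("the post's hard minimum is 15 characters")
    # One character from each class guarantees coverage; the rest come from the full alphabet.
    chars = [secrets.choice(UPPER), secrets.choice(LOWER),
             secrets.choice(DIGITS), secrets.choice(SPECIAL)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
    # Fisher-Yates shuffle driven by secrets, so the guaranteed characters are not at fixed positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on guessing entropy for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)
```

Running `check_password("!$!@yStP5x@u1P!QD2!5")` on the post's own example returns an empty list, while an 8-character name-plus-year password fails several rules at once.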

If you have to type the passwords into a text file or Word document then make sure you have some kind of encryption scheme in place so the password file can't be cracked. TrueCrypt is excellent but a simpler solution would be Locknote.

If anybody hacks a password like !$!@yStP5x@u1P!QD2!5 then they deserve a job at the National Security Agency.



posted by Mark @ 1:03 AM   0 comments
Cracking PDF file passwords
Tuesday, June 05, 2007
One of the drawbacks of getting all techno and assigning encrypted passwords to your files is that you have to remember those passwords if you ever want to reverse the encryption in the future. Since my memory sucks and writing down the passwords kind of defeats the whole purpose of encryption in the first place, I often find myself up the creek without a paddle.

I unearthed an old work-related Adobe PDF file today which I had originally sent to someone else and before sending it, I disabled features such as "extract pages" and I slapped a password on it so the other person couldn't reverse the disabled features. But 9 months on, my Swiss cheese brain has totally forgotten the password I used and so I had to go searching online for a PDF password cracker.

The best one seems to be Crack PDF which is free to try out but it's $25 for the full version. I installed the trial version and stunningly, the password was cracked and erased in seconds! So the program certainly seems to know how to do its job!

The only drawback is that it doesn't reveal what the password was. It just disables the password and erases it. But that's fine.

If you're looking for a PDF password cracker, Crack PDF is definitely worth a look.



posted by Mark @ 5:33 PM   0 comments
Camelot Online & Mark O'Neill 2006-2007