They form an important part of the suite of measures that you should be using to ensure that your sensitive information and financial details remain secure. However, a password on its own is not enough: it needs to be used in conjunction with other security measures such as anti-virus and anti-spyware products and a firewall.
So, what makes a good password? Having worked in online banking for many years, my tips are as follows:
- Never write down your password, especially in a place that is in close vicinity to your computer.
- Don't use obvious number combinations for PINs, e.g. 1234, or your birthday.
- Similarly, don't use your name or that of a relative, a pet's name, or your favourite sports team or rock band. In other words, avoid words that a fraudster might be able to guess from information he/she has gained about you, whether from social media, a data breach or simply knowing you. (Remember that fraud is sometimes perpetrated by people who are known to the victim.)
- Use a combination of letters and numbers and symbols where this is allowed.
- The longer your password, the more secure it is likely to be. Each extra character multiplies the number of guesses an attacker has to make by the size of the character set, so length buys more than any other single change. (Microsoft provide this guidance: 'Each character that you add to your password increases the protection that it provides many times over. Your passwords should be 8 or more characters in length; 14 characters or longer is ideal.')
- Don't use the same password for all the sites you access. If any one of those sites is breached or is a fake set up to harvest logins, every other account that shares the password is exposed, and it may even breach the terms and conditions of sites that you have registered for. e.g. If a fraudster set up a fake porn site and got you to enter a password, and they then successfully used that password to access and defraud your bank account, then the bank might not feel obliged to provide a refund.
Another thing that you may want to consider is taking two separate words and putting them together, e.g. Car and Spoon for a password of Carspoon. Swapping the o's for zeros to give Carsp00n helps only a little: password-cracking tools apply exactly that kind of substitution as a rule to every dictionary candidate they try, so the attacker's effort goes up by a handful of rules, not by a whole new alphabet. Adding a third or fourth unrelated word does far more. What you're trying to do is to avoid using single dictionary words, or predictable variations of them, that fraudsters can set programs to crack.
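The two points above (that length is what counts, and that joining or disguising dictionary words helps less than it looks) are easier to see with numbers. The following is an added example, not code from the original post: it estimates entropy for a few password schemes and runs a toy "combinator" attack of the kind cracking tools perform, using a constructed six-word dictionary and four mangling rules. The guess rates (10^10 per second offline against a fast unsalted hash, 10 per second against a throttled login form) are assumptions for illustration, not measurements.

```python
import itertools
import math

# --- Entropy estimates -------------------------------------------------------

def random_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` characters drawn uniformly from an alphabet.
    This is the best case: it assumes the characters really are random."""
    return length * math.log2(alphabet_size)

def combinator_entropy_bits(dictionary_size: int, word_count: int, rule_count: int = 1) -> float:
    """Bits of entropy for `word_count` dictionary words joined together, against an
    attacker who knows the scheme and tries `rule_count` mangling rules (o->0 and
    friends) per candidate. Substitutions add only log2(rule_count) bits, not the
    larger alphabet the password visually appears to use."""
    return word_count * math.log2(dictionary_size) + math.log2(rule_count)

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the keyspace is searched."""
    return (2 ** bits) / 2 / guesses_per_second

# --- A toy combinator attack with mangling rules ------------------------------

# Constructed wordlist for the demonstration (a real one has tens of thousands of entries).
WORDS = ["car", "spoon", "dog", "house", "blue", "tree"]

# Rules in the style a cracker applies to every candidate; order matters for the guess count.
RULES = [
    lambda w: w,                                  # as-is:        carspoon
    lambda w: w.capitalize(),                     # capitalised:  Carspoon
    lambda w: w.replace("o", "0"),                # o -> 0:       carsp00n
    lambda w: w.capitalize().replace("o", "0"),   # both:         Carsp00n
]

def guess_number(target: str, words=WORDS, rules=RULES):
    """1-based guess at which a two-word combinator attack produces `target`, or None."""
    n = 0
    for w1, w2 in itertools.product(words, repeat=2):
        base = w1 + w2
        for rule in rules:
            n += 1
            if rule(base) == target:
                return n
    return None

def total_guesses(words=WORDS, rules=RULES) -> int:
    """Size of the whole search space for the toy attack."""
    return len(words) ** 2 * len(rules)

if __name__ == "__main__":
    gpu = 1e10     # assumed: offline attack on a fast, unsalted hash, one GPU
    online = 10    # assumed: online attack throttled by the site
    schemes = [
        ("8 random lowercase letters", random_entropy_bits(8, 26)),
        ("8 random mixed-case + digits", random_entropy_bits(8, 62)),
        ("14 random printable ASCII", random_entropy_bits(14, 95)),
        ("two words from 10,000 + 64 rules", combinator_entropy_bits(10_000, 2, 64)),
        ("four words from 7,776 (diceware)", combinator_entropy_bits(7_776, 4)),
    ]
    for label, bits in schemes:
        print(f"{label:36s} {bits:5.1f} bits  offline {expected_crack_seconds(bits, gpu):.3g}s"
              f"  online {expected_crack_seconds(bits, online):.3g}s")
    print("Carspoon found at guess", guess_number("Carspoon"), "of", total_guesses())
    print("Carsp00n found at guess", guess_number("Carsp00n"), "of", total_guesses())
```

Run as a script it prints the comparison table and shows that Carsp00n falls on guess 8 of 144, two guesses after Carspoon: the zero-for-o trick costs the attacker one extra rule, not a new character class. The entropy figures make the same point at realistic scale, where two words from a 10,000-word list with 64 rules (about 33 bits) sits well below 8 truly random alphanumerics (about 48 bits), and four random words (about 52 bits) beat both.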
Password management is very important too. Change a password promptly whenever you suspect it has been exposed (a phishing attempt you fell for, a breach notice from the site, a shared computer); that limits the damage a fraudster can do with it. Changing passwords on a fixed calendar is less valuable than it once seemed: NIST's SP 800-63B guidance (2017) advises against routine expiry, because people respond with predictable variations of the old password. Many companies nonetheless still require employees to change the password used to log on to work PCs on a monthly basis.
Another good security measure to look out for is sites that only ever ask for a partial PIN or password. If a keylogger, a shoulder-surfer or a fake login page captures one session, the fraudster gets only a few characters rather than the whole secret. Most banks, for example, ask for a partial PIN and/or password, and they normally present advice along the lines of 'Remember that we will never ask you to supply your complete password in order to access our internet banking service; we only ever ask for parts of your password.' That statement gives customers a simple rule for spotting phishing attacks: any page that asks for the whole thing is not the bank. (The trade-off sits on the bank's side: to check individual characters it cannot store a single salted hash of the whole password, so it must protect the stored form some other way.)
Finally, you need to be able to remember the password. I could create a password of, for example, Fp8;73gh91 but my chances of remembering it would be about zero! If you need to write the password down on a sticky note, then that defeats the purpose of it (a reputable password manager is the exception: it lets you use long random passwords like that one without having to remember them). So, creating a good online password is about getting the right balance between usability (will I remember it?) and security (could a fraudster guess it?).
And you may also want to vary the level of complexity that you use depending on the nature of the website. For example, I definitely want a very secure password for my bank's online banking service, but I'm less bothered about an entertainment site (where I haven't had to enter any sensitive information) that sends me updates about gigs!
P.S. Sensitive information is typically seen as information that a fraudster could use to his/her advantage. It includes things such as your date of birth, mother's maiden name, etc. For example, these bits of information may be used by organisations when they're trying to validate that you are who you say you are ... so having them increases the fraudster's chances of impersonating and defrauding you.