 By ARUN MARBALLI 
	    
Last month, I addressed how we should mold our online behavior to 
avoid the numerous cyber-mines we encounter during our passage 
through e-mail and Internet wonderland. This month, I want to touch on 
a topic that I believe is extremely important from the security and 
safety point of view: identity management. 
In these days of rampant identity theft, it is important to recognize 
that our online identity is comprised of one or more usernames and the 
associated passwords. Over the last year or so, the number of Web sites 
that require a sign-in has steadily increased. The sign-in requirement 
has major marketing implications for these Web sites since they now 
have an audit trail of who visits their site and which pages they 
view, not to speak of the resulting perception of security. The 
imposition of a username and password is in itself not a bad thing, but 
when you have 10 to 15 (possibly more) sets of usernames and passwords, 
it becomes somewhat unwieldy and unmanageable. How then can we make 
this easier and less confusing? It is easy to standardize on the 
username since many Web sites make it convenient by forcing the 
username to be our e-mail address. Other sites allow us the flexibility 
to set up a username of our choice, and for these the left side of the 
e-mail address is one idea. It is a good idea to employ the same 
username in all places as far as possible since this eliminates any 
guesswork. 
If you think of the username as a locked door, the password is then the 
key for that locked door. The level of secrecy typically associated 
with the username is not high. The password, on the other hand, is 
another story entirely. We want our "key" to be confidential, as 
difficult to copy as possible and impossible to guess. In general, 
passwords should be at least 6 characters in length and a mix of 
uppercase and lowercase letters as well as numbers. Use of special 
characters such as !, $ and # (if allowed) makes the password more 
difficult to guess. We should never use names, birthdays or birth-signs 
in the passwords by themselves; they are too easy to guess. 
A good tactic for constructing a password is to write a sentence 
containing six to 10 words and numbers. If possible, include some 
proper nouns as well. Consider the following example: "My daughter 
Roshni was born in 1991." Now, using the first letter of each word and 
the number as is, we can generate a password, "MdRwbi1991", a 
completely unintelligible string of characters and impossible to guess. 
To remember it, all you have to do is commit to memory the sentence 
that means something only to you. The idea is simple; the possibilities 
are endless. 
Now, should we use the same password for accessing all Web sites that 
need a username and password? Most certainly not! One strategy is to 
group the Web sites according to their sensitivity into three groups. 
The highly sensitive ones such as banks, employment records, retirement 
accounts, investments and brokerage accounts I include in Group 1. 
E-mail accounts, health insurance and credit cards I include in Group 
2. All other miscellaneous Web sites that we go to such as retailers, 
travel sites and the like I include in Group 3. Set up a separate 
password as indicated above for each Web site group. Another strategy 
is to adopt a scheme such as including the first three letters of the 
Web site address (following the www) as the last three characters of the 
password we generate with a sentence as described above, thus literally 
establishing a separate password for each Web site. 
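
The sentence method and the per-site suffix scheme described above, written out as a short Python sketch. This is an added example, not part of the original column; the function names and the two site addresses are constructed for illustration.

```python
import re
from urllib.parse import urlparse

def sentence_to_password(sentence):
    """First letter of each word, numbers kept whole (the column's rule)."""
    tokens = re.findall(r"[A-Za-z][A-Za-z']*|\d+", sentence)
    return "".join(t if t.isdigit() else t[0] for t in tokens)

def site_suffix(address):
    """First three letters of the site address, ignoring a leading 'www.'."""
    if "//" not in address:
        address = "//" + address           # let urlparse see a bare host name
    host = urlparse(address).hostname or ""
    if host.startswith("www."):
        host = host[4:]
    letters = re.sub(r"[^a-z]", "", host)  # hostname is already lower-cased
    if len(letters) < 3:
        raise ValueError("address has fewer than three letters: %r" % address)
    return letters[:3]

def per_site_password(sentence, address):
    """Sentence-derived base with the site's three letters appended."""
    return sentence_to_password(sentence) + site_suffix(address)

def check_guidelines(password):
    """The column's composition rules; special characters are optional there."""
    return {
        "at least 6 characters": len(password) >= 6,
        "uppercase letter": any(c.isupper() for c in password),
        "lowercase letter": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
    }

if __name__ == "__main__":
    sentence = "My daughter Roshni was born in 1991."  # the column's sentence
    base = sentence_to_password(sentence)
    print(base, check_guidelines(base))
    # Constructed site addresses, not taken from the column.
    for site in ("www.examplebank.com", "https://www.travel-deals.example/login"):
        print(site, "->", per_site_password(sentence, site))
```
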
These are general guidelines for managing our identity in the online 
world. You can creatively adapt these to fit your needs.
 
Arun Marballi has worked in the Information Technology arena for more than 20 years with extensive experience in software development, process design and network/workstation management. For comments, questions, tips or suggestions, e-mail [email protected].
 
 Contact Information
 Anything that appears in Khaas Baat cannot be reproduced, whether wholly or in part, without permission. Opinions expressed by Khaas Baat contributors are their own and do not reflect the publisher's opinion. The Editor: [email protected] Advertising: [email protected] Webmaster: [email protected] Send mail to [email protected] with questions or comments about this web site. Copyright © 2004 Khaas Baat. 
 Khaas Baat reserves the right to edit and/or reject any advertising. Khaas Baat is not responsible for errors in advertising or for the validity of any claims made by its advertisers. Khaas Baat is published by Khaas Baat Communications. 