Tech Lab

Simple services let you keep Web passwords safe

By Hiawatha Bray
September 25, 2008

We've never met, but I already know you're a lot like Sarah Palin.

You're not the Republican vice presidential candidate and the governor of Alaska, but you've almost certainly got a free Web-based e-mail address, one of the millions doled out by Yahoo Inc., Google Inc., Microsoft Corp., and many other Internet companies.

Palin relied on Yahoo mail, and look where it got her. Last week, a clever hacker figured out a way to reset her password, giving him complete access to her mailbox. Granted, the contents were hardly scandalous, but it's the principle of the thing. The security breach was especially galling because so many people use Web-based e-mail accounts as digital attics. We e-mail ourselves documents and photos we can't afford to lose, trusting that Yahoo or Google or Microsoft will keep them secure.

So much for that fantasy, especially since most people choose passwords that are all too easy to steal. According to Sophos Inc., a data security firm in Boston, 41 percent of people use the same password at every site they visit. If a bad guy guesses his way into your Yahoo account, your online bank account may be next.

But passwords can be an effective security measure, if you follow three rules. First, pick bizarre passwords, like "q09jcxdtb4" - something nearly impossible to remember. Next, use a different, equally bizarre password for each online account. And finally, don't write them down - memorize them all.

Impossible, of course. Unless you use a product or service that stores your gibberish passwords in one location. Then you only need to memorize one of them - the master password that unlocks all the others.

There are plenty of products that will do this work for you. Perhaps the best-known is RoboForm from Siber Systems Inc. It's software that creates a kind of digital safe on a computer. Set it up, then type in the user names and passwords for your favorite websites. Now you can give these sites the most incomprehensible passwords possible, because RoboForm will remember each one and automatically type it in at a password prompt. If your imagination fails, RoboForm will generate dreadful new passwords that nobody could possibly guess. RoboForm sells for $30 at www.roboform.com. A free version can be downloaded, but it's limited to 10 passwords.

But what if you're on the road, logging in on someone else's computer? A version called RoboForm2Go installs on a USB thumb drive. Plug it into a PC, and the software fires up and provides your passwords. Alas, the USB version runs only on Windows PCs, not Apple Macintosh or Linux computers. Besides, many businesses block access to their computers' USB ports as a security precaution, so RoboForm2Go may not work at, say, a public library.

So if you're traveling, you might prefer an online password storage system. There's a versatile and powerful one at www.passpack.com. The free service, run by a firm in Italy, offers an almost obsessive level of security. It requires a very long password to set up an account - Passpack suggests you use a complete sentence, like "What time is it in Rome?" Users must create a second sentence to unlock the online password stash. There, you can punch in an unlimited number of passwords, and access them online. There's also a program that stores a backup copy of the passwords on your personal computer.

By the way, if you forget the RoboForm or Passpack master passwords, you're hosed. There's no way either company can retrieve them. And while Passpack vows to store your data in encrypted form so not even the company can read it, you're still taking a risk by putting passwords online. If a bad guy cracks their system, there's always a chance they will find a way to read your data. With RoboForm, you hang onto your data, making it the more secure choice.

While secure password storage is a good idea, it wouldn't have saved Palin's e-mail account. The bad guy tricked Yahoo into letting him change her password. It's so easy, any of us could do it.

First, enter the victim's Yahoo username - it was the dead-obvious "gov.palin." Next, ask Yahoo for a new password for the account. Yahoo asks a "secret question" to verify your identity - in this case, where Palin met her husband, a fact widely reported in the press. Once the hacker typed the answer, Yahoo let him create a new password and take control of the mailbox.

Yahoo's password reset system is easy to game, because its secret questions are too simple - what was your high school mascot or your favorite sports team, for instance. A diligent bad guy can easily guess such stuff, or even find it through a Google search. Speaking of Google, its Gmail system is better than Yahoo e-mail, because it uses tougher questions, such as a library card number. Gmail also lets you make up a personalized secret question, like the names of Uncle Bob's rottweilers. This means that with a little effort you can make your Gmail account more secure than Yahoo e-mail.

But you can upgrade password security at many sites by following this cynical suggestion from Sophos chief technology consultant Graham Cluley: Always answer secret questions with lies.

Your mother's maiden name is a matter of public record. If a site asks for it, don't tell the truth; type in Mahmoud Ahmadinejad. Or if it asks the name of your first school, say it was Sing Sing prison. Precisely because these answers are so absurd, no hacker will ever guess them. And with a few keystrokes, you'll have made your online accounts far more secure than Governor Palin's.
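As an added example (not part of the column, and not code from RoboForm or Passpack), here is a small Python sketch of the column's advice: random per-site passwords, random "lie" answers to secret questions, a reuse check for the habit Sophos measured, and a guess-count comparison showing why a public-fact answer such as a school mascot is weak. The word list, candidate counts and vault record format are constructed for the example.

```python
# Added example: the column's three rules as code, plus a check for reuse.
import math
import secrets
import string

PASSWORD_ALPHABET = string.ascii_letters + string.digits
# Constructed word list for the demo; a real vault would use thousands of words.
WORDS = ["rottweiler", "lantern", "basalt", "quartz", "harbor", "meadow",
         "velvet", "copper", "saffron", "thistle", "glacier", "ember"]


def random_password(length: int = 12) -> str:
    """A 'bizarre' per-site password like the column's q09jcxdtb4.
    secrets (not random) gives characters suitable for security use."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def fake_secret_answer(words: int = 3) -> str:
    """A 'lie' for a secret question: random words instead of a public fact
    such as a maiden name or a high-school mascot."""
    return " ".join(secrets.choice(WORDS) for _ in range(words))


def guess_bits(candidates: int) -> float:
    """Bits of work when the attacker knows the answer is one of
    `candidates` values (e.g. a few hundred common mascots)."""
    return math.log2(candidates)


def password_bits(length: int, alphabet_size: int = len(PASSWORD_ALPHABET)) -> float:
    """Bits of work for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def fake_answer_bits(words: int, wordlist_size: int = len(WORDS)) -> float:
    """Bits of work for a random-word secret answer."""
    return words * math.log2(wordlist_size)


def vault_entry(site: str) -> dict:
    """One password-manager record (constructed format): unique password
    and unique secret answer per site, so one breach cannot be replayed."""
    return {"site": site, "password": random_password(),
            "secret_answer": fake_secret_answer()}


def reused_passwords(entries: list) -> dict:
    """Flag the habit Sophos measured: one password shared by several sites."""
    by_password: dict = {}
    for entry in entries:
        by_password.setdefault(entry["password"], []).append(entry["site"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}
```

Run `reused_passwords` over an exported vault to find the sites that still share a password; the bit counts show a 200-way mascot guess costs under 8 bits of effort versus about 60 for a 10-character random password.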

Hiawatha Bray can be reached at bray@globe.com.
