The most secure way to access personal, confidential information on computer systems and websites is to use variable passwords, passwords that are only good for a single login, a solution offered by OTPXS™.
However, if the organization you transact with only offers the use of a static, reusable password or Personal Identification Number (PIN), we recommend that you at least observe the following general rules.
Phishing & Spoofing
- Never tell anyone else your password(s) and never write them down
- Make your password at least 6 characters, preferably 8 characters or more
- Where possible use a hard-to-guess combination of letters and numbers and, where recognized, include both upper and lower case letters
- If the authenticating system allows you to, add any other characters you normally find on a keyboard, e.g. punctuation marks and symbols such as +, = etc.
- Avoid using the same password to access different systems and websites
- Change your passwords and PIN codes frequently
- Do not use information that is associated with you, such as a nickname, date of birth, the name of your spouse or pet, etc.
- Avoid using words that can be found in a dictionary
- Make sure your computer has a personal firewall and the most current anti-virus and anti-spyware software (see Resources). Update this software frequently.
- Many websites, including those from financial institutions, offer to "remember" your user ID by placing a login cookie on your computer. This way your user ID will be visible in the login box when you return to the website. A spoof website (see Protect Yourself) will not be able to display your user ID. A word of caution! Never accept an offer to remember you on a public or shared computer! Uncheck the checkbox if a "remember me" option is pre-selected.
- The safest way to get to a website is to type the address (URL) in your browser and then bookmark it.
- Never respond to or click on links in unsolicited emails, especially those that are asking for personal information. Even if you do not provide any information, just clicking could enable criminals to install spyware that will record your keystrokes and capture the user IDs and passwords you use to log in to various websites.
- If you did click on a link in an email and you appear to have arrived on a website from an organization known to you that is asking for personal information, do not provide it. Instead, go to the organization's website by using your bookmark or by typing their website address directly into the browser.
- Financial institutions and many other organizations use secure communication protocols, meaning that all communications between their systems and your computer are encrypted. Use of such protocols is identified by the letters https:// before the URL and a closed lock symbol at the bottom of your browser window. Although this will not provide any protection against key loggers, make sure that the website you are visiting provides secure communications before supplying sensitive personal information. If the website asking for this information does not, use extreme caution.
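The password rules at the top of this list can be checked mechanically before a password is adopted. The following is an added example, not part of the original page: the function name, the tiny word list and the character-substitution table are assumptions made for illustration, and the dictionary check goes slightly beyond the list by also catching words disguised with common substitutions such as @ for a.

```python
import re

# Constructed sample list; a real check would load a full dictionary file.
SAMPLE_WORDS = {"password", "dragon", "monkey", "sunshine", "welcome"}

# Common character substitutions undone before the dictionary check (assumed table).
UNLEET = str.maketrans("013457@$!", "oleastasi")


def check_password(password, personal_info=(), used_elsewhere=(),
                   words=SAMPLE_WORDS, symbols_allowed=True):
    """Return the list of rules the password breaks; an empty list means none."""
    problems = []
    if len(password) < 6:  # 6 is the minimum; 8 or more is preferred
        problems.append("too short")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs letters and numbers")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs upper and lower case")
    # Only enforced when the authenticating system accepts symbols.
    if symbols_allowed and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    # Same password already used for another system or website.
    if password in used_elsewhere:
        problems.append("reused")
    # Compare both the lower-cased password and its de-substituted form.
    lowered = password.lower()
    forms = {lowered, lowered.translate(UNLEET)}
    # Nickname, date of birth, name of spouse or pet, and so on.
    if any(len(p) >= 3 and p.lower() in f for p in personal_info for f in forms):
        problems.append("personal information")
    if any(w in f for w in words for f in forms):
        problems.append("dictionary word")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, for demonstration only.
    for candidate in ("abc12", "P@ssw0rd1", "Rex2011!", "tG7#qLw9zK"):
        print(candidate, check_password(candidate, personal_info=("Rex",)))
```

Rules about never writing passwords down and changing them frequently concern behaviour rather than the password itself, so they are outside what this check can verify.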