People rely on computers more than ever and are using them to manage finances and sensitive information. Although many internet sites are implementing features to protect us, unless certain basic precautions (such as changing passwords and keeping our passwords updated) are adhered to, their efforts are greatly undermined. I am trying to come up with some reasonable practices to protect myself an extra degree. I have drafted out some personal practices roughly based on the U.S. Government’s definitions of the different levels of classified information:
Top Secret
All data (the entire drive) is encrypted with a high level of encryption (private key with pass phrase; keys and pass phrases are periodically rotated). In no way is the computer networked. All deleted data and swap files are wiped with 30 passes. Physical security preferred. Make no paper copies of information.
Secret
Sensitive data is stored on encrypted partition. Password protected, passwords periodically rotated. Data may be stored on portable devices and devices may be networked.
Confidential
Data on publicly accessible (Internet) servers, password protected and passwords periodically rotated. Servers are to only be accessed through channels known to be encrypted. Do not use public terminals or hot spots. All email with confidential information should be encrypted using public key encryption.
Restricted
On publicly accessible servers, sites do not provide an option for encrypted channels but are password protected. These sites should only be accessed from networks that are likely secure. Due to the nature of possible password interception, passwords are to be frequently changed.
Unclassified
Any publicly published information, not protected in any way.
General Habits: Under no circumstances duplicate passwords between levels; reusing passwords on the same level is acceptable. Avoid using public terminals and hot spots. Only use secure passwords (long, symbols and numbers, capital and lowercase) and don’t choose the option to “save passwords” unless you know that the passwords are encrypted, and then only at “Restricted” and below. Always keep the operating system and anti-virus updated with latest material from vendors.
Using this system you should only have to know at the most three passwords and two pass phrases at any given time (and maybe 2 PINs (Voicemail and Debit Card)). I would think most people probably don’t even have anything they would need to keep ‘Top Secret.’ And one can enumerate their own information and accounts and decide what belongs in each level. I’d be interested if anyone would suggest any changes?
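As an added illustration (not part of the post above), the two checkable rules from the "General Habits" section can be turned into a small audit: no password may be shared between two classification levels, and every password must meet the stated complexity rule. The minimum length of 12 is an assumption, since the post only says "long"; the account list is constructed sample data.

```python
import string
from collections import defaultdict

# Classification levels from the post, highest to lowest.
LEVELS = ["Top Secret", "Secret", "Confidential", "Restricted", "Unclassified"]

def is_strong(password, min_len=12):
    """Post's rule: long, with symbols, numbers, capitals and lowercase.
    min_len=12 is an assumption; the post gives no number."""
    return (len(password) >= min_len
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

def audit(accounts):
    """accounts: list of (account_name, level, password).
    Returns a list of findings; reuse within one level is allowed,
    reuse across levels and weak passwords are reported."""
    findings = []
    levels_by_password = defaultdict(set)
    for name, level, password in accounts:
        if level not in LEVELS:
            raise ValueError(f"unknown level for {name}: {level}")
        if not is_strong(password):
            findings.append(f"weak password: {name}")
        levels_by_password[password].add(level)
    for levels in levels_by_password.values():
        if len(levels) > 1:  # the post forbids exactly this
            ordered = sorted(levels, key=LEVELS.index)
            findings.append("password shared across levels: " + ", ".join(ordered))
    return findings

# Constructed sample inventory, not real credentials.
SAMPLE_ACCOUNTS = [
    ("bank",  "Secret",       "Tr0ub4dor&3xample!"),
    ("email", "Confidential", "Tr0ub4dor&3xample!"),  # cross-level reuse
    ("forum", "Restricted",   "Correct-Horse-99"),
    ("news",  "Restricted",   "Correct-Horse-99"),    # same level: allowed
    ("wifi",  "Unclassified", "password"),            # fails complexity rule
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS):
        print(finding)
```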