Security Matters
Convio's GetActive platform suffered a security breach a couple of weeks back that resulted in the compromise of some users' passwords. If you'd like in-depth information, check out Allan Benamer's blog for a blow-by-blow account, but for most users the issue is simple: How can I make sure my password is safe?
In the case of something like the GetActive breach, the simple answer is, you can't.
Here's how a password login (challenge-response) system generally works:
- Your account information, tied to a user name and password, is stored in a database.
- The stored password is generally not kept as-is but run through a strong one-way mathematical function (often loosely called "encryption"); if it isn't, you should find a new system.
- When you log in to the system, by entering your user name and password, a piece of code takes the password you just entered, runs it through the same one-way function as when you set up your account, and compares the result -- which looks something like "ad39gk_g83k#fjeemktnd" -- to the scrambled password already stored in the database.
- If the two match, the system knows the password you just entered is correct.
Note that the system never really knows what your password is. That's good.
Sometimes, as is apparently the case with GetActive, a two-way encryption system is used. Your password, as stored in the system, is still encrypted. Anybody who gains access to the database alone will not be able to decipher your password.
But stored elsewhere in the system is a key for doing just that.
What happens if somebody gains access to the database and the key? Bad things. Remember when Rick Moranis finally found Sigourney Weaver?
Many service providers continue to use two-way systems, for the sake of convenience. Customers generally prefer having their actual password sent to them when they forget it, instead of having to reset it.
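The two storage models described above, one-way hashing versus two-way encryption, side by side. This is an added illustration, not code from the post or from Convio's GetActive platform; the PBKDF2 work factor and the toy keystream cipher are assumptions made for the example.

```python
import hashlib
import hmac
import os
from base64 import b64decode, b64encode

# PBKDF2 work factor: an assumption for this example, not a value from the post.
ITERATIONS = 600_000

# --- One-way storage: the system never keeps the password itself ---
def make_hash_record(password: str) -> str:
    """Store a random salt and a slow one-way hash; the password cannot be read back."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS),
                     b64encode(salt).decode(), b64encode(digest).decode()])


def verify_hash_record(password: str, record: str) -> bool:
    """Login check: re-hash what the user typed with the stored salt and compare."""
    _algo, iters, salt_b64, digest_b64 = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    b64decode(salt_b64), int(iters))
    # Constant-time comparison so response timing leaks nothing about the digest.
    return hmac.compare_digest(candidate, b64decode(digest_b64))


# --- Two-way storage: a key kept "elsewhere in the system" reverses it ---
# Toy keystream cipher (XOR with a hash-derived stream), constructed only to
# show reversibility; it stands in for whatever real cipher a site might use.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def make_reversible_record(password: str, key: bytes) -> str:
    data = password.encode()
    nonce = os.urandom(16)
    cipher = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return b64encode(nonce).decode() + "$" + b64encode(cipher).decode()


def recover_password(record: str, key: bytes) -> str:
    """The 'e-mail me my password' feature; database plus key yields the same for anyone."""
    nonce_b64, cipher_b64 = record.split("$")
    nonce, cipher = b64decode(nonce_b64), b64decode(cipher_b64)
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher))))
    return plain.decode()
```

With the hashed record there is no function that returns the password, which is why such a site can only offer a reset; with the reversible record, whoever holds the key and the database gets exactly what the reset e-mail would.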
The problem here is not a one-time security breach, as happened to a few GetActive users. The problem is that many people, if not most, re-use passwords across different systems. Losing your Yahoo log-in isn't a bad thing -- unless it's also the log-in for your online bank account.
As long as this is the case, it's incumbent upon you and your organization to take precautions to secure your own and your clients' information.
First, educate yourself. A good place to start is TechSoup's Healthy and Secure Computing program, which offers a workbook, best practice guidelines, even free webinars.
Education goes beyond just knowing what you should do in theory, though. Start by asking, "How do my service providers store my user information?"
Then, come up with a password policy. You can find decent guides to password creation here and here.
What the guides don't mention, however, is perhaps even more important: use different passwords for different systems.
Without revealing too much, I can say that I'm currently using at least 10 different passwords for my various accounts, structured such that I use my most complex passwords only for my most important and valuable information. If you use variations on a theme, you don't need to be Garry Kasparov to remember them all without writing them down.
(Interestingly, while it's common wisdom that you should change your password regularly, this may be a myth. According to a fascinating article by Prof. Eugene Spafford, this practice probably developed in the Department of Defense back in the days of unnetworked mainframes, when the main threat was a systematic brute-force crack, and simply never went away.)
While proper password use takes some extra effort, it's effort that will go a long way toward ensuring the safety of your, and your constituents', private information.