By protecting your digital IDs, you can prevent unauthorized use of your private keys for signing or decrypting confidential documents. Make sure that you have a procedure in place in the event your ID is lost or stolen.
When private keys are stored on hardware tokens, smart cards, or other hardware devices that are password- or PIN-protected, use a strong password or PIN. Never divulge your password to others. Do not write your password down; if you must, keep the written copy in a secure location. Keep your password strong by following these rules: use at least eight characters (longer is stronger); mix uppercase and lowercase letters with numbers and special characters; choose a password that is difficult to guess but that you can remember without writing it down; do not use a correctly spelled word in any language, because a dictionary attack tries every entry in a word list and recovers such passwords in minutes; and change your password on a regular basis. Most smart cards and tokens also enforce a retry counter and lock after a few wrong PIN attempts, so a stolen device cannot be guessed against indefinitely. Contact your system administrator for guidelines on choosing a strong password.
To protect private keys stored in P12/PFX files, use a strong password and set your password timeout options appropriately. The timeout controls how long the application remembers your password after you enter it before asking for it again. If you use a P12 file to store private keys for signing, set the timeout so that your password is always required (this is the default behavior); otherwise anyone at an unattended session can sign in your name. If you use a P12 file to store private keys that decrypt documents, keep a backup copy of the private key or P12 file in a secure location so that you can still open encrypted documents if the original is lost. A signing key does not need this backup: if it is lost you obtain a new digital ID, whereas documents encrypted to a lost decryption key cannot be recovered. Remember that a P12 file is protected only by its password; anyone who obtains a copy can try passwords offline against it without any lockout, so the password must be strong enough to withstand that.
The mechanisms used to protect private keys stored in the Windows certificate store depend on the cryptographic provider (the CSP or key storage provider) that holds the key, which may come from Microsoft or from the vendor of a smart card or token. Contact that provider to determine how best to protect the keys from unauthorized access and how to back them up. In general, use the strongest authentication mechanism available and require a strong password or PIN where possible; Windows can also mark a software key as non-exportable and prompt for a password each time the key is used.
If your digital ID is lost or stolen, act immediately. If the ID was issued by a certificate authority, notify the certificate authority and request revocation of your certificate; the authority then publishes the revocation (in its certificate revocation list or through OCSP) so that anyone who checks the certificate's status can see that it is no longer trustworthy. Stop using the private key.
If your digital ID was self-issued, there is no authority to publish a revocation. Destroy the private key and notify everyone to whom you sent the corresponding public key (certificate) so that they stop trusting it.