June 2012 was a bad month for internet security. With one scandal after another, we all need to stop and think how safe we really are online.
On June 6, 2012, LinkedIn announced the theft of approximately 6.5 million passwords. The file containing the hashed user passwords was uploaded to a Russian forum by an unknown source. A day later, eHarmony, the online matchmaker, suffered a theft of 1.5 million passwords.
You may have a bunch of passwords, some you probably can no longer remember and others that you’ve been using for years. It’s a good idea to make sure your password strategy and practice are up to date. Here are a few great tips to help:
A password should be at least 8 characters long and contain a combination of lower case letters, upper case letters, numbers and special characters (#, %, _, etc.). A strong password gives an attacker nothing to work with because it doesn’t follow any recognizable pattern.
Here are a few examples of bad passwords that should be avoided:
• your own birthday (or any date which has significance for you)
• people’s names (or any other name like your dog’s)
• any personal information like your phone number, your license plate
• words or phrases from books, films, poems, famous speeches, song lyrics etc.
• dictionary words — words in any language that can be found in a dictionary or on the Internet
An easy-to-guess password will also contain dictionary words with some letters replaced by look-alike characters. Avoid using simple words with a few characters swapped. Here’s an example of this practice:
That doesn’t leave much, now does it? Actually, there is still plenty to work with; you just need to raise the creativity a notch. Try using phrases or sentences and shuffling the order of the words. Or think of an album you like by, say, David Bowie. Abbreviate the name and add some more memorable features to it. So “The Rise and Fall of Ziggy Stardust” can turn into #tRAfoZS.
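To make the rules above concrete, here is a small checker, added as an example and not part of the original article, that flags the weaknesses listed above: fewer than 8 characters, missing character classes, passwords that are just a date, and dictionary words dressed up with leet-style substitutions or digits tacked on the ends. The wordlist and the substitution table are constructed for the example; a real checker would load a large cracking dictionary instead.

```python
import re
from datetime import datetime

# Constructed wordlist standing in for a real dictionary (assumption: a real
# checker would load a large wordlist such as a cracking dictionary).
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein",
                "football", "princess", "qwerty", "sunshine", "ziggy"}

# Common look-alike substitutions that cracking rule sets undo trivially.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def character_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif not ch.isalnum():
            classes.add("special")
    return classes

def looks_like_date(pw):
    """True if pw is only a date, e.g. 19850612, 12-06-1985 or 06/12/85."""
    digits = re.sub(r"[-/. ]", "", pw)
    if not digits.isdigit() or len(digits) not in (6, 8):
        return False
    for fmt in ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y", "%y%m%d"):
        try:
            datetime.strptime(digits, fmt)
            return True
        except ValueError:
            pass
    return False

def contains_dictionary_word(pw):
    """True if pw is a dictionary word, possibly with leet substitutions
    and/or digits added at the ends (e.g. P@ssw0rd1, Dragon2012)."""
    lowered = pw.lower()
    candidates = {lowered, re.sub(r"^\d+|\d+$", "", lowered)}
    for cand in candidates:
        letters = re.sub(r"[^a-z]", "", cand.translate(LEET_MAP))
        if letters in COMMON_WORDS:
            return True
    return False

def assess(pw):
    """Return (strong, findings); findings lists every rule the password breaks."""
    findings = []
    if len(pw) < 8:
        findings.append("shorter than 8 characters")
    missing = {"lower", "upper", "digit", "special"} - character_classes(pw)
    if missing:
        findings.append("missing character classes: " + ", ".join(sorted(missing)))
    if looks_like_date(pw):
        findings.append("looks like a date")
    if contains_dictionary_word(pw):
        findings.append("dictionary word (possibly with leet substitutions)")
    return (not findings, findings)

if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "19850612", "Dragon2012", "#tRAfoZS-1972"):
        strong, findings = assess(candidate)
        print(candidate, "strong" if strong else "weak", findings)
```

The leet check illustrates the point of the paragraph: P@ssw0rd1 passes the length and character-class rules yet is rejected, because undoing the substitutions and stripping the trailing digit yields a plain dictionary word.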
Using the same password for several of your accounts is not a smart move. It means one site’s breach can turn into a bigger mess for you. Make sure you keep a different password for every account you have. When password thieves obtain passwords, they sometimes trade them with other people via underground bulletin boards, after which they’ll test whether user credentials (username and password) for one site will work on another. Last year, for example, Sony had to lock 93,000 user accounts after it suffered a data breach involving the usernames and passwords of its customers. The exploit appeared to involve a great number of credentials stolen from third-party sites and reused by attackers who logged on to people’s Sony accounts.
Changing your password once every six months is an important practice to adopt. Some services, such as online banks, demand that you change your password at regular intervals, and this is a habit worth adopting everywhere. Changing your passwords every once in a while may spare you a lot of future trouble.
Websites that email your password back to you when you request it are not helping your safety efforts. If you simply archive those emails or let them sit in your mailbox, they are an easy target for theft. Anyone with access to your email can simply search for “password recovery” and gain access to large parts of your online life.
To start with, clean out your mailbox. Search for all the emails you have with passwords listed and press Delete. If any other site sends you an email with a password upon your request, change the password on that account and delete the email.
Password managers typically include built-in strong, random password generators. They store your passwords in encrypted form so you don’t have to depend solely on memory. Even better, many will synchronize your password lists across every PC, smartphone, or tablet that you own, and in this day and age that feature is indispensable.
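What a “strong, random” generator does under the hood is simple to show. The following is an added example, not code from the article or from any password manager: it draws characters from the operating system’s cryptographic random source via Python’s secrets module, guarantees at least one character from each of the four classes the article asks for, and estimates the resulting entropy. The special-character set is constructed for the example, since sites differ in what they accept.

```python
import math
import secrets
import string

# Alphabets for the four character classes the article asks for.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "#%_!@$&*-+=?",   # constructed set; sites differ in what they accept
}
ALPHABET = "".join(CLASSES.values())

def generate_password(length=16):
    """Generate a random password containing at least one character from every
    class, using the OS cryptographic RNG (never random.random for this)."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    # One guaranteed character per class, the rest drawn from the full alphabet.
    chars = [secrets.choice(alphabet) for alphabet in CLASSES.values()]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    # Shuffle with the CSPRNG so the guaranteed characters do not sit in
    # predictable positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of this length and alphabet.
    This is an upper bound: the class guarantee removes a small fraction of
    the space, but for lengths of 12 or more the difference is negligible."""
    return length * math.log2(alphabet_size)

def has_all_classes(pw):
    """True if pw contains at least one character from every class."""
    return all(any(c in alphabet for c in pw) for alphabet in CLASSES.values())

if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, "entropy ~ %.1f bits" % entropy_bits(len(pw)))
```

A 16-character password over this 74-character alphabet carries about 99 bits of entropy, far beyond what any dictionary or rule-based guess can reach, which is exactly why a manager-generated password can be long and random: nobody has to remember it.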
For recommendations on password managers, have a look at Lifehacker’s list of the top 5.