Writing from the nation's capital, this blog explores technology, telecommunications, national security, policy, and their impact on people, with an occasional rant.

Tuesday, March 30, 2010

Of passwords and online security

Here's something you really should think about.  I know that many people use a simple password--anything from a word to just numbers, or even a word plus a number.  This is common knowledge to security specialists and bad-guy hackers alike.  Late last year, tens of thousands of Hotmail, Yahoo, and Gmail users were hacked through phishing attacks.  These break-ins were enabled in part by easy-to-guess passwords.  There are automated ways bad guys can try to guess your password, and they take much less time than your login process.

What can you do?  First, read this and start applying the recommendations.
http://gmailblog.blogspot.com/2009/10/choosing-smart-password.html

Specifically, take the following steps now.  Especially, make these changes if you think your passwords might be compromised or could be.
  1. Change any passwords for sites that access financial info or other sensitive stuff (information you store online, commercial sites which have your credit card #, etc).  This might include google/gmail, yahoo, amazon, depending on the services you use there.  (Look here to see how much google stuff you use: https://www.google.com/accounts/ManageAccount )
  2. Make sure your bank/investment passwords are STRONG and are not the same as other passwords.
  3. Don't use exactly the same password at each site, especially if they use the same user name.
That's the end of your security triage.  You will likely be safer after these steps, and if you do nothing else, you should be ok.  (If you use Wi-Fi, then you need a really strong WPA passphrase too.  Read about this in Security Now episode #13.)

You might ask, what is a "strong" password?  Well, in general it should contain 10+ characters and include letters of both cases, numbers, and symbols.  It should not be a word, name, string of numbers, or date.  An easy way to develop one is to pick a sentence, phrase, or similar and use the first character of each word.  You could use a line from a movie or book, a Bible verse, a quotation, or a saying.  Then modify it somehow, perhaps by adding symbols or numbers, or by interchanging letters.  This technique is known to hackers, so if you use a well-known sentence and just take the first letter of each word, it may already be in a cracker's list of passwords, just like Pa$$w0rd1 is.  For example, "In the beginning, God created the Heaven and the Earth" could become ItbGctHaE.  Maybe start with 1:1 and replace a with &, but that's pretty simple too, and you'd still have to get some numbers and symbols in there.  That is the basis for a strong password.  Oh, and you can't use this one anymore, because it's now out in public.
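As an added illustration (not code from the original post), here is a small script that applies the rules above locally, on your own machine, so you never have to paste a password into a web page: it builds the first-letter mnemonic, applies the "add numbers and symbols, swap letters" step, and reports which of the post's rules a candidate still fails.  The wordlist is a constructed stand-in for a cracker's list and is far shorter than a real one.

```python
import string

# Constructed stand-in for a cracker's wordlist (real lists hold millions of entries).
# Anything published, including the post's own example, belongs here.
KNOWN_PASSWORDS = {"password", "123456", "pa$$w0rd1", "itbgcthae", "itbgcthate"}


def mnemonic(phrase: str) -> str:
    """First character of every word, case preserved (the post's technique).
    Note: the post's own example ItbGctHaE dropped one 'the'; this keeps every word."""
    return "".join(word[0] for word in phrase.split() if word[0].isalnum())


def harden(base: str, prefix: str = "", swaps: dict = None) -> str:
    """The post's second step: prepend numbers/symbols and swap letters (e.g. a -> &)."""
    return prefix + base.translate(str.maketrans(swaps or {}))


def check_strength(password: str, known=KNOWN_PASSWORDS) -> list:
    """Return the post's rules that the password fails; an empty list means it passes.
    Runs entirely offline so the candidate never leaves this machine."""
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    # A word, name or known mnemonic is checked case-insensitively, as a cracker would.
    if password.lower() in known:
        problems.append("already in a cracker's list")
    return problems


if __name__ == "__main__":
    base = mnemonic("In the beginning, God created the Heaven and the Earth")
    for candidate in (base, harden(base, "1:1", {"a": "&"}), "Pa$$w0rd1"):
        print(candidate, "->", check_strength(candidate) or "passes all rules")
```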

Now go change your passwords. 

To learn more, the DOD has a pretty good one-page summary on protecting computers and your information.  It summarizes the threats which are out there and can affect you.  Stealing passwords and accessing your accounts is just one thing that can happen.  You can read it here:
http://socialmedia.defense.gov/index.php/2009/11/09/the-basics-helping-to-protect-computers-and-networks/

This stuff does really happen.  You must be the first line of defense.  Failing to act is acting to fail. 

Do I really need to worry about this stuff?  Well, if you have no online presence, then probably not.  If you don't bank or have any financial data online, then you might be ok.  The same goes if you don't have a bunch of information on your Facebook page which someone could use to impersonate you, guess other passwords, or open accounts in your name.

Right now, many of us are trusting in security through obscurity--there are so many people online, how could someone target me?  An out-of-the-blue attack may be less likely.  But if some of your information from a W-2, school transcript, or other document were to fall into nefarious hands, it would be all too easy for the wrong-doer to look you up on Facebook.  They might even send you a carefully crafted message to get more info, or send you a malicious web link.  Have you ever lost such a document?  Has your school, employer, credit card company, etc. ever lost some of your data on a thumb drive or laptop, or in a hacker break-in?  Probably.  But don't just believe me, read more about secure passwords in the links below.

Now go change your passwords. 


Additional Recommended Security Links:

US CERT Cyber Security Tip ST04-002 Choosing and Protecting Passwords

MakeUseOf.com - Create Strong Passwords

GRC.com Perfect Password generator

Password Strength Checkers - to be really safe, you shouldn't put your new password into one of these.  If you do, at least make sure they are a secure page (https).
