Password security, one step at a time


Last week we saw millions of passwords leak from LinkedIn, eHarmony and others. Much has been written over the last twenty years about how to create strong passwords, but no matter how strong your password is, if a site you use is breached, you should expect to lose the password you gave it.

Once the perpetrators have downloaded a site's password database to their own computers, the site's login limits no longer protect you: they can spend as much time as they like, using a growing number of highly sophisticated cracking tools, and if the site stored its password hashes without salting, every guess they hash can be checked against every account in the dump at once.

What this means is that you must assume that any site you use could be hacked at some point, and what that really means is that if you have reused one password across multiple sites, a single breach hands the attacker all of those accounts, and you will have a new name, and that name will be Victim.

You simply must adopt a strategy of using a unique password for each site. That way, if a site falls, as we saw this week, you lose one password, not the keys to the kingdom.
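To make the two points above concrete, here is an added example (not part of the original article, and making no claim about how any real site stored its passwords): a constructed dump of unsalted SHA-1 password hashes from two fictitious sites, a tiny wordlist with a few common mangling rules, and a dictionary attack against it. Because the hashes are unsalted, each candidate is hashed once and compared against every account, and a user who reused a password on both sites shows up with the identical hash in both dumps, so cracking it once opens both accounts. All account names, passwords and the wordlist are constructed for the example.

```python
import hashlib


def sha1_hex(s: str) -> str:
    """Unsalted SHA-1, the weak storage scheme assumed for this constructed dump."""
    return hashlib.sha1(s.encode()).hexdigest()


# Constructed leaks from two fictitious sites. "carol" reused "Summer2012" on both.
LEAKED_SITE_A = {
    "alice": sha1_hex("password123"),
    "bob": sha1_hex("qwerty"),
    "carol": sha1_hex("Summer2012"),
    "dave": sha1_hex("ostrich-velvet-quantum-ladder-pianist"),
}
LEAKED_SITE_B = {
    "carol@example.com": sha1_hex("Summer2012"),
}

# Constructed mini wordlist; real attacks use lists of many millions of entries.
WORDLIST = ["password", "qwerty", "summer", "welcome", "letmein", "ostrich"]


def candidates(words):
    """Yield each word plus common mangling: capitalisation, trailing digits/symbols, recent years."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for suffix in ("1", "12", "123", "!"):
                yield base + suffix
            for year in range(2008, 2013):
                yield base + str(year)


def crack(leak, words):
    """Dictionary attack on unsalted hashes.

    Each candidate is hashed exactly once and looked up against every account,
    which is why unsalted storage lets an attacker crack a whole dump for the
    price of cracking one password. Returns {username: recovered_password}.
    """
    by_hash = {}
    for user, h in leak.items():
        by_hash.setdefault(h, []).append(user)
    cracked = {}
    for cand in candidates(words):
        h = sha1_hex(cand)
        for user in by_hash.get(h, []):
            cracked[user] = cand
    return cracked


def reused_accounts(leak_a, leak_b):
    """Pairs of accounts across two dumps with identical unsalted hashes, i.e. identical passwords."""
    b_by_hash = {}
    for user, h in leak_b.items():
        b_by_hash.setdefault(h, []).append(user)
    pairs = set()
    for user_a, h in leak_a.items():
        for user_b in b_by_hash.get(h, []):
            pairs.add((user_a, user_b))
    return pairs


if __name__ == "__main__":
    recovered = crack(LEAKED_SITE_A, WORDLIST)
    for user, pw in recovered.items():
        print(f"{user}: cracked -> {pw}")
    for user in LEAKED_SITE_A:
        if user not in recovered:
            print(f"{user}: survived the wordlist")
    for a, b in reused_accounts(LEAKED_SITE_A, LEAKED_SITE_B):
        print(f"reused password: {a} on site A is {b} on site B")
```

The three weak passwords fall to a six-word list with trivial mangling; the random five-word passphrase does not, even though one of its words is on the list, because the attack would have to guess the whole phrase. The cross-dump match shows why reuse turns one breach into several.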

Roger Thompson, chief emerging threats researcher at ICSA Labs, offers some do’s and don’ts for password security.

Five things to do

1. DO use a unique password for each site.
2. DO use a password keeper.
3. DO use non-alpha characters such as ?!$% in the password.
4. DO periodically change your password and, if possible, your user ID. Many if not most public websites and/or eCommerce sites do not require a periodic refresh of your password, so take it upon yourself to do so.
5. DO use a passphrase, rather than a password, and a fine strategy is to use a bunch of random words. It’s easy to remember, and the sheer length makes it hard to crack.

Seven things not to do

1. DON’T use easy-to-guess words, like “password”, or “password123”.
2. DON’T use adjacent keyboard characters, like “qwerty” or “12345678”.
3. DON’T use things that can be discovered about you, such as your hometown, or the name of your pet or spouse.
4. DON’T use really short passwords. Anything under eight characters is too short.
5. DON’T use common passphrases, such as “I like BBQ” – these are as easy to guess as single words.
6. DON’T use shared, open Wi-Fi, such as that found in coffee shops and public places, for anything that involves a user ID and password, in case it is sniffed.
7. DON’T connect to a router that’s using open access, WEP or WPA encryption. Instead use WPA2, or 3G/4G connectivity.
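The following added example (not from the original article or its author) turns the do's and don'ts above into code: a random-word passphrase generator in the spirit of item 5 of the do's, an entropy estimate that shows why a handful of random words beats eight random characters, and a checker that flags the don'ts (short passwords, no non-alpha character, common words and phrases, adjacent keyboard runs, personal details). The word list, the set of "common" passwords and the test inputs are all constructed for the example; a real deployment would use a large published word list and a breach-derived blocklist.

```python
import math
import re
import secrets

# Constructed mini word list. A real list such as EFF's large one has 7776 entries;
# entropy below is computed from whichever list is actually passed in.
WORDS = [
    "ostrich", "velvet", "quantum", "ladder", "pianist", "harbor", "cactus",
    "meadow", "saddle", "tundra", "copper", "lantern", "falcon", "orbit",
    "maple", "glacier",
]

# Constructed blocklist standing in for a breach-derived list of common passwords.
COMMON = {
    "password", "password123", "qwerty", "123456", "12345678",
    "letmein", "iloveyou", "i like bbq",
}

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def passphrase(words, n=5, sep="-"):
    """n words chosen uniformly at random (with replacement) using the OS CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(n))


def entropy_bits(pool_size, length):
    """Bits of entropy for `length` independent uniform picks from `pool_size` options."""
    return length * math.log2(pool_size)


def has_keyboard_run(pw, n=4):
    """True if pw contains n adjacent keyboard characters in either direction (e.g. qwer, 4321)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            run = row[i:i + n]
            if run in low or run[::-1] in low:
                return True
    return False


def check_password(pw, personal=()):
    """Return the list of rules from the do/don't list that pw violates; [] means it passes.

    `personal` is an iterable of details that can be discovered about the user
    (hometown, pet, spouse) and must not appear in the password.
    """
    problems = []
    if len(pw) < 8:
        problems.append("too short (under 8 characters)")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no non-alphanumeric character")
    norm = pw.lower().strip()
    # Strip the usual trailing digits/! so "Password123!" still matches "password".
    if norm in COMMON or norm.rstrip("0123456789!") in COMMON:
        problems.append("common word or phrase")
    if has_keyboard_run(pw):
        problems.append("adjacent keyboard characters")
    for item in personal:
        if item and item.lower() in norm:
            problems.append(f"contains personal detail '{item}'")
    return problems


if __name__ == "__main__":
    for pw in ["password123", "qwerty", "I like BBQ", "Fluffy2012!"]:
        print(f"{pw!r}: {check_password(pw, personal=['Fluffy']) or 'OK'}")
    p = passphrase(WORDS)
    print(f"{p!r}: {check_password(p) or 'OK'}")
    print("5 words from a 7776-word list:", round(entropy_bits(7776, 5), 1), "bits")
    print("8 random printable ASCII chars:", round(entropy_bits(95, 8), 1), "bits")
```

Five words drawn from a 7776-word list give about 64.6 bits, against about 52.6 bits for eight characters drawn uniformly from the 95 printable ASCII characters, and the passphrase is far easier to remember. The checker only catches the patterns the list names; it is a floor, not a strength meter.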