The Top Ten Commandments of Password Protection
Protecting your passwords is a vital component of keeping your online accounts safe and secure. Careless users often find themselves the victims of email or Facebook hacks. Armed with the right information, it only takes a few moments to properly secure your email accounts, social networking profiles and sensitive, web-based logins. We have put together a handy list of password protection tips to help you in this endeavor.
1. Do not use the same password or email account to access multiple sites. For example, do not use the same login credentials for Facebook that you use for your online banking account.
2. Strong, secure passwords are a necessity. Passwords should be a minimum of eight characters and should contain upper- and lower-case letters and numbers. Don’t use simple words, especially by themselves. PCtools has an online password generator available if you need it.
3. Use secure answers to security questions. With the advent of social networking sites, it is imperative that you take precautions when setting security/password-retrieval questions. A common question is “What is your mother’s maiden name?” The answer to this question wouldn’t be too terribly difficult for a hacker to find out, especially if your social networking privacy settings aren’t locked down. Lifehacker has a good guide on how to obscure answers to easy security questions.
4. Change your passwords on sensitive accounts every 30 to 60 days. (This can be annoying, and some experts think it is not necessary if you have a good, strong password in place.)
5. Never share your passwords with anyone, especially if you don’t follow our advice and use the same passwords on multiple sites.
6. Consider using a password manager to manage your online account logins.
7. Don’t log in to a web-based email account from a public computer or an unsecured Wi-Fi network. There have been several news stories of keyloggers being installed on computers in public places.
8. Never click on a link in an email and then enter login credentials. A common phishing scheme sends you a bogus security alert claiming your account has been compromised; the fraudulent email provides a link to the phishing site. A better option is to close the email and type the URL of the real site the hackers are imitating into your web browser yourself.
9. Install and maintain current versions of anti-virus and firewall software. These programs often have built-in alerts if you are directed to known phishing sites.
10. Actually run full system scans on your system! How many of us install anti-virus software and then hope for the best? Most mainstream programs are pretty good at detecting threats as they occur, but a better option is to boot your computer into safe mode and run a full system scan every 15-30 days.
You can make your passwords more secure if you follow a few simple rules, say security experts: don’t reuse passwords, make them long and random, and don’t be afraid to write them down.
How safe are your passwords?
The LulzSec hacking group may have ceased its 50-day hacking spree, meaning that users of InfraGard, the U.S. Senate, and Sony websites, among others, can sleep more soundly at night. But people shouldn’t let the apparent cessation of the latest laugh-seeking hacking campaign lull them into a false sense of security.
There’s a growing body of evidence (numerous LulzSec exploits, last year’s hack of Gawker, even a 10-year-old study of the password-picking habits of Unix users) that people prefer short, non-random, and therefore unsafe passwords. They also tend to reuse those same passwords across multiple sites. The underlying rationale is clear: it makes passwords easier to use.
Unfortunately, it also makes for poor security. For example, look at one of LulzSec’s attacks against the Atlanta branch of FBI affiliate InfraGard, in which the hackers stole members’ username and password combinations. Those credentials then allowed LulzSec to gain access to Atlanta InfraGard member Karim Hijazi’s business and personal Gmail accounts. Hijazi is a somewhat controversial security consultant who is CEO and president of botnet monitoring startup firm Unveillance. But even he reused his passwords.
Password reuse, however, isn’t the only issue. Another threat is that attackers will gain access to a website’s password database and steal a copy. At that point, even if the database is encrypted, attackers can hammer away at it offline, using a tool such as Password Recovery Toolkit from AccessData to crack it in relatively little time. Processing power is no object. Indeed, researchers at Georgia Tech have tapped the graphics cards built into PCs to crack even hashed passwords of fewer than 12 characters in short order.
Not coincidentally, the Georgia Tech researchers recommend using passwords that are at least 12 characters long, and which mix letters, numbers, and symbols. But who’s going to remember a unique, randomized (aka highly entropic) 12-character password for every semi-critical website they use?
Thankfully, options abound for creating long and strong passwords. For example, people can use pass phrases (sentences, really) instead of passwords. Another option, meanwhile, is to build passwords using some kind of predetermined logic. The password “mniE,” for example, would be short for “my name is Earl.” (Ideally, of course, the password would be much longer.) Proponents of this approach often recommend using a variation that builds in the name of the website, so that one password can be altered to address various other websites. For Amazon.com, for example, the variation could be “mAMAniE.”
Despite the potential security improvement, according to Jesper M. Johansson, formerly the security program manager at Microsoft and now the principal security architect at Amazon.com, it’s unclear if many people bother to use pass phrases. Furthermore, based on some rough estimates, he said that it’s likely that a person would need to use a six-word pass phrase (which is starting to get clunky) to attain the same level of entropy as a nine-character password. Finally, reusing parts of passwords across different websites means that attackers who steal username and password combinations might be able to reverse-engineer the logic.
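As an added illustration (not part of the original article), the following Python works through the entropy figures the text refers to: the eight-character letters-and-digits minimum from tip 2, the nine-character password versus six-word pass phrase comparison, and the Georgia Tech 12-character recommendation. The 94-symbol printable-ASCII alphabet, the 62-symbol alphanumeric alphabet, the 1,000-word pass phrase dictionary and the one-billion-guesses-per-second offline cracking rate are all assumptions made for the example, not figures from the article.

```python
import math

# Assumed alphabet, dictionary and attacker figures (not from the article).
PRINTABLE_ASCII = 94      # upper, lower, digits and keyboard symbols
ALPHANUMERIC = 62         # upper, lower and digits (tip 2's minimum mix)
COMMON_WORDS = 1000       # small everyday vocabulary for pass phrases
GUESSES_PER_SECOND = 1e9  # assumed offline GPU rate against a stolen hash database


def password_entropy_bits(length, charset_size):
    """Entropy of a password whose `length` symbols are chosen uniformly at random.

    Human-chosen passwords are far less random than this, so these figures are
    an upper bound on the strength of a password of the given shape.
    """
    return length * math.log2(charset_size)


def passphrase_entropy_bits(words, dictionary_size):
    """Entropy of a pass phrase of `words` words drawn at random from a dictionary."""
    return words * math.log2(dictionary_size)


def exhaustive_search_seconds(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time for an offline attacker to try every candidate in the keyspace."""
    return 2.0 ** bits / guesses_per_second


def compare_designs():
    """Entropy in bits for each password style the article discusses."""
    return {
        "8 chars, letters+digits (tip 2 minimum)": password_entropy_bits(8, ALPHANUMERIC),
        "9 chars, full printable ASCII": password_entropy_bits(9, PRINTABLE_ASCII),
        "12 chars, full printable ASCII (Georgia Tech)": password_entropy_bits(12, PRINTABLE_ASCII),
        "6-word pass phrase, 1,000-word dictionary": passphrase_entropy_bits(6, COMMON_WORDS),
    }


if __name__ == "__main__":
    seconds_per_year = 365.25 * 24 * 3600
    for label, bits in compare_designs().items():
        years = exhaustive_search_seconds(bits) / seconds_per_year
        print(f"{label:48s} {bits:5.1f} bits  ~{years:.3g} years to exhaust "
              f"at {GUESSES_PER_SECOND:.0e} guesses/s")
```

Under these assumptions the six-word pass phrase and the nine-character random password land within a bit of each other, which is the rough equivalence Johansson describes, while the 12-character password is about 20 bits stronger than either.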
Accordingly, the simplest and easiest way to increase password security might simply be to write passwords down, albeit preferably in a highly secure manner. “The best investment you can make is to go out and get a [digital] wallet to keep your passwords in,” said Thomas Kristensen, chief security officer of Secunia, a vulnerability information provider, in an interview. “To reuse your password on different sites is just the worst thing you can do. Look at all of the compromises of websites this year–there’s the risk that they’ll lose your account, and once your password is out there and associated with your email address, you probably won’t know it’s been stolen until they’ve heisted something.”
Another advantage of digital password wallets is that the software not only makes it easy to store passwords, but also to generate a strong, highly random password. That makes it trivial to maintain a different password for each and every website used. Accordingly, the next time hackers crack a Sony password database, even if it contains your username and password, they won’t be able to exploit that combination anywhere else.
Digital password wallets, however, do mean one more piece of software to download, install, and use. “It’s a nuisance, I know,” said Kristensen, who’s been using an open source application called KeePass for 10 years. But he said that using digital password wallets is simply a best practice. “It’s not the perfect solution, but it’s much better than reusing passwords.”
When it comes to password management software that stores passwords securely, there are numerous options. For example, Bruce Schneier, chief security technology officer at BT, created PasswordSafe, an easy-to-use, open source password database for Windows. Such software is also available for Apple’s OS X (for example, the shareware PasswordWallet, which also works on Windows). Another option, the aforementioned KeePass, runs on both of those operating systems, as well as Linux.
Furthermore, many password wallets will synchronize passwords between your computer and mobile devices, meaning you can always carry a secure, password-protected copy of your passwords and PIN codes with you. (For the record, people’s PIN-picking practices are arguably even poorer than their password selection habits.)
To recap: secure passwords by creating a unique and random, long and strong password for every website that matters. Then keep these passwords secure by storing them in a digital safe. Do that, and don’t fear the next LulzSec.