So, speaking of passwords, are you “safe” or “convenient”?

[Update: I didn't even think to mention mobile phones and locking or password-protecting them… This is one of those "just because it is now doesn't mean it's better" things… More on protecting your cellphone in a future post…]

Going along with my recent posts on privacy, I thought that I would put some information out there about the idea of passwords. We ALL have them and many of us feel we have TOO MANY of them… We have passwords for work (maybe 2 or 3), banks, credit cards, websites, bills, and many, many more… Frankly, I personally have 74 different web-based sites with logins… that DOES NOT include the many sites I have not updated or don't know by heart, and it does not include the oh… 15 or 20 different logins I have because of my role at work…

I am sure you are saying "yeah right… he is just trying to make a point…" I am, but I know what I track because I now use an application called 1Password (Mac) to help manage my personal password nightmare. I also know many of you may believe that using a tool like this is more of a risk, or a bigger hassle, than it is worth. I'll address that point in a bit. However, let me ask you this: "What can someone learn about you if you were to lose your mobile phone?"

Now, what does your email say about you and the things you communicate about? How about this one… "If someone got your email password, how many other places could they possibly log in to if they only knew where to look?" Oh, but they couldn't possibly learn where you bank or shop, or what eBay or Amazon accounts or credit cards you have, from your email? Did you know that the site RockYou.com was hacked last year and 32 MILLION passwords were compromised? How about this from a Washington Post article dated 02/18/2010:

More than 75,000 computer systems at nearly 2,500 companies in the United States and around the world have been hacked in what appears to be one of the largest and most sophisticated attacks by cyber criminals discovered to date, according to a northern Virginia security firm.

The attack, which began in late 2008 and was discovered last month, targeted proprietary corporate data, e-mails, credit-card transaction data and login credentials at companies in the health and technology industries in 196 countries, according to Herndon-based NetWitness.

Still think that using 2 or 3 passwords, or adding a 1 or 2 to a password "so you can remember it", is a wise decision? Try this: Click here to get the latest news stories from Google on "Passwords Hacked". Also, on February 3, 2010 Twitter started alerting some of its users that their passwords and accounts may have been hacked:

"Since people often use the same log-in information for multiple sites, the hacker has been breaking into Twitter accounts and possibly other social networks."

From the RockYou.com security breach some very interesting and sad things were discovered:


Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password is “123456”. – Help Net Security

Want the top 10?

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

If you are interested, Imperva's full analysis can be found here.

So, if anything that I have written here has caused you to re-think your password, you might be saying, "well, what can I do about it? I can't possibly have a different login and password for each thing that I use…" Well, YES YOU CAN! Credit card fraud and identity theft are well on the rise across the globe, and a bit of inconvenience for you today may help to prevent a LOT of life-shattering inconvenience tomorrow.
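As an added illustration (not code from the original post, and not Imperva's analysis tooling), here is a small Python checker for the trivial patterns the RockYou analysis describes: entries in the top-10 list above, dictionary words, consecutive digits, adjacent keyboard keys, and a common word with a digit tacked on the end "so you can remember it". The top-10 list is taken from the post; the short dictionary and the QWERTY rows are constructed assumptions standing in for a real word list and layout table.

```python
# Added example: flag the trivial password patterns the RockYou analysis describes.
# Not the post's or Imperva's code.

# The ten most common RockYou passwords, as listed in the post (lower-cased).
TOP_10_ROCKYOU = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}

# Constructed stand-in for a real dictionary / name list (assumption: a real
# checker would load a large word list instead of these few entries).
SAMPLE_DICTIONARY = {"love", "monkey", "dragon", "sunshine", "michael", "football"}

# Letter rows of a US QWERTY keyboard (assumed layout) for "adjacent keys" runs.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

DIGITS = "0123456789"


def _has_run(text, sequences, min_len):
    """True if any min_len-character slice of text appears, forwards or
    backwards, inside one of the given sequences."""
    for i in range(len(text) - min_len + 1):
        chunk = text[i:i + min_len]
        for seq in sequences:
            if chunk in seq or chunk in seq[::-1]:
                return True
    return False


def is_digit_run(pw, min_len=4):
    """Consecutive ascending or descending digits, e.g. 1234 or 4321."""
    return _has_run(pw, [DIGITS], min_len)


def is_keyboard_run(pw, min_len=4):
    """Adjacent keys along a keyboard row, e.g. qwer or lkjh."""
    return _has_run(pw.lower(), KEYBOARD_ROWS, min_len)


def weakness_reasons(pw):
    """Return the reasons a password counts as trivial; an empty list means none found."""
    reasons = []
    lowered = pw.lower()
    if lowered in TOP_10_ROCKYOU:
        reasons.append("in top-10 leaked list")
    elif lowered in SAMPLE_DICTIONARY:
        reasons.append("dictionary word")
    # "adding a 1 or 2 so you can remember it": strip trailing digits and re-check.
    base = lowered.rstrip(DIGITS)
    if base and base != lowered and (base in TOP_10_ROCKYOU or base in SAMPLE_DICTIONARY):
        reasons.append("common word with trailing digits")
    if is_digit_run(pw):
        reasons.append("consecutive digits")
    if is_keyboard_run(pw):
        reasons.append("adjacent keyboard keys")
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, including the top RockYou entry.
    for candidate in ["123456", "Password1", "qwerty", "monkey", "c7#Lq9!vWx2p"]:
        print(f"{candidate!r}: {weakness_reasons(candidate) or 'no trivial pattern found'}")
```

The check is deliberately a blacklist of patterns, not a "strength meter": a password that passes it is not proven strong, it has only avoided the specific habits the RockYou numbers show half of users falling into.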

Ok, so what can you do? Don't just write them down and leave them on a list next to your computer… Don't give them to anyone, no matter how "trustworthy" you think they may be… (friends or family)

First things first: you really should have a DIFFERENT username and password for each service you use (work or web-based); that way, if one site gets compromised, no other account is in jeopardy.

Second: be MORE concerned about low-"risk" or low-profile sites. Financial institutions, insurers and credit card companies invest heavily in ensuring that login and password information is secure (even though some of these companies get hacked as well). Many low-profile sites, however, are typically an easier target for hackers.

Third: DO NOT take your passwords lightly. Giving logins to co-workers, family or friends can often create risks in the future…

Now, how do you keep track of all these passwords? If you are planning on writing them down, be sure to have that list with you and not in a purse or wallet… Yeah, that is easy… Seriously, don't leave them anywhere near your computer. Another suggestion is to purchase a very secure password manager product; there are a number of reputable tools out there. The main argument against this is "well, now someone only needs to get access to that and they will have everything in one place…" Yes, I'll concede that point.

Sure, having the same one or a "few" is "so much better" than forcing someone to walk off with my Mac, crack my login password, and then crack a second password before they can even see the 16+ character alphanumeric/symbol passwords for any of the 74 online sites I frequent.

If you are interested here are a few Password Managers I am aware of:

Mac

1Password by Agile Web Solutions is really the best I have found, especially with the iPhone app sync.

Apple OS X Keychain (built into Snow Leopard) can generate and keep strong passwords.

PC

There are a plethora, from freeware to expensive commercial applications. Here is a 2010 article on the top 10 Windows password manager applications.

Cross-Platform

Here is an interesting new possibility created from a Stanford University security project, PwdHash:

PwdHash uses a user-generated password, the URL of the website you're visiting, and a pseudo random function to transparently transform the user's password into a domain-specific hash of the password. If someone steals a password file from a website, they're only getting a hash for that domain — not the user's actual password. The fact that the hash is generated for a particular domain also acts as an effective defense against phishing scams.
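To make the quoted idea concrete, here is an added Python illustration (not the PwdHash project's own code; the published PwdHash browser extension differs in hash function, output formatting and character-class rules). It keys an HMAC with the master password and feeds in the site's domain, so one memorised password yields a different derived password per site, a file stolen from one site says nothing about the others, and a look-alike domain receives a different password than the real one. The `site_domain` helper, the `example.com`/`example.net` hosts and the master phrase are constructed assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse


def site_domain(url):
    """Reduce a URL to the host the derived password is bound to.
    Simplification (assumption): lower-case the host and drop a leading 'www.';
    no public-suffix handling, so sub-domains of one site get different passwords."""
    host = (urlparse(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[len("www."):]
    return host


def derive_site_password(master, url, length=16):
    """Derive a site-specific password from the master password and the site's domain.
    HMAC-SHA256 keyed with the master password over the domain, base64-encoded and
    truncated. Illustrates the PwdHash idea; it is not the PwdHash algorithm itself."""
    domain = site_domain(url)
    mac = hmac.new(master.encode("utf-8"), domain.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:length]


def lookalike_gets_different_password(master, real_url, lookalike_url):
    """True if a look-alike domain would receive a different derived password than the
    real site, which is the phishing defence the quoted description refers to."""
    return derive_site_password(master, real_url) != derive_site_password(master, lookalike_url)


if __name__ == "__main__":
    # Constructed master phrase and reserved example domains.
    master = "correct horse battery staple"
    for url in ["https://www.example.com/login", "http://example.com/account",
                "https://example.net/login", "https://example-com.example.net/"]:
        print(f"{url:40} -> {derive_site_password(master, url)}")
```

Two things worth noting from the design: the derived value is still just a password from the site's point of view, so the site must store it properly hashed like any other; and because the master password is only ever used as an HMAC key on the user's own machine, a breach at one site never exposes it.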

Overall, if you are beginning to take your privacy more seriously with all of the high profile news items recently, you really need to begin re-thinking your ideas about passwords as well.

[Image Credit: Richard Parmiter from http://www.flickr.com/photos/parmiter/2505803867/]
