With the recent leak of LinkedIn, eHarmony and Last.fm passwords, it's past time for users (like you) to understand what an insecure password can cost you. More and more of our personal and financial information sits behind a simple username/password prompt, which makes it ever more likely that some of it finds its way into the hands of criminals. You can, however, reduce your risk through education and diligence.
How Exactly Are You at Risk?
The ultimate goal of most malicious hackers is to make money. They steal your information so they can drain your bank account or open new credit accounts in your name. They may target you specifically, or you may be one of millions of victims of an automated attack. Either way, your accounts may be emptied or your credit ruined, usually followed by months or years of working with banks and creditors to repair the damage.
Social Networks: A Hacker Paradise
Another key to understanding your risk is recognizing what a hacker can do with your password. Let’s say some creep stole your Facebook username and password. Now he knows your kids’ names, your address, your birth year, your pets’ names, your spouse’s name, your mother’s maiden name (if she’s also on Facebook) and your interests.
Now said hacker visits your bank’s website and uses the “I lost my password” feature. It will ask something like “What’s your favorite pet’s name?” or “What’s your mother’s maiden name?” or “Where did you go to high school?” I bet our hacker can answer those questions now.
Maybe you have passwords on other websites that contain some of that information. For example, your email password is "Jacob1972": a nice alphanumeric, mixed-case password, but it is also your son's name and your birth year. Our Facebook hacker runs a script that tries every combination of the names and dates on your profile and eventually gets into your email. With your email account, a hacker can reset your password just about anywhere, since an email link is the most common verification method behind "I lost my password" features.
Hopefully your email provider has systems to thwart such attempts, but the point is that even non-financial passwords need to be kept secret.
How Passwords are Stolen
Here are some of the most common ways passwords are stolen, and how you can help protect yourself from these methods.
Viruses come in many forms, but one of the most malicious kinds delivers a keylogger. This rascal sends every single one of your keystrokes to a server on the internet. At some later point the hacker combs through your keystrokes and grabs your online bank password and countless other bits of private data. You won't know you were infected until your bank account is overdrawn.
Protecting Yourself From Viruses
You really should know this by now. Make sure you have an up-to-date virus scanner installed and running. Keep your computer's operating system updated (I recommend auto-updating everything). Keep third-party apps like Flash updated. Never click on links in emails unless you know and trust the sender. Never open attachments unless they're expected and from a trusted source.
“Social Engineering” is a term that means tricking someone into deliberately giving out their own private information. These days, social engineering comes most commonly in the form of “phishing” where an official-looking email tricks the user into sending their personal info over the internet.
Here is a phishing example scenario. Suzie receives an official-looking email from her bank saying her account is overdrawn, or that they need to update her information (strictly routine, of course). When she clicks the link (usually something like http://secure.wellsfargo.a336fb.com, where the domain the attacker actually registered is a336fb.com and "secure.wellsfargo" is just a subdomain he controls), she is prompted for her login info, shown an error once or twice (to capture multiple passwords), then presented with a pretty form asking for bank account numbers and her social security number.
Avoiding Phishing Scams
Look at this link: http://secure.wellsfargo.com. Where does it go? The link text reads secure.wellsfargo.com, but mouse over it in your desktop browser and the status bar shows a different URL. I shortened the real target with bit.ly, which hides the destination from you until you click. If you see this in an email, you should be immediately suspicious. The target is actually http://www.google.com/search?q=phishing, a link to a Google search about phishing.
Keys to avoiding falling for a phishing attack:
- Your financial institution will not ask for your information over email. If you really, really think it’s valid, manually type in your bank’s URL in a browser. Don’t follow the link from an email.
- Look for tell-tale signs of fake emails: typos, bad grammar, stretched logos, etc.
- If you don’t expect the message, don’t click the link.
- If your friend sends you a link unexpectedly, call them to verify they sent it.
- If your bank sends you a suspicious email, call them to verify it.
- Always err on the side of caution.
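The two checks above (where does the link really go, and is the real domain the bank's) can be written down. The following is an added example, not code from the original post; the URLs in it are constructed, and the two-label domain rule and the shortener list are simplifications chosen for illustration.

```python
from urllib.parse import urlsplit

# Added example with constructed URLs; not part of the original post.

# Assumption: a handful of well-known link shorteners, for illustration only.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}


def registrable_domain(host: str) -> str:
    """The part of a hostname the attacker had to register: the last two labels.

    'secure.wellsfargo.a336fb.com' -> 'a336fb.com'. Everything to the left of
    that is a subdomain the domain owner can name however he likes.
    Simplification: two labels is wrong for suffixes such as 'co.uk';
    production code should consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_target(url: str) -> str:
    """Hostname the browser will actually connect to.

    urlsplit() already discards the 'user@' part, so the classic trick
    http://secure.wellsfargo.com@evil.example/ resolves to evil.example.
    """
    return (urlsplit(url).hostname or "").lower()


def why_suspicious(url: str, expected_domain: str):
    """Return a reason the link should not be trusted, or None if it goes where it claims."""
    host = link_target(url)
    if not host:
        return "no host in link"
    domain = registrable_domain(host)
    if domain in SHORTENERS:
        return "shortened link hides its destination; expand it before judging it"
    if domain != expected_domain.lower():
        return f"host is {host}, registered under {domain}, not {expected_domain}"
    if urlsplit(url).scheme != "https":
        return "login page not served over https"
    return None


if __name__ == "__main__":
    for link in ["https://secure.wellsfargo.com/login",
                 "http://secure.wellsfargo.a336fb.com/login",
                 "http://secure.wellsfargo.com@evil.example/login",
                 "http://bit.ly/abc123"]:
        print(link, "->", why_suspicious(link, "wellsfargo.com") or "ok")
```

The order of the checks matters: a shortened link is rejected before its domain is compared, because the shortener's domain tells you nothing about where you will end up.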
Fraud.org: Avoid getting hooked by phishing
Wikipedia: Social Engineering
Situations in which an online service such as LinkedIn is compromised are rare. In these situations you have little control. However, some LinkedIn users were at little to no risk, because they used long, random passwords that the crackers never managed to guess.
Which brings us to…
Do you use any of these passwords? 123456, password, qwerty, football? You might as well not have a password. Weak and common passwords are the simplest to hack. Hackers maintain lists of millions of common and previously leaked passwords, and when handed a stolen list of password hashes, these are cracked in seconds.
Generating a Strong Password
The key to understanding password strength is to know how a stolen password list is attacked. A well-run service does not store your password itself but a hash of it, a one-way scrambling that cannot be reversed. A hacker who steals the list cannot "decrypt" it; he has to guess a candidate password, hash it and see whether the result matches, billions of times over. The longer a password is and the more variety it has (special characters, numbers, letters, mixed case), the more guesses it takes. A properly randomized password behind a proper password hash would take a computer hundreds of years to guess, which makes it effectively impossible to steal this way. You can't control how your providers store passwords, but you can control your password.
Keys to a strong password:
- Use at least 12 characters. Eight used to be the standard minimum, but a random 8-character password is within reach of today's cracking hardware, and every extra character multiplies the work.
- Use a mix of case, numbers, letters and special characters
- Don't include your name, your kids' names, your dog's name or any other personal information in the password. If a hacker knows your birth year is in the password, he has effectively reduced the password by four characters, because those four no longer need to be guessed.
- Don’t include the website name in the password. Some of the first LinkedIn passwords cracked included LinkedIn, l1nked1n, l!nk3d!n or other variations in the password.
- Don’t repeat passwords across multiple accounts. If one account is compromised so are others with that password.
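What the "advanced script" from the Facebook example and the LinkedIn crackers actually do looks like this. It is an added example, not code from the original post: the leaked hashes, the profile data and the short common-password list are constructed, and unsalted SHA-1 is assumed for the stolen list purely to keep the illustration simple.

```python
import hashlib
import itertools

# Added example; not from the original post. Assumption for illustration:
# the stolen list holds unsalted SHA-1 hashes. A hash is not decrypted; the
# cracker guesses a candidate, hashes it and looks for a match in the list.


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the multi-million-entry lists real crackers use.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "football", "letmein", "abc123"]

# "Leet" substitutions applied to every word; each letter maps to the forms it may take.
SUBSTITUTIONS = {"a": "a4@", "e": "e3", "i": "i1!", "o": "o0", "s": "s5$"}


def leet_variants(word: str):
    """Every combination of the substitutions: linkedin -> l1nked1n, l!nk3d!n, ..."""
    options = [SUBSTITUTIONS.get(ch, ch) for ch in word.lower()]
    for combo in itertools.product(*options):
        yield "".join(combo)


def personal_info_candidates(names, years):
    """Names and years harvested from a profile, combined the ways people really do."""
    for name, year in itertools.product(names, years):
        yy = str(year)[-2:]
        for n in {name.lower(), name.capitalize()}:
            yield from (n, f"{n}{year}", f"{year}{n}", f"{n}{yy}", f"{n}{year}!")


def site_name_candidates(site: str):
    """The site's own name, leet-ified, capitalised and with the usual suffixes."""
    for v in leet_variants(site):
        yield from (v, v.capitalize(), v + "1", v + "!")


def crack(leaked_hashes, candidates):
    """Map each leaked hash that some candidate produces to that candidate."""
    targets = set(leaked_hashes)
    found = {}
    for guess in candidates:
        h = sha1_hex(guess)
        if h in targets and h not in found:
            found[h] = guess
            if len(found) == len(targets):
                break
    return found


def demo():
    """Constructed leak: four guessable passwords and one random one."""
    leaked = {label: sha1_hex(pw) for label, pw in {
        "common": "123456",
        "personal": "Jacob1972",
        "site": "l1nked1n",
        "site_leet": "l!nk3d!n",
        "random": "xT7#pQ9vL2mZ&w",
    }.items()}
    profile = {"names": ["Jacob", "Emma", "Rex"], "years": [1972, 2004]}  # constructed
    candidates = itertools.chain(
        COMMON_PASSWORDS,
        personal_info_candidates(profile["names"], profile["years"]),
        site_name_candidates("LinkedIn"),
    )
    found = crack(leaked.values(), candidates)
    return {label: found.get(h) for label, h in leaked.items()}


if __name__ == "__main__":
    for label, plaintext in demo().items():
        print(f"{label:10} {plaintext or 'not cracked'}")
```

Only a few hundred guesses are needed here, and four of the five hashes fall; the random 14-character password is never produced by any of the generators, which is the whole point of the list above.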
Keeping Track of Your Strong Passwords
The problem with strong passwords is that they are hard to remember. If you maintain separate passwords for all your accounts, they are near impossible to recall on demand.
You can use long passwords made of real words, such as correct horse battery staple, which are very difficult to crack and may be easier to remember. The catch is that the words must be picked at random from a large list (dice or a generator, not your own head): a line from a song, a quotation or a sentence you would actually say is already on the crackers' lists.
You can also download an app like 1Password that stores all of your passwords in a local encrypted file. Use a single very strong password to protect the app and you're good to go. It's definitely more inconvenient to look up passwords every time you need one, but it's more secure than repeated or derivative passwords. You'll find your more commonly entered passwords stick in your brain too. Most of these apps will automatically back up a copy to online storage like Dropbox in case you lose your phone; that backup is only as safe as the single master password protecting it, so make that one count.
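How much a random passphrase or password is worth, in guesses, can be computed rather than guessed. The following is an added example, not from the original post: the word list is a constructed stand-in for a real published list, and the guessing rate of ten billion per second is an assumed round figure for a fast, unsalted hash on cracking hardware.

```python
import math
import secrets

# Added example; not from the original post. WORDS is a constructed stand-in:
# a real generator draws from a published list of thousands of words (the EFF
# long list has 7776), and the list size is what sets the entropy.
WORDS = ["correct", "horse", "battery", "staple", "anchor", "velvet", "granite", "meadow",
         "copper", "lantern", "pepper", "tundra", "walnut", "zephyr", "falcon", "orbit"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_passphrase(words, n_words=4, rng=secrets):
    """Pick n_words uniformly at random, with replacement, using a CSPRNG."""
    return " ".join(rng.choice(words) for _ in range(n_words))


def entropy_bits(list_size: int, n_words: int) -> float:
    """A passphrase of n random words from a list of list_size entries."""
    return n_words * math.log2(list_size)


def password_bits(charset_size: int, length: int) -> float:
    """A random password of `length` characters drawn from `charset_size` symbols."""
    return length * math.log2(charset_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst case for the attacker: trying every possibility.

    1e10 guesses/s is an ASSUMED round figure for a fast unsalted hash on
    dedicated hardware. A slow, salted hash such as bcrypt cuts that rate by
    several orders of magnitude, which is why storage matters as much as length.
    """
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(WORDS))
    for label, bits in [
        ("8 random lowercase letters", password_bits(26, 8)),
        ("12 random printable ASCII", password_bits(95, 12)),
        ("4 words from a 7776-word list", entropy_bits(7776, 4)),
        ("6 words from a 7776-word list", entropy_bits(7776, 6)),
    ]:
        print(f"{label:32} {bits:5.1f} bits  {years_to_exhaust(bits):12.3g} years")
```

At the assumed rate, eight random lowercase letters last about 20 seconds, four random words from a 7776-word list about four days, six words roughly 700,000 years and 12 random printable characters about 1.7 million years. So "correct horse battery staple" is fine against a website that rate-limits login attempts, but if you are worried about an offline attack on a stolen list, reach for six words rather than four.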
Wikipedia: Password Strength
I hope this information inspires and empowers you to take control over your online security. Do you have any of your own advice or stories you’d like to share? Leave a comment below.
Tags: Better Homes and Gardens Real Estate Metro Brokers, Eddie Krebs, eHarmony, Facebook, georgia, hackers, last.fm, LinkedIn, passwords, phishing, scams, social networks, stolen password, success, Tips, Twitter, virus