It really hasn’t been a good week for passwords, has it? LinkedIn, Last.fm and eHarmony suffered security breaches that resulted in millions of passwords being compromised. Ouch! First and foremost, before you read on, change your password if you haven’t already.
CIOs and IT admins immediately advised employees to change their LinkedIn passwords, particularly those with corporate accounts, but I wonder how many employees were also told to change other online, social and email passwords as well. I also wonder how many users who don’t read the tech press are aware of what happened, let alone took steps to change their passwords.
With the proliferation of social networking sites, both for business and personal users, many users are deploying the same passwords across multiple sites and services, including their webmail services. Such an approach places online profiles and sensitive data at risk of theft or abuse by third parties, should one or more services suffer a login data breach. Users have become comfortable with creating passwords for everything they do online, so much so that they often forget to pay attention to the type of password they choose or its complexity.
In light of the password breaches this week, here are a few tips (and a reminder) to keep in mind when creating and changing passwords:
- Change your passwords regularly
Changing passwords regularly is highly recommended; preferably at least once a month. In an office environment it is often the case that users cannot re-use a password if it has been used once in the previous 12 months. Although this may be too much for a home user, changing your passwords every so often will help to keep you safe online.
- Do not use the same password on every site
Avoid using the same password for every single website or subscription. If you have a problem remembering all of them, write them down and keep the document in a safe place, not in everyday public view. Security experts do not recommend writing down passwords but it’s a better option than having one password for everything. Do not save the document on your computer with an easy filename such as ‘password list’ or stick a yellow note under your laptop with your login password (and yes, people do that).
- When you re-use passwords, at least use a different password for your email account
Many Internet users are tempted to use the same password for all logins. As a minimum, users should have a password for their email account that is separate from all others. Your email account holds much of the information an intruder would need to break into your other accounts, since many web sites and services use a person’s email address as the login username. Passwords for your banking services – including sites such as PayPal – and for sites where your credit card number is on file should also be unique. If you use the same password for many sites and one is compromised, you are most vulnerable on the sites where an intruder could actually steal money or order merchandise and charge it to you.
- Use passwords with a secure length and construction
A good password is at minimum seven characters long and contains letters, numbers and non-alphanumeric characters such as “&” and “%”. Avoid using common names or simple passwords such as ‘1’ or ‘abc’ – the simpler the password, the easier it is to crack. To create a secure password that is still easy to remember, you might consider using a phrase, with words linked by non-alphanumerics. An example would be “My%dog%spot%likes%treats.” Substituting a zero for the letter “o” is another trick: “My%d0g%sp0t%likes%treats.” Choosing a pattern of keys on the keyboard rather than words is another possibility, for example “zaq12wsx”. Such patterns should be easy for you to remember, but not as simple or as obvious as “123qweasd”.
- Avoid logging into sensitive websites such as banking or PayPal over public networks
Do pay particular attention when accessing sites over public networks. Malicious operators can capture traffic on a network in a public place and steal data such as login information. If you must connect to the internet from a public machine or over an open Wi-Fi network, always log out and do not click ‘OK’ if asked whether you want the browser to remember your login information. Always clear the cache, browser history and temporary files when you have finished. That will remove some traces of your activity from prying eyes.
Relying on this advice alone will not guarantee full protection against a data theft or hacking attack, but in conjunction with general best practice will help to reduce risk considerably. Remember, you should generally only access websites, software and services you trust, and should also ensure the computer you access from is as secure as possible by installing all critical software patches, using a firewall and running up-to-date antivirus software.