Change your passwords

13 Jun 2012

I’ve written this post for the non-technical people I do “tech support” for.

Do you use the same password on different websites? Or the same password with slight variations (for example secret-abc on website abc.com and secret-xyz on website xyz.com)? Or do you make your password “secure” (it’s not) by changing one of the letters for a number or symbol (eg secret becomes s3cret, password becomes p@ssword)?

Well, you should change all your passwords right now! None of these methods are secure.

Why not? Hackers (crackers) are regularly breaking into public websites (recently LinkedIn, Last.Fm, Sony, Facebook) and stealing the encrypted password database. Unfortunately, due to computers getting faster and programming errors, hackers can easily “reverse engineer” these passwords, especially if you’ve used a word that appears in a dictionary (any dictionary - English, a foreign language, a slang word).

Well why is that a problem? Let’s imagine you are Fred Smith and you have a username/password fredsmith and s3cret on a website. A hacker breaks into this website and steals all the encrypted passwords. After about 6 hours they’ve cracked your password as it’s based on a dictionary word. The hacker will then automatically try this username/password (and variations) against lots of other websites. Your username/password on Facebook is fsmith and s3cret - account stolen. Your username/password on Hotmail is fredsmith and secret! - account stolen. Etc, etc.

So what do I do?

Two steps:

  1. use good passwords generated by a password generator or tool

  2. store your passwords in some sort of “password vault”, and protect that vault really well

Using a password generator

Generating good passwords is hard - you need to make sure they contain upper and lower case letters, numbers, and symbols, and are long. But you want them to be easy to remember. You can take the first letters of a song or saying and convert it into a password (for example Sydney rains all the time I’m tired of getting wet becomes SrattItogw). But that’s hard work too - all those different websites to generate passwords for!

So don’t - use a password generation tool instead - for example Strong Password Generator [1]. Or Google for Password Generator. Don’t use sites like this one that ask for the site name too - duh!
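For the technically minded, here is an added example (not part of the original post, and not any particular tool’s code) of what a local password generator does: it draws every character from the operating system’s secure random source and guarantees that the four character classes mentioned above all appear. The class names and the set of symbols are my own choices.

```python
import secrets
import string

# Character classes a good password should draw from (assumption: the four
# classes the post lists - upper case, lower case, numbers, symbols).
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    # Constructed symbol set; quotes and backslash left out so the result
    # pastes cleanly into most web forms.
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}


def generate_password(length: int = 16) -> str:
    """Return a random password of `length` characters containing at least
    one character from every class in CLASSES.

    `secrets` is a cryptographically secure generator; `random` is not and
    must not be used for passwords.
    """
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    # One guaranteed character per class, then fill up from all classes.
    chars = [secrets.choice(alphabet) for alphabet in CLASSES.values()]
    everything = "".join(CLASSES.values())
    chars += [secrets.choice(everything) for _ in range(length - len(chars))]
    # Shuffle (Fisher-Yates) using the same secure source, so the guaranteed
    # characters do not always sit in the first four positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def missing_classes(password: str) -> list:
    """Names of the classes `password` lacks (an empty list means all present)."""
    return [name for name, alphabet in CLASSES.items()
            if not any(c in alphabet for c in password)]


if __name__ == "__main__":
    for _ in range(3):
        print(generate_password(20))
```

Note that `missing_classes` only checks character mix; a dictionary word with one substituted letter (s3cret) still fails it, which is the point the post makes.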

Using a Password Vault

Remembering all these passwords like iI&[-7;F&3@}$4R and T”7c3+-,t,3}}P@ is hard too!

So don’t - use a password vault like Lastpass (and install it as a plugin in your browser: Chrome ($free), Firefox ($free), Internet Explorer ($costs)). Make sure your password vault is backed up and use a really strong password for your vault. And even better, install Google Authenticator on your phone (Android, iPhone) and use it to protect your LastPass vault.

PS

  • [1] ideally you would install a password generator tool on your laptop, but a website is better than nothing

  • LastPass has a tool called “Security Check” – it will check all your passwords, look for duplicates, weak passwords, etc. Great!
