Your Password Sucks


In the news this morning was word that Evernote’s user database was infiltrated by hackers. Usernames, encrypted passwords and other personal information were compromised – although payment information appears to be unharmed.

Last summer (June 2012) a similar breach happened at the networking site LinkedIn, where 6.5 million encrypted passwords were stolen. Combine both of these data breaches with ongoing evidence that most web users do not take password security seriously enough, and this will only lead to further problems.

What most people don’t understand about the LinkedIn data breach is that 6.5 million encrypted passwords were stolen, and most of those 6.5 million passwords were decrypted in the days immediately following the breach. A similar decryption of Evernote’s data is bound to happen as well – if it hasn’t been done already. That is over 6.5 million passwords that can never be used again. Most users do not understand why, but they should.

The web will always be alive with a nefarious element; it simply isn’t a winnable battle. One vector of attack is brute force attacks on usernames and passwords. Before the LinkedIn breach, hackers used dictionary lists and random character generators to run through billions of combinations to attack a single username – a processor-intensive act to be sure, but very much doable with today’s computing power. After the LinkedIn passwords were decrypted, 6.5 million known and in-use passwords were added to those dictionary lists, making once highly secure passwords as common as using “password” for your password.

How can you protect yourself?

1. Use a password managing application and routinely generate very long alphanumeric strings with special characters. I’ve used 1Password for years and would recommend it to everyone. It will manage your passwords, will generate secure passwords, and provides a security step against phishing attempts with domain matching.

2. Never reuse a password. Many folks reuse passwords across different sites. I’m guilty of it in the past. I know you are too. Stop it. If you have one you currently reuse, see whether it has been decrypted by visiting LeakedIn, which has a search function against LinkedIn’s decrypted password data breach.

3. Routinely change your passwords. I change my passwords to my most sensitive accounts every 45 days. My less sensitive accounts every 6 months to a year.

4. If you have an account that supports Two Factor Authentication, use it. If you are using a Google account, this is a no-brainer, and more and more sites are using Google’s implementation.

5. The most drastic option, get off the web, move to the hills and shun technology.
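As an added example (not code from this post, from 1Password or from LeakedIn), here is a small Python script that does locally what items 1 and 2 ask for: it checks a candidate against a constructed stand-in for a cracked-password list, finds passwords reused across a sample vault, and generates a long random password the way a manager would. The assumption that breach lists circulate as unsalted SHA-1 hashes is made only for this example.

```python
import hashlib
import math
import secrets
import string

# Constructed stand-in for a cracked-password list. Breach dumps are often
# circulated as unsalted SHA-1 hashes (an assumption about format made for
# this example), so the check hashes the candidate the same way.
BREACHED_PLAINTEXTS = ["password", "linkedin", "Summer2012!", "qwerty123"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest()
                 for p in BREACHED_PLAINTEXTS}

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def is_breached(candidate: str, breached=BREACHED_SHA1) -> bool:
    """True if the candidate appears in the cracked-password set."""
    return hashlib.sha1(candidate.encode("utf-8")).hexdigest() in breached


def find_reused(vault: dict) -> dict:
    """Map each password used on more than one site to those sites."""
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in sites_by_password.items()
            if len(sites) > 1}


def generate_password(length: int = 32, alphabet: str = ALPHABET) -> str:
    """Random password from the OS CSPRNG, as a password manager generates."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guess_space_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Size of the search space a brute-force attacker faces, in bits."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    # Constructed sample vault: one reused, breached password and one fresh one.
    vault = {"mail": "Summer2012!", "bank": "Summer2012!",
             "forum": generate_password()}
    for site, pw in vault.items():
        print(f"{site}: {'BREACHED' if is_breached(pw) else 'not in list'}")
    print("reused:", find_reused(vault))
    print(f"32-char random password: ~{guess_space_bits(32):.0f} bits")
```

A real check would run against a list of millions of hashes, but the logic is the same: a reused password that appears in such a list is found instantly, while a long random one is not.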

Image Credit: Campbell X