You’ve probably seen in the news last week that there was a report of a very large breach of web usernames and passwords. Everyone from The Washington Post to ABC News to the New York Times has been covering the breach. While all of the major news outlets have stories about it, I wanted to share my thoughts and give some easy tips regarding what we can do about it:
First, it’s unclear how much hype is involved here since the company that issued the press release, Hold Security, sells security services to detect and protect against this kind of thing.
Oddly enough, the initial information came out in late February as part of a CIO article. That said, it’s Security Week in Las Vegas with Blackhat, BsidesLV, and DEFCON (I’m heading there tomorrow), so the attention to such an instance is focused, to say the least.
In any case, it’s a good time to review your web account security. I assume that you have been following my rules for web accounts, but just in case, here is a reminder:
- Always have a unique password for each web account — this is the most critical thing, because that way the breach of a single website does not expose all of your other accounts. This matters most for important sites like your financial accounts, your online games, etc.
- Never use a password that can be found via social engineering (partner’s name, city you were born in, your child’s name, etc). For an example of what can go wrong, see the Sarah Palin email hack.
- The longer the password the better. 8 characters is too short; I use 20 to 32 characters. Nowadays it is very easy to use brute force to crack 8-character passwords. There are even services hosted on Amazon to crack passwords (of course, only for security professionals ☺).
- A random password is best. All but 3 of mine are completely random and I don’t know any of them… which leads me to…
- Use a password vault of some sort (but not the one in the browser). There are plenty of good ones out there: Dashlane (probably the most user friendly), LastPass (good security options), KeePass (open source, for the paranoid), and others. They all have their plusses and minuses. I am currently using Dashlane, but have used all of them.
If you don’t fully trust the password vault (I applaud you for your complete lack of trust ☺), then you can have a two-part password, store part in the vault and keep the other part in your head (I have not gotten to this point, but I’m sure I will soon).
- Use two-factor for authentication and password reset when it is available. Most financial and online game sites now support this. I use two-factor for every site that supports it.
- Use Pwnedlist for tracking if your web account usernames have been involved in web breaches. It’s free and not like the current service that Hold Security is offering (where they ask you to enter your password). And it goes without saying, if you are visiting sites that you don’t want others to know about, use a different email address and access the site via VPN.
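The length and randomness rules above can be checked with a little arithmetic. The following is an added example, not code from the original article: it generates a random password with Python's `secrets` module and compares the search space for 8, 20 and 32 characters. The 94-character alphabet and the rate of 10^11 guesses per second are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumption: the site accepts all 94 printable ASCII letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Assumption: an offline attacker testing 10^11 candidates per second (illustrative figure).
ASSUMED_GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length=24, alphabet=ALPHABET):
    """Return `length` characters drawn uniformly from `alphabet` via the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be at least 1")
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet contains duplicates, so the draw would be biased")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, alphabet_size=len(ALPHABET),
                     guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Years needed to try every possible password at a constant guess rate."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for n in (8, 20, 32):  # the lengths mentioned in the article
        print(f"{n:>2} chars: {entropy_bits(n):6.1f} bits, "
              f"{years_to_exhaust(n):.3g} years to exhaust")
    print("sample 24-character password:", generate_password())
```

These figures hold only for passwords generated at random; a human-chosen password of the same length has far less entropy than the value computed here.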
Stay safe out there!
This article originally appeared in Business2Community.