The Way We Work
March 7, 2011 by Julia Camenisch

It was a bit of a strange situation.  Journalist Stuart Sumner and a Canadian hacker were simultaneously logged into Sumner's Hotmail account. As the hacker sent out requests for money to the journalist's contact list, Sumner feverishly worked to countermand the phony appeals by sending out his own messages.

As he relates in his account of the experience, "It was scary, intrusive and violating. And in hindsight, sort of funny." The pecuniary damage suffered by the UK journalist ended up being relatively minor, but if the hacker had been more intrusive, the episode could have been much less humorous.

In the blog post, Sumner goes on to relate that the extent of the hacker's attack was enabled by lax password security. In other words, he was the kind of web user that hackers love to come across. To help you avoid that same fate, here are some password-protection basics that malicious internet attackers would rather you not know:

PASSWORDS TO AVOID

It's hard to remember passwords, especially when you're registered on multiple sites. That is probably the reason that so many of the users in the recent Gawker hacking fiasco chose easy-to-remember (and easy-to-guess) passwords instead of longer, more complicated character strings. The top password amongst this hacked bunch? "123456". Close behind it were "1234567," as well as the not-so-clever phrase "password." Though it's an inconvenience to forget your password, you're still better off avoiding the following:

  • Passwords of 7 characters or less
  • Passwords consisting of only uppercase or only lowercase letters
  • Passwords with no special symbols randomly inserted
  • Anything chosen from Tom's Hardware's list of common passwords
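The four rules in the list above can be turned into a simple check. The following is an added example, not code from the original post; the common-password list it uses is a constructed sample seeded with the three Gawker entries the article mentions, standing in for the Tom's Hardware list, and the rule names are my own labels.

```python
import string

# Constructed sample of a "common passwords" list. The article points to
# Tom's Hardware's list; here only the Gawker top entries it quotes plus a few
# assumed fillers are included so the example runs offline.
COMMON_PASSWORDS = {"123456", "1234567", "password", "qwerty", "abc123", "letmein"}

SPECIAL_SYMBOLS = set(string.punctuation)


def password_problems(pw: str, common=COMMON_PASSWORDS) -> list:
    """Return the rules from the 'passwords to avoid' list that pw breaks.

    An empty list means the candidate clears all four rules.
    """
    problems = []

    # Rule 1: 7 characters or less.
    if len(pw) <= 7:
        problems.append("7 characters or less")

    # Rule 2: nothing but letters, and all of them in one case.
    if pw.isalpha() and (pw.isupper() or pw.islower()):
        problems.append("only uppercase or only lowercase letters")

    # Rule 3: no special symbols anywhere in the string.
    if not any(c in SPECIAL_SYMBOLS for c in pw):
        problems.append("no special symbols")

    # Rule 4: appears on a list of common passwords (case-insensitive lookup).
    if pw.lower() in common:
        problems.append("on a common-password list")

    return problems


def is_acceptable(pw: str) -> bool:
    """True when the candidate breaks none of the article's rules."""
    return not password_problems(pw)


if __name__ == "__main__":
    for candidate in ("123456", "password", "Correct-Horse_Battery9"):
        print(candidate, "->", password_problems(candidate) or "ok")
```

Note that the rules are deliberately loose: a candidate that clears all four can still be weak (a single dictionary word with one exclamation mark passes), so treat the check as a floor, not as a strength meter.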

PASSWORDS TO CHOOSE

Here are some good rules of thumb for choosing a secure password:

  • Instead of just using a word, use a sentence as a password. Replace some of the letters with numbers for increased protection.

  • Make your password more complex by adding twists to it. For example, capitalize all the letters that also occur in your name.

  • Sprinkle punctuation or symbols (especially foreign symbols) throughout your password.

  • Create different levels of passwords. For logging into sites such as forums where no sensitive information is stored, feel free to use an easy, non-complex password. Who cares if it's hacked? On the other hand, for financial institutions or blog accounts, make every user name and every password different. That way, even if one account is hacked, the rest of your accounts are safe. Never use the same password on more than one "high-level" site.

  • Implement a rule-based password creation system, like the one recommended by LifeHacker (never mind that they didn't follow their own advice, as evidenced by their vulnerability in the above-mentioned Gawker break-in!). Using this type of system can help overcome the difficulty of remembering complex passwords.

PASSWORD PROTECTION TOOLS

Still feeling worried about your passwords? There's extra help available, both in remembering and securing your passcodes:

  • Random Password Generator - Want to make your password as uncrackable as possible? Try out the GRC Ultra High Security Password Generator. The page will randomly generate (or, as the site's author notes, "pseudo-randomly") a 63- or 64-character password each time the page is loaded. Considering that a brute-force attempt to unearth your password takes longer and longer to accomplish the more characters you include, a 7-letter password compared to a 64-letter password is the difference between minutes and days.
  • Password Database - Let's face it. These ultra-long passwords are impossible for the average computer user to remember. That's where programs like KeePass and RoboForm come in handy. Both programs provide password storage and encryption so that you can easily remember and (most importantly) actually use your strong passwords without filling a file folder with sticky notes.
  • Secure USB Flash Drives: Built to military specifications, containing incredibly secure cryptographic technology and set to internally self-destruct if improperly tampered with, the IronKey Personal is an extremely cool gadget. Packed with lots of nifty features, the drive provides extra security by storing passwords and auto-filling forms using its built-in identity manager. But if you don't need to feel like James Bond (or don't want to pay the price: $79 USD), then you can also check out the MyKey Mobile Password Key. While it won't destroy itself if tampered with, the MyKey also allows you to store all your passwords in an "off-computer" location and use an auto-fill function to input those extremely secure passwords you've created. (Plus, it's much cheaper at only $18 USD.)
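The brute-force point in the generator entry above comes down to keyspace size: the number of guesses an attacker must try grows as the alphabet size raised to the password length. The following added example (not code from the original post or from GRC) computes that keyspace and the time to exhaust it at an assumed guess rate; the 95-character printable-ASCII alphabet and the guess rate are assumptions, and the exhaust time is an upper bound, since a real guesser that started with common passwords would finish a weak one far sooner.

```python
import math

# Assumed alphabet sizes (lowercase only, and full printable ASCII).
LOWERCASE_ONLY = 26
PRINTABLE_ASCII = 95


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case seconds to try every candidate at the given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def describe_duration(seconds: float) -> str:
    """Human-readable duration, switching units as the value grows."""
    units = (("seconds", 60), ("minutes", 60), ("hours", 24), ("days", 365.25), ("years", None))
    value = seconds
    for name, factor in units:
        if factor is None or value < factor:
            return f"{value:.3g} {name}"
        value /= factor
    return f"{value:.3g} years"  # unreachable, kept for clarity


def compare(length_short: int, length_long: int, guesses_per_second: float) -> dict:
    """Keyspace and exhaust time for a short lowercase password and a long
    printable-ASCII one, as a dict keyed by a short label."""
    return {
        "short": {
            "length": length_short,
            "bits": entropy_bits(LOWERCASE_ONLY, length_short),
            "time": describe_duration(seconds_to_exhaust(LOWERCASE_ONLY, length_short, guesses_per_second)),
        },
        "long": {
            "length": length_long,
            "bits": entropy_bits(PRINTABLE_ASCII, length_long),
            "time": describe_duration(seconds_to_exhaust(PRINTABLE_ASCII, length_long, guesses_per_second)),
        },
    }


if __name__ == "__main__":
    # Assumed rate: one billion guesses per second, a round number for an
    # offline attack against a fast hash; real figures depend on the hash.
    for label, row in compare(7, 64, 1e9).items():
        print(f"{label}: {row['length']} chars, {row['bits']:.1f} bits, exhaust in {row['time']}")
```

The numbers make the generator's argument concrete: each added character multiplies the work by the alphabet size, so length is the lever that matters most, and an unguessable 64-character string is only practical if a password manager remembers it for you.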

And there you have it. This list of tips and tools, if properly implemented, will help to impede the outlaws of the internet from unfettered access to your personal data. And hopefully you'll never have that Twilight Zone-esque experience of watching a hacker try to exploit your contact list to make some extra cash.

Ever had the experience of being hacked? How did you deal with it? Share your story in our comments section below.


Julia Camenisch

Contributing Author

Julia Camenisch is a freelance technology and business journalist. She also works as an editor and copywriter for a wide range of clients, including national magazines, small businesses and nonprofit organizations. Julia brings to oDesk a passion for empowering small businesses through the innovative use of technology.

  • http://www.techrealms.net Edward Franklin

    Great Post! Been looking for ways to secure my passwords for a while now. I suffer from schizophrenia when it comes to data and social media security.

  • Julia

    Thanks for the heads up on LastPass. I'll have to keep it in mind for future posts on password security.

  • http://planet.tinywp.com Pothi

    +1 for LastPass. I've been using it for about 2 years and there is no turning back.

  • Andre O. Brown

    LastPass is a very useful and secure tool for both generating and managing passwords. It's free for use with all major browsers, and also has a premium but affordable version for mobiles. I find it indispensable.

    http://lastpass.com/

    And for those of you who are concerned about the security of storing your passwords with a service, have a listen to this podcast:

    http://twit.tv/sn256

    That podcast is hosted by Leo Laporte and Steve Gibson (the same guy who created the GRC password generator recommended in the article above).