It was a bit of a strange situation. Journalist Stuart Sumner and a Canadian hacker were simultaneously logged into Sumner's Hotmail account. As the hacker sent out requests for money to the journalist's contact list, Sumner feverishly worked to countermand the phony appeals by sending out his own messages.
As he relates in his account of the experience, "It was scary, intrusive and violating. And in hindsight, sort of funny." The pecuniary damage suffered by the UK journalist ended up being relatively minor, but if the hacker had been more intrusive, the episode could have been much less humorous.
In the blog post, Sumner goes on to relate that the extent of the hacker's attack was enabled by lax password security. In other words, he was the kind of web user that hackers love to come across. In order to help you avoid that same fate, here's some password protection basics that malicious internet attackers would rather you not know:
PASSWORDS TO AVOID
It's hard to remember passwords, especially when you're registered on multiple sites. That is probably the reason that so many of the users in the recent Gawker Hacking fiasco chose easy to remember (and easy to guess) passwords instead of longer, more complicated character strings. The top password amongst this hacked bunch? "123456". And close behind it were "1234567," as well as the not so clever phrase "password." Though it's an inconvenience to forget your password, you're still better off avoiding the following:
- Passwords of 7 characters or less
- Passwords consisting of only uppercase or only lowercase letters
- Passwords with no special symbols randomly inserted
- Anything chosen from Tom's Hardware's list of common passwords
PASSWORDS TO CHOOSE
Here are some good rules of thumb for choosing a secure password:
Instead of just using a word, use a sentence as a password. Replace some of the letters with numbers for increased protection.
Make your password more complex by adding twists to it. For example, capitalize all the letters that also occur in your name.
Sprinkle punctuation or symbols (especially foreign symbols) throughout your password.
Create different levels of passwords. For logging into sites such as forums where no sensitive information is stored, feel free to use an easy, non-complex password. Who cares if it's hacked? On the other hand, for financial institutions or blog accounts, make every user name and every password different. That way, even if one account is hacked, the rest of your accounts are safe. Never use the same password on more than one "high-level" site.
- Implement a rule based password creation system, like the one recommended by LifeHacker (never mind that they didn't follow their own advice, evidenced by their vulnerability in the above mentioned Gawker break-in!). Using this type of system can help overcome the difficulties of remembering complex passwords.
PASSWORD PROTECTION TOOLS
Still feeling worried about your passwords? There's extra help available, both in remembering and securing your passcodes:
- Random Password Generator - Want to make your password as uncrackable as possible? Try out the GRC Ultra High Security Password Generator. The page will randomly generate (or as the site's author notes, "pseudo-randomly") a 63 or 64 string password each time the page is loaded. Considering that a brute force attempt to unearth your password takes longer and longer to accomplish the more characters you include, a 7-letter password compared to a 64-letter password is the difference between minutes and days.
- Password Database - Let's face it. These ultra-long passwords are impossible for the average computer user to remember. That's where programs like KeePass and RoboForm come in handy. Both programs provide password storage and encryption so that you can easily remember and (most importantly) actually use your strong passwords without filling a file folder with sticky notes.
- Secure USB Flash Drives: Built to military specifications, containing incredibly secure cryptographic technology and set to internally self-destruct if improperly tampered with, the IronKey Personal is an extremely cool gadget. Packed with lots of nifty features, the drive provides extra security by storing passwords and auto-filling forms using its built in identity manager. But if you don't need to feel like James Bond (or don't want to pay the price: $79 USD), then you can also check out the MyKey Mobile Password Key. While it won't destroy itself if tampered with, the MyKey also allows you store all your passwords in an "off-computer" location and use an auto-fill function to input those extremely secure passwords you've created. (Plus, it's much cheaper at only $18 USD.)
And there you have it. This list of tips and tools, if properly implemented, will help to impede the outlaws of the internet from unfettered access to your personal data. And hopefully you'll never have that Twilight Zone-esque experience of watching a hacker try to exploit your contact list to make some extra cash.
Ever had the experience of being hacked? How did you deal with it? Share your story in our comments section below.