Is no password hacker-proof anymore?
Researchers at cybersecurity firm Trustwave said this week they found a stash of about two million passwords to major sites, including Facebook (FB), Twitter (TWTR), Google (GOOG) and Yahoo (which operates Yahoo Finance).
The database included stolen credentials for some 320,000 email accounts, 318,000 Facebook accounts, 21,000 Twitter accounts, nearly 60,000 Yahoo accounts, more than 8,000 LinkedIn accounts and 70,000 Gmail, Google+ and YouTube accounts, Trustwave said. Two Russian social-networking sites, vk.com and odnoklassniki.ru, were also targeted, as were 8,000 accounts at ADP, the payroll service provider, according to Trustwave.
"We don't have evidence they logged into these accounts, but they probably did," John Miller, a security research manager at Trustwave, told CNNMoney.
You have ‘terrible’ passwords
Trustwave’s researchers combed through the data to analyze users’ password selection habits – and they weren’t impressed. More than 15,000 of the affected users had “123456” as their password, followed by “123456789,” “1234” and “password.”
The firm said only 5% of the passwords were considered “excellent,” meaning they used all four character types (uppercase letters, lowercase letters, numbers and special characters), and 17% were “good.” Passwords of four or fewer characters drawn from only one type are considered “terrible,” and there were more terrible passwords (6%) than excellent ones.
Every year or so, a report comes out highlighting how vulnerable our passwords are to hackers and identity thieves. A different list from 2011, for instance, shows the most common passwords were nearly identical to the ones found in Trustwave’s trove. In short, they’re way too simple.
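To make Trustwave's rubric concrete, here is an added example (not Trustwave's tool or data) that rates passwords by the two criteria the article states: "excellent" means all four character types are present, and "terrible" means four or fewer characters of a single type. The page does not define the "good" tier, so the three-types-and-eight-characters rule below is an assumption, as is the "weak" catch-all. The sample list is constructed for the example and merely echoes the top entries the article names.

```python
import string
from collections import Counter

# Constructed sample, modelled on the passwords the article mentions.
# It is not Trustwave's data.
SAMPLE = [
    "123456", "123456789", "1234", "password", "abcd", "letmein",
    "Tr0ub4dor&3", "correct horse battery staple", "Summer2013",
    "P@ssw0rd", "qwerty", "zzz", "9fH!2kq#Lm8v",
]

# The four most common passwords named in the article.
COMMON = {"123456", "123456789", "1234", "password"}

CHARACTER_TYPES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def character_types(password):
    """Return the set of character types (upper/lower/digit/special) used."""
    return {name for name, chars in CHARACTER_TYPES.items()
            if any(c in chars for c in password)}


def rate(password):
    """Rate a password on Trustwave's scale as the article describes it.

    'excellent' and 'terrible' follow the article; 'good' (three types and
    at least eight characters) and the 'weak' catch-all are assumptions.
    """
    types = len(character_types(password))
    if types == 4:
        return "excellent"
    if len(password) <= 4 and types <= 1:
        return "terrible"
    if types >= 3 and len(password) >= 8:   # assumed definition of "good"
        return "good"
    return "weak"


def summarize(passwords):
    """Return (Counter of ratings, number of passwords on the top-four list)."""
    counts = Counter(rate(p) for p in passwords)
    common = sum(1 for p in passwords if p in COMMON)
    return counts, common


if __name__ == "__main__":
    counts, common = summarize(SAMPLE)
    total = len(SAMPLE)
    for tier in ("excellent", "good", "weak", "terrible"):
        print(f"{tier:>9}: {100 * counts[tier] / total:5.1f}%")
    print(f"on the top-four list: {common} of {total}")
```

Two things the rubric exposes when you run it: "123456" is not "terrible" under the stated rule (it is six characters long), yet it was the single most common password in the dump, and "P@ssw0rd" scores "excellent" despite being a well-known substitution pattern. Character-type counting says nothing about whether a password appears on a cracking wordlist, which is why the top-list check is included alongside the rating.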
We asked Nick Berry, data scientist at Facebook, for guidance on how users should go about creating passwords to their myriad email, social networking, banking and other accounts they want to remain private. “I can confirm from my research that people really are staggeringly unimaginative in their selection of passwords,” says Berry, who founded technology consulting firm Data Genetics and has done extensive research on password security. Check out Berry's TEDx Seattle talk about the subject.
While Berry says there are some things users can’t control, there are plenty of steps you can take to help mitigate any potential damage. Some of these tips may be obvious, while other strategies sound secret-agent-worthy. Berry, who works in a research capacity at Facebook, was unable to comment about this particular incident, but stated: "We have dedicated teams of people who monitor events such as this, and take whatever action they can to help protect the security of our users".
1. Dual factor. The best strategy, if available on the service you use, is to enable dual-factor (more commonly called two-factor) authentication, Berry says. This means you need two things to access the service: a traditional password and something you’re in possession of, such as a smart card, dongle or your smartphone. When you log in to a service that has dual factor, you type in your password and then insert your physical key (or, in the case of your smartphone, you receive a text message with a one-time code). You need both to get access to the site. If your password is stolen, a thief still can’t use the site because they don’t have your phone. “Codes sent to your smartphone are random and change each time used, so even someone looking over your shoulder [who sees] the code will not be able to gain benefit from it to replay it,” he says.
An ATM is a classic example of dual-factor authentication: you need your ATM card and a PIN to access your account. Major sites offer the option as well, including Facebook, Microsoft Outlook, Gmail and Yahoo Mail. Users can opt into a security feature that requires them to enter a code the site sends to their phone when logging on from an unrecognized device.
2. Make it ObsKur3. If dual factor isn’t available, choose a strong, distinct password for each service, Berry says. That way, if any one service is breached, the attacker can’t reuse the same login information to get into your other accounts. If you don’t have a photographic memory, a password manager can keep track of your complex and obscure passwords for you.
3. Write it down. This might seem oddly un-savvy, but Berry says storing written-down passwords in a safe place is a good move. To use a written-down password, a thief needs physical access to the paper, which exists in only one place. Unless you’ve been specifically targeted, most cybercrime is performed remotely by anonymous hackers. “A thief breaking into your house is more interested in your credit cards, iPad, flat-screen TV, prescription drugs than a piece of paper with some hieroglyphics that they have to try and correlate back to some website,” Berry says.
4. Pay extra attention to protecting your main email account with an impenetrable password. “You are only as strong as your weakest link,” Berry says. If you forget the password to your Netflix or Gilt account, those sites will offer an "I forgot my password" link that emails you a reset, so whoever controls your email account can reset the password on every account tied to it.
5. Use fake answers. If you answer those "secret questions," give bogus answers – but ones you’ll remember, of course, Berry says. “Someone trying to social engineer your account can probably pretty easily find out the name of your dog (all your friends know), or your mother’s name, or the school you went to,” he says.
6. Don’t save your password. Some online services let users save their password so they don’t have to keep typing it in every time they want to access it. It’s convenient, but might prove problematic if you lose your unlocked cellphone or laptop (especially if you have your email logged in). “How much damage could someone do in a few minutes if they visit your stock portfolio page or bank account (which probably have your account name cached), and click the 'email me my lost password'?” he says.
7. Set up a burner. Don't enter details into sites you don't trust. And if you have to, Berry suggests using a “burner” account name – an email account you don't care about. “If it gets compromised or spammed, who cares?” he says, as you can abandon it and set up another one.
And, of course, Berry says, never tell anyone – spouse, employees, support staff, best friend – your passwords.
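Tip 1 rests on the codes being one-time: a code that has been used once must not work again. As an added example, not code from the article or from any of the services it names, the block below implements the HOTP scheme from RFC 4226 (an HMAC over a counter, truncated to six digits), which is the counter-based cousin of the SMS and authenticator-app codes the article describes. The "phone" side generates the next code; the server side keeps the last counter it accepted and burns it, so replaying a captured code fails. The shared secret, the five-code look-ahead window and the `OtpVerifier` class are assumptions made for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


class Phone:
    """The 'something you possess': produces the next code each time it is asked."""

    def __init__(self, secret):
        self.secret = secret
        self.counter = 0

    def next_code(self):
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class OtpVerifier:
    """Server side. Remembers the next counter it expects, so a code is
    accepted at most once; a small window tolerates codes the user skipped."""

    def __init__(self, secret, window=5):   # window size is an assumption
        self.secret = secret
        self.expected = 0
        self.window = window

    def verify(self, code):
        for i in range(self.expected, self.expected + self.window):
            if hmac.compare_digest(hotp(self.secret, i), code):
                self.expected = i + 1   # burn this counter and any it skipped
                return True
        return False


if __name__ == "__main__":
    # Shared secret is the RFC 4226 test-vector key, used here only as a demo.
    secret = b"12345678901234567890"
    phone, server = Phone(secret), OtpVerifier(secret)

    first = phone.next_code()
    print("first login:", server.verify(first))     # True
    print("replay of same code:", server.verify(first))   # False: already burned
    print("next code:", server.verify(phone.next_code()))  # True
```

The replay check is the whole point: a shoulder-surfer who writes down "755224" gets nothing, because the server has moved on. What this does not defend against is a phishing page that relays your password and current code to the real site while you type them; a one-time code only closes the window to the seconds it takes to use it.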