Wired writer and Twitter star Mat Honan had his Apple, Twitter and Gmail passwords cracked this summer. Shitty for him but thankfully he threw his life into telling us how to make our passwords better. Read the whole article here and some choice cuts below:
How do our online passwords fall? In every imaginable way:
- They’re guessed,
- lifted from a password dump,
- cracked by brute force,
- stolen with a keylogger, or
- reset completely by conning a company’s customer support department.
Let’s start with the simplest hack: guessing. Carelessness, it turns out, is the biggest security risk of all. …the number one password people used was, yes, “password.” The second most popular? The number 123456. If you use a dumb password like that, getting into your account is trivial.
Our other common mistake is password reuse. During the past two years, more than 280 million “hashes” (i.e., encrypted but readily crackable passwords) have been dumped online for everyone to see.
Hackers also get our passwords through trickery. The most well-known technique is phishing, which involves mimicking a familiar site and asking users to enter their login information… he posed as her and sent an email to her accountant, ordering three separate wire transfers totalling roughly $120,000 to a bank in Australia. Her bank at home sent $89,000 before the scam was detected.
An even more sinister means of stealing passwords is to use malware: hidden programs that burrow into your computer and secretly send your data to other people. According to a Verizon report, malware attacks accounted for 69 percent of data breaches in 2011. They are epidemic on Windows and, increasingly, Android.
- Don’t reuse passwords. If you do, a hacker who gets just one of your accounts will own them all.
- Don’t use a dictionary word as your password. If you must, then string several together into a pass phrase.
- Don’t use standard number substitutions. Think “P455w0rd” is a good password? N0p3! Cracking tools now have those built in.
- Don’t use a short password—no matter how weird. Today’s processing speeds mean that even passwords like “h6!r$q” are quickly crackable. Your best defense is the longest possible password.
- Enable two-factor authentication when offered. When you log in from a strange location, a system like this will send you a text message with a code to confirm. Yes, that can be cracked, but it’s better than nothing.
- Give bogus answers to security questions. Think of them as a secondary password. Just keep your answers memorable. My first car? Why, it was a “Camper Van Beethoven Freaking Rules.”
- Scrub your online presence. One of the easiest ways to hack into an account is through your email and billing address information. Sites like Spokeo and WhitePages.com offer opt-out mechanisms to get your information removed from their databases.
- Use a unique, secure email address for password recoveries. If a hacker knows where your password reset goes, that’s a line of attack. So create a special account you never use for communications. And make sure to choose a username that isn’t tied to your name—like firstname.lastname@example.org—so it can’t be easily guessed.

(More via Wired)
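The rules above about dictionary words, number substitutions and short passwords can be checked when a password is chosen. The sketch below is an example added here, not code from the Wired article or this blog. The tiny word list, the substitution table and the 12-character minimum are assumptions made for illustration.

```python
import string

# Constructed sample denylist (assumption); a real deployment would load a
# large list of common and breached passwords instead.
COMMON_WORDS = {"password", "123456", "letmein", "qwerty", "dragon", "monkey"}

# "Standard number substitutions": the same table a cracking tool applies,
# used here in reverse to see what word a password really is.
UNLEET = str.maketrans({"4": "a", "@": "a", "5": "s", "$": "s",
                        "0": "o", "3": "e", "1": "i", "!": "i", "7": "t"})

MIN_LENGTH = 12  # assumed threshold; the article only says "longest possible"


def normalize(password):
    """Lower-case the password and undo common character substitutions."""
    return password.lower().translate(UNLEET)


def screen_password(password):
    """Return a list of problems; an empty list means the password passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")

    lowered = password.lower()
    # Also test the password with a trailing run of digits or symbols removed,
    # so "Passw0rd2012!" is still recognised as "password".
    trimmed = lowered.rstrip(string.digits + string.punctuation)
    candidates = {lowered, normalize(lowered), normalize(trimmed)}
    if candidates & COMMON_WORDS:
        problems.append("common word")
    return problems


if __name__ == "__main__":
    for pw in ["P455w0rd", "h6!r$q", "Passw0rd2012!",
               "correct horse battery staple"]:
        print(repr(pw), "->", screen_password(pw) or "ok")
```

A pass phrase built from several words passes because no single listed word matches the whole string, which is the case the list above recommends.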