Passwords and Online Safety

Consumer Reports, and others have noted an increase in the number of accounts being hacked.

The April 8, 2014 Heartbleed OpenSSL security bug is the most serious security bug in the history of the Internet. See:

https://www.yahoo.com/tech/heres-what-you-need-to-know-about-the-heartbleed-bug-82120054478.html

http://www.npr.org/blogs/alltechconsidered/2014/04/08/300602785/the-security-bug-that-affects-most-of-the-internet-explained

Systems will continue to be hacked in many other ways as well.

Having your email account hacked is extremely serious because it affects not just you but everyone you email. Hacked email accounts often allow hackers to get around spam filters and send dangerous attack emails to friends and family -- and everyone else you have emailed or who has emailed you. Your email archives and address books may be stolen then deleted. Your stored emails may reveal sensitive information about you as well as others -- including information that can be used to break into other accounts owned by you and your associates. Did you ever email ID information (credit card numbers, social security numbers, etc) or passwords to others? What about other personal information about yourself, family or friends that could be used to answer security questions?

The biggest ways that passwords & your accounts get compromised:

1) Sites get hacked and account/password information is stolen.

2) People use weak passwords (it is hard to remember long and strong passwords that are different for every account) and these can just be compromised.

3) People unknowingly reveal their password to malicious sites.

4) Your computer gets infected by malware.

From interviewing many of the people whose accounts were hacked, the most common theme is passwords that were less than 10 characters long -- often just 8 characters -- and were used for many different accounts. It is also possible their computers were infected but most had up-to-date virus software. Some have had old operating systems or browsers. Hackers have been particularly successful at breaking into Yahoo email accounts (which includes SBCglobal and AT&T email accounts).

Everyone should do their best to keep their email and computers safe to protect both themselves and all their friends.

Some key tips:

1) Keep your computer(s) malware-free by using good virus protection software and only installing software from safe sources.

2) Keep your operating system and web browsers current with the latest releases that have had security holes patched.

3) Do NOT click on links to suspicious sites. Those sites may be able to attack your computer simply by visiting them.

4) Never have your web browser save your passwords. This stores passwords in insecure locations where malware can get them.

5) Watch out for phishing attacks (web sites that look like valid sites but are not).

6) It is critical to use a different and strong password for each account -- if any one account is compromised, it can cause many other accounts to be compromised.

What is a strong password?

Strong passwords:

1) are long -- ideally 16 characters or more;

2) use many different characters -- upper and lower case letters, numbers, and even punctuation or other special characters;

3) are unique – use a different password for each account (so if one account is compromised that password cannot be used to break into other accounts);

4) are hard to guess -- not something that is easily discovered about you like your dog's name or your mother's maiden name – which also means you should treat your security questions just like passwords (!);

5) are changed periodically.

If you have more than 2-3 passwords, doing the above and remembering them is hard!

Many of us have a dozen or more online accounts between email, banks, credit cards, Facebook, and more. How can you remember many different strong passwords for each of these accounts?  You could write them down on a piece of paper, but if you do please store it securely and make a copy (backup) in case you lose it. A better solution is to use a password manager to handle your strong passwords so you just need to remember one password -- for the password manager itself. One of the best password managers is LastPass (https://LastPass.com).

LastPass can remember all of your passwords and it also:

1) enters web usernames and passwords automatically so you don't have to type them (saves you significant typing and mistyping);

2) generates strong passwords of any length;

3) backs itself up automatically to a secure location so your passwords are available to you (and only you) on as many computers as you wish (even if your computer is stolen);

4) prevents phishing/spoof attacks by distinguishing valid websites (where it is safe to enter passwords) from invalid ones;

5) is your safe deposit box in the sky for other critical but sensitive bits of information (account numbers, PINs, combinations, etc);

6) is itself very secure (reviewed by many independent security experts and companies); 

7) allows secure sharing of passwords with others; 

8) is multiplatform - Windows, Macintosh, iPhone, Android, Linux, etc; and

9) is free and easy to use!!

LastPass will even help you recover from the Heartbleed debacle. See:

http://www.pcworld.com/article/2142104/lastpass-now-scans-for-heartbleed-affected-accounts.html

For additional password managers and safe computing practices, please read:

http://www.pcworld.com/article/208113/best_password_managers_top_4_reviewed.html

and

http://www.pcmag.com/article2/0,2817,2407168,00.asp

and

http://www.consumerreports.org/cro/consumer-reports-magazine-january-2012/hack-proof-your-passwords/index.htm

Thanks for doing your part to protect yourself and the rest of us!

Note: I'm a user of Last Pass but have no financial or other vested interest in Last Pass -- it is just the best password manager I've been able to find after reviewing many password managers (KeePass, RoboForm, 1Password, some others) as well as alternative solutions (post its, encrypted files on local computer, paper in physical safe).

Update July 6, 2024: I no longer use LastPass, but tere are many great password managers around now. Find one and use one. 

(Authored 4/29/2012, Updated 5/5/2013, Updated 4/10/14, Updated 7/6/2024)