Those pesky passwords
Do you have a Yahoo or LinkedIn account? If so, you could be in trouble.
Yahoo last week confirmed reports that hackers had broken into its system and posted more than 450,000 e-mail addresses and passwords on a public Web site. The unencrypted list, stolen from the Yahoo Contributor Network, has since been widely distributed over the Internet, putting the privacy, financial security and even personal safety of the owners of those e-mail addresses at risk.
The published file was also said to contain a huge number of log-in credentials for other e-mail services, including Gmail, Hotmail, AOL and a number of Internet service providers.
News of the stolen Yahoo data came one month after LinkedIn, a business-oriented social network, confirmed a security breach that resulted in the loss of encrypted passwords that could allow criminals to break into its subscribers’ accounts. While the company did not say how many people might be affected, reports said up to 6.5 million passwords had been compromised.
If you’ve never used or even heard of the Yahoo Contributor Network, you’re probably safe, but if you want to be sure, you can go to a page set up by Sucuri Malware Labs that checks addresses against the published list (http://labs.sucuri.net/?yahooleak). If you’re on the list, change your password immediately. LinkedIn members ought to change their passwords right away, too, just to be safe.
When doing so, bear in mind several commonsense reminders:
Don’t use the same password on multiple sites. The logic behind this is simple: you don’t want a security breach in one service to open up your other accounts to abuse by hackers. If you used the same password for Gmail, Amazon, Facebook and Twitter, a hacker who gains access to one account could also gain access to all your financial and social networking data, including contact information, photos, and the names of your family members.
Use long (eight characters or more) and complex passwords. Substitute numbers for letters based on their appearance. For example, “troglodyte” might become “tr0gl0dyt3,” making it more difficult to guess. Choose passwords that are meaningful to you, so you won’t easily forget them, but don’t pick obvious choices like your own name or birthday. Believing that length matters most, some security experts suggest using an entire sentence as your password. For example, the sentence “Nothing for poor Grishnak” might become “n0th1ng4p00rgr1shnak” – easy to remember, but difficult to guess. A Web site such as “The Password Meter” (http://www.passwordmeter.com/) will tell you how well you have chosen. (Our example above scored 100 percent.)
Don’t use default or common passwords like “password,” “admin,” or “12345.”
Be sure nobody is looking over your shoulder when you’re typing in a password, and always be sure to log off any Web site you’ve accessed, especially if you are doing so from a public or shared computer.
If you must write down your password as a reminder, keep it in a secure place. Don’t write it on a Post-It note and attach it to your monitor.
If you have difficulty remembering all your usernames and passwords, use a secure application to do the job for you. On the Mac and my Linux PC, I use the free and open source KeePassX (http://www.keepassx.org), a port of the Windows program KeePass (http://keepass.info).
KeePass stores and encrypts all your passwords inside a database, and uses one master password or a key-file to access that database. KeePass has fields for username, password, URL and comments, and you can create login groups (like e-mail or Internet) to organize your passwords.
The program can also generate secure passwords for you and tell you how strong your chosen passwords are.
Password managers such as KeePass are particularly useful for people who work in companies that require them to change their passwords regularly – as long as they remember to update their database as well, and as long as they don’t forget the master password.
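To make the length-versus-complexity point in the reminders above concrete, here is a small added Python example (not from the column, and not KeePass code) that scores a password by the size of the search space an attacker would have to exhaust, checks it against the column's rules, and generates a random password the way a password manager does. The 40-bit cut-off and the short common-password list are assumptions chosen for illustration; a real check would use a full breach dictionary.

```python
import math
import secrets
import string

# Character classes used to estimate how large a search space an attacker
# would have to cover to exhaust every password of the same make-up.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Constructed stand-in for a real dictionary of common/default passwords.
COMMON_PASSWORDS = {"password", "admin", "12345", "123456", "qwerty", "letmein"}

# Alphabet a password manager typically draws from when generating passwords.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def search_space_bits(password: str) -> float:
    """Bits of brute-force work for every password of this length built from
    the same character classes: length * log2(alphabet size). Doubling the
    length roughly doubles the bits; adding digits to letters adds far less."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def check_password(password: str) -> list:
    """Apply the column's rules: at least eight characters, not a common or
    default password, and (assumed threshold) at least 40 bits of search space."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common or default password")
    if search_space_bits(password) < 40:
        problems.append("search space under 40 bits")
    return problems


def generate_password(length: int = 16, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Generate a random password from the OS CSPRNG (secrets), never from
    random.random(), which is predictable and unsuitable for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Running the column's own examples through `search_space_bits` shows "troglodyte" at about 47 bits, "tr0gl0dyt3" at about 52 bits, and the sentence-based "n0th1ng4p00rgr1shnak" at about 103 bits, which is why the longer passphrase is the stronger choice.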