How to Avoid Password Hacks: 5 Rules
Security breaches are ugly forms of publicity, and business networking site LinkedIn just got hit with a particularly unpleasant one. Hackers obtained six million hashed user passwords and cracked 60% of them, with the rest probably just waiting their turn.
The security at LeakedOut--sorry, LinkedIn--clearly wasn't up to snuff. That's a problem for the affected account holders, particularly if they use the same password elsewhere and the hackers use automated tools to try the same credentials on other widely used sites. Even if you or your employees weren't affected, you could have been. The greater worry is that this wasn't the first time data at a website was compromised, and it won't be the last.
But there's good news: Everyone at your company can easily implement strong and unique passwords for different sites without having to become a memory whiz or plaster a monitor with yellow sticky notes.
The first step is to realize that people who want to break into accounts are often very smart and use sophisticated tools to speed the process. So forget about schemes like substituting numbers for letters, where you turn the word "look" into "100k." That's a well-known trick that password-cracking tools already know how to address. Of course, given that the five most common passwords are "password," "123456," "12345678," "qwerty," and "abc123," cracking them often isn't a tough nut at all. (There are tools that will rate the strength of your passwords if you'd like to see how vulnerable you might be.)
5 Rules for Secure Passwords
- The password must consist of random characters that aren't anything recognizable.
- Each site gets a unique password.
- The greater the number of characters you can employ--upper and lower case letters, numbers, and special characters like punctuation and symbols--the more difficult it is for someone to crack your password.
- The longer the password, the better. A bare minimum should be 8 characters; 12 to 15 should be preferred.
- Never write down the passwords where other people could get them.
In other words, good passwords are among the most difficult-to-remember bits of data in the world. Given that you might have used dozens or even hundreds of sites, it becomes a ridiculous amount of information to memorize. Luckily, you don't need to memorize it if you use a good password vault.
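To make the five rules and the "100k" point concrete, here is a small password checker I've added as an illustration; it is not code from the column or from any of the products mentioned. It applies the length and character-class rules, flags the five common passwords named above, and undoes number-for-letter substitutions before a dictionary lookup, which is exactly why that trick buys nothing against a cracking tool. The common-password and dictionary lists are constructed samples of a few entries; a real checker would load breach-derived lists with millions of entries.

```python
import math
import string

# Constructed sample lists for this demonstration. A real checker loads a
# breach-derived list with millions of entries and a full dictionary.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123"}
DICTIONARY_WORDS = {"look", "password", "welcome", "secret", "letmein", "monkey"}

# Number-for-letter substitutions that cracking tools already try, reversed
# here so that "100k" normalises back to "look" and "p@ssw0rd" to "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def classes_used(password: str) -> int:
    """Count how many of the four character classes appear in the password."""
    return sum(1 for cls in CHARACTER_CLASSES if any(ch in cls for ch in password))


def estimated_entropy_bits(password: str) -> float:
    """Upper bound on guessing work: log2(alphabet size) per character.

    This assumes every character was chosen uniformly at random from the
    alphabet, which is only true of generated passwords; for anything
    human-chosen the dictionary checks below matter far more.
    """
    alphabet = sum(len(cls) for cls in CHARACTER_CLASSES
                   if any(ch in cls for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def candidate_words(password: str) -> set:
    """Forms a cracking tool would try: lower-cased, with trailing digits and
    symbols stripped ("Welcome1!" -> "welcome"), and with substitutions undone."""
    lowered = password.lower()
    core = lowered.rstrip(string.digits + string.punctuation)
    return {lowered, core, lowered.translate(LEET_MAP), core.translate(LEET_MAP)}


def check_password(password: str) -> dict:
    """Apply the column's rules and return the findings."""
    findings = []
    if password.lower() in COMMON_PASSWORDS:
        findings.append("on the most-common-passwords list")
    if candidate_words(password) & DICTIONARY_WORDS:
        findings.append("dictionary word, possibly disguised with substitutions")
    if len(password) < 8:
        findings.append("shorter than the 8-character minimum")
    elif len(password) < 12:
        findings.append("shorter than the preferred 12 to 15 characters")
    classes = classes_used(password)
    if classes < 3:
        findings.append(f"uses only {classes} of 4 character classes")
    return {
        "length": len(password),
        "classes": classes,
        "entropy_bits": round(estimated_entropy_bits(password), 1),
        "findings": findings,
        "acceptable": not findings,
    }


if __name__ == "__main__":
    for sample in ("100k", "password", "Welcome1!", "k7$Qv2!pLx9#Wz"):
        print(sample, check_password(sample))
```

Running it shows "100k" failing on three counts (it is "look" in disguise, too short, and only two character classes), while a 14-character random string passes every rule with roughly 92 bits of guessing space. The entropy figure is only meaningful for randomly generated passwords; for a human-chosen one the dictionary and common-list findings are the ones that matter.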
2 Password Keepers to Try
A password vault uses an overall good password--only one toughie to remember--to give you access to all of your site-specific ones. The better programs can log you in and automate the process of filling in online forms. Cloud storage features can keep your passwords synched between browsers, computers, and even devices. Update your login information when on your smartphone and it will be available on your laptop or desktop.
I've used RoboForm for years, having paid for the desktop version and added a cloud subscription to use from an Android smartphone or tablet. The mobile portion is a bit clunky, as it runs its own browser and doesn't integrate with either Firefox or Chrome as the desktop version does. On a small portion of sites, the desktop version occasionally finds it impossible to automatically fill in logins. (In such cases, I edit the contact record and cut and paste the information.) But, overall, it works smoothly and saves me aggravation when trying to securely use the Web.
Another popular one (which my technically able son swears by) is LastPass. There is an ad-supported free version as well as a paid one that adds support for an impressive variety of mobile devices. Like RoboForm, LastPass incorporates a password generator that gives you good control over what types of characters can be used and how long the password will be.
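The generator in a password vault does what the rules above ask for: it draws every character from the operating system's cryptographic random source rather than from anything a person would choose. The following Python is an added example of that idea and is not RoboForm's or LastPass's code; it lets you switch the four character classes on and off and set the length, guarantees at least one character from each enabled class so the result passes typical site composition rules, and takes an `exclude` string (my own addition, not a feature claimed for either product) for characters a site rejects or that are easy to misread.

```python
import secrets
import string

# The four character classes a generator lets the user switch on or off.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}


def generate_password(length: int = 15,
                      classes=("lower", "upper", "digits", "symbols"),
                      exclude: str = "") -> str:
    """Return a random password of `length` drawn from the enabled classes.

    `exclude` removes characters a site rejects or that are easy to misread
    (for example "0Ol1I"). At least one character from each enabled class is
    guaranteed, so the result satisfies typical site composition rules.
    """
    if length < 8:
        raise ValueError("8 characters is the bare minimum; 12 to 15 is preferred")
    pools = [[ch for ch in CLASSES[name] if ch not in exclude] for name in classes]
    if not pools or any(not pool for pool in pools) or len(pools) > length:
        raise ValueError("no usable characters for the requested classes and length")
    alphabet = [ch for pool in pools for ch in pool]
    # `secrets` reads the OS CSPRNG. random.choice/random.shuffle would not do:
    # the Mersenne Twister state can be reconstructed from observed output.
    chars = [secrets.choice(pool) for pool in pools]           # one per class
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the guaranteed ones aren't first
    return "".join(chars)


def covers_all_classes(password: str, classes) -> bool:
    """True if the password contains at least one character of every class."""
    return all(any(ch in CLASSES[name] for ch in password) for name in classes)


def uses_only(password: str, classes, exclude: str = "") -> bool:
    """True if every character comes from the enabled classes minus `exclude`."""
    allowed = {ch for name in classes for ch in CLASSES[name] if ch not in exclude}
    return all(ch in allowed for ch in password)


if __name__ == "__main__":
    print(generate_password())                                  # 15 chars, all classes
    print(generate_password(12, classes=("lower", "digits"), exclude="0l1"))
```

Because the output is random, the checks worth making are structural: the length is what was asked for, every enabled class is present, nothing outside the enabled classes (or inside `exclude`) slipped in, and repeated calls never produce the same password. Generate one password per site this way and rule 2 (a unique password for each site) takes care of itself.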
You can download trial versions and see which product best fits your needs. And then start generating new and strong passwords for all the sites you use.
ERIK SHERMAN | Columnist
Erik Sherman's work has appeared in such publications as The Wall Street Journal, The New York Times Magazine, and Fortune. He also blogs for CBS MoneyWatch.