November 5th, traditionally a day of gunpowder, treason and plot, is now a veritable holiday for hacktivists looking to shake up cyberspace. The hacker group Anonymous celebrated Guy Fawkes Day 2012 by taking credit for the alleged breach of nearly 28,000 PayPal passwords, along with other exploits including the websites of NBC and the Australian government.
Unfortunately, password breaches like these have become commonplace over the course of 2012, with major websites like eHarmony and LinkedIn falling victim earlier this year. While a website's security practices (above all, how it stores its passwords) go a long way toward limiting the damage when a password file is stolen in bulk, there is always a chance that a server will be compromised and its password database copied. This is especially true when you consider unpredictable attacks such as those from hacktivist groups like Anonymous.
So how do you protect yourself against the unpredictable? Below, I've outlined four crucial recommendations for better password management to help secure your data against a mass password leak.
1. Cardinal Rule #1: Never Recycle a Mission Critical Password
When you use the same password across multiple websites (Facebook and your bank, for example), a breach of one site exposes the other: attackers take the leaked username and password pairs and simply try them against other popular sites, and every reused combination logs them straight in. According to a 2012 CSID study, 61% of consumers reuse passwords like this, a dangerous habit that can leave both home users and businesses at risk.
This rule is important enough when it comes to public sites like Facebook or LinkedIn (an embarrassing status update is never fun to explain), but the consequences can be dire for passwords linked to your bank account or corporate email. At the very least, group sites and applications into different categories, so private and business accounts always have a unique password.
2. Think you’re at risk? Don’t wait – change your password now!
While passwords are a vital component of many websites' security, the reality is that they can be cracked or broken more easily than most users realize. One of the simplest ways, once an attacker has a copy of a site's password file, is to run a "password cracker" (programs freely available online) that hashes long lists of common words and character combinations and compares the results against the stolen entries, recovering every password that matches. Another easy way is through social engineering: a hacker can steal a password off a Post-It at the office, or pretend to be an engineer and ask for it over the phone.
The result? If you suspect that your password has made it into the wrong hands or into the public eye, time is of the essence. Even if a breach results in the leak of only hashed passwords (often loosely described as "encrypted"), you could still be at risk: hashes that are unsalted or use a fast algorithm are cracked in bulk within hours, as the LinkedIn leak showed, so swap out your combination as soon as possible rather than waiting for the site to tell you it has been recovered. In addition, ALL passwords should be rotated out on a schedule of between every month and every year, depending on the account's sensitivity.
3. Choosing a Password: As Easy as 123456
As we stated above, password cracking tools are extremely efficient at running through letter and number combinations until a match is found, and they start with the combinations people actually use. Armed with this knowledge, users everywhere need to take a hard look at the many lists of most popular passwords out there, and make a sincere effort to avoid the most common combinations.
As a general rule, avoid using conventional words as passwords (or regular words with numbers tacked onto the end, or written backwards). While passwords like these are difficult for people to figure out, they are no match for automated tools: every mainstream cracker ships with "mangling rules" that automatically capitalize, reverse, append digits and years, and swap letters for look-alike symbols, so each dictionary word is tried in hundreds of variations. By the same token, never incorporate personal information into a password (names, family members, pets), as social engineering attacks can easily make use of personal information to break into accounts.
What is most effective for many users is choosing a phrase with personal meaning (a pass-PHRASE, if you will), using abbreviations to avoid complete, regular words. For example, "There's always money in the banana stand" could become Alwys$$nTheB@n@n@St@nD! Two caveats: swaps like @ for a and $ for s are among the first rules a cracking tool tries, so the strength here comes from the length and the irregular abbreviations, not from the symbols; and any example that has been published (including this one) belongs in every attacker's wordlist, so never use it as-is.
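To make the point above concrete, here is a small dictionary-plus-rules cracker written for this post (it is an added example, not a McAfee tool and not the code of any real cracker). It takes a constructed "leaked" file of unsalted SHA-1 digests under hypothetical usernames, generates variations of a ten-word dictionary using the same kinds of mangling rules real tools apply (capitalization, reversal, appended digits and years, @/$/0/3/1 substitutions), and recovers every password built that way in well under a second, while the abbreviated passphrase from the text is not reached by any rule. The usernames, wordlist and plaintexts are all made up for the demonstration.

```python
from __future__ import annotations

import hashlib
import itertools

# Look-alike substitutions that cracking tools apply as a matter of routine.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# A tiny stand-in for the multi-million-entry wordlists attackers actually use.
WORDLIST = ["password", "123456", "qwerty", "banana", "monkey",
            "letmein", "sunshine", "dragon", "football", "iloveyou"]

# Constructed sample data: hypothetical users and the passwords they chose.
# The cracker below never reads this table; it only sees the digests derived
# from it, exactly as an attacker holding a stolen password file would.
CONSTRUCTED_PLAINTEXTS = {
    "alice": "123456",                   # straight off the top-ten list
    "bob": "Password1",                  # capitalized word + digit
    "carol": "drowssap",                 # "password" reversed
    "dave": "P@ssw0rd",                  # look-alike symbol swaps
    "erin": "banana2012",                # word + year
    "frank": "monkey99",                 # word + two digits
    "grace": "Alwys$$nTheB@n@n@St@nD!",  # abbreviated passphrase from the text
}


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1, the scheme behind the 2012 LinkedIn leak."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# What the attacker holds: username -> digest, no salt, fast hash.
LEAKED_HASHES = {user: sha1_hex(pw) for user, pw in CONSTRUCTED_PLAINTEXTS.items()}


def case_variants(word: str):
    yield word
    yield word.capitalize()
    yield word.upper()


def leet_variants(word: str, max_positions: int = 8):
    """Every subset of substitutable letters swapped for its symbol (2^k variants)."""
    positions = [i for i, ch in enumerate(word) if ch in LEET][:max_positions]
    for n in range(len(positions) + 1):
        for chosen in itertools.combinations(positions, n):
            chars = list(word)
            for i in chosen:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def suffix_variants(word: str):
    """Digits, two-digit numbers, years and a trailing '!' tacked on the end."""
    yield word
    yield word + "!"
    for d in range(10):
        yield word + str(d)
    for d in range(100):
        yield word + f"{d:02d}"
    for year in range(1970, 2013):
        yield word + str(year)


def candidates(wordlist):
    """Compose the rules: (word | reversed) -> case -> leet -> suffix, deduplicated."""
    seen = set()
    for base in wordlist:
        for w in (base, base[::-1]):
            for c in case_variants(w):
                for l in leet_variants(c):
                    for s in suffix_variants(l):
                        if s not in seen:
                            seen.add(s)
                            yield s


def crack(leaked: dict, wordlist) -> dict:
    """Return {username: recovered_password} for every digest a candidate matches.

    Because the hashes are unsalted, each candidate is hashed once and checked
    against every user at the same time; this is why salts matter."""
    by_digest: dict = {}
    for user, digest in leaked.items():
        by_digest.setdefault(digest, []).append(user)
    found = {}
    for cand in candidates(wordlist):
        digest = sha1_hex(cand)
        if digest in by_digest:
            for user in by_digest.pop(digest):
                found[user] = cand
        if not by_digest:
            break
    return found


def uncracked(leaked: dict, wordlist) -> list:
    """Usernames whose digests survived the wordlist-and-rules attack."""
    return sorted(set(leaked) - set(crack(leaked, wordlist)))


if __name__ == "__main__":
    for user, pw in sorted(crack(LEAKED_HASHES, WORDLIST).items()):
        print(f"cracked  {user:6} -> {pw}")
    for user in uncracked(LEAKED_HASHES, WORDLIST):
        print(f"survived {user:6}")
```

Six of the seven accounts fall to a ten-word dictionary; only the abbreviated passphrase survives, and only because no rule in this toy set produces it. Scale the wordlist to the tens of millions of real leaked passwords and the rule set to the hundreds shipped with a real cracker, and anything built from a dictionary word is recovered in minutes, which is the whole argument for a passphrase nobody else has used.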
4. Help is on the Way: Password Management Apps
In the end, if the thought of memorizing a unique, complicated password for each and every account you own sounds overwhelming, take heart in the fact that you are NOT alone. Thankfully, there are already a few strong solutions on the market that store your passwords in an encrypted vault behind a single strong master password and can generate a long, random, unique password for every site, with many more sure to come.
Are you currently using a password manager to help secure your online accounts? Let us know in the comments below, and for more on this topic and other security industry trends, be sure to follow our team on Twitter with @McAfee and @McAfeeConsumer.