In the recent Yahoo! security breach, 400,000 passwords were compromised. The most shocking part about it is the passwords were stored unencrypted. Thats right.. clear text unencrypted.
Between this most recent breach, LinkedIn, and countless others, other than quitting the internet – what can you do about it to protect yourself?
The following are five simple steps you can take right now to protect yourself and your online accounts:
1. Use Complex Passwords.
Complex passwords are passwords with at least 8 but preferably 10 or more of the following types of characters:
- Lowercase letters (a-z)
- Uppercase letters (A-Z)
- Numbers (0-9)
- Special characters (!,@,#,$, etc)
Why is this important? Brute force attacks. Basically a brute force attack is an automated program that tries all combinations of characters.. A short password of 5 characters can be figured out in a few minutes. Sure, many sites have security measures to make this more difficult.. but with random hits coming from a botnet, maybe not so much.
2. Do Not Use Dictionary Words or Commonly Used Passwords
To make a password attack even more efficient, an automated program will first run through a dictionary to see if any of those words are the password. That’s even faster for it to run through than guessing characters.
In addition to not using dictionary words, don’t use passwords like 123456, abc123, password, letmein and so on. Everyone knows those passwords are the most commonly used passwords.
A rule I like to follow when creating a password is: Don’t make a password a 6th grader can figure out. So avoid straight dictionary words, and commonly used passwords. I recommend taking some words that have a meaning to you and mixing them up with letters, characters, capitals and numbers.
3. Tread Carefully With Password Reset Questions
Remember when Sarah Palin’s email was compromised a few years back? How’d they do it? Were they super genius hackers? No. He clicked the “I forgot my password” button on her Yahoo! account and answered some simple security questions with the help of a Google Search.
So, your super secure password is easily reset if your security questions are simple enough that someone can guess them or Google them.
My recommendation is to use answers that have special meanings to you. Such as “What city did you meet your spouse in” can become something more personal such as where you went on your first date. Or you can just blatantly make something up. So you met your spouse in New York? Put Tokyo. Be creative. Just don’t forget them if you decide to make a bunch of answers up!
4. Use Many Different Passwords
With different passwords for each site, if one is compromised at least you don’t have to worry about ALL your accounts.
A best practice would be to have important accounts like your online banking, email, bills, social networking and shopping (eBay, Amazon, iTunes) all use different passwords.
Then you can have one or two other passwords to use for small sites that you dont really have to be secure about like forums, and stuff you’ve signed up for.
Note: If you’re password-memory challenged, don’t fret. Use a Password Manager program such as 1Password, KeePass or have Firefox / Chrome / Safari remember your passwords for you. Just make sure you backup your profile, put a master password on it to keep it secure and lock your computer if you step away.
5. Change Your Passwords Semi-Frequently
You know how at work, you’re hounded every 30, 60 or 90 days to change your password? There’s a few reasons for that. First, If your password is compromised – it’s only good for 30, 60 or 90 days. Its bad if your account’s been broken into but at least it’s mitigated. Second, if someone gets hold of some password tables from a database – say from a backup stored offsite, the passwords are no good if they’re older than your password’s expiration date.
Changing your passwords somewhat frequently is a great way to take advantage of this mindset to secure them. That way, if old data is breached, you’re fine. You haven’t used that password since 2005!
However, you don’t need to change them every 30 days. Something a little more reasonable like once or twice a year is probably more appropriate.
Note: If you change your password every few months but keep recycling the same two or three, you start to lose the benefit of changing your password. So don’t recycle them.