Prevent your passwords from being hacked through password management

by Ruth Sylte · 6 comments

During the past week, a couple of my professional colleagues have had their passwords hacked -- and now have a real mess to clean up.

A few years ago, I came across an excellent blog post by John P. of One Man's Blog, "How I'd hack your weak passwords," about how weak passwords get cracked and how a little care in creating them defeats the attacker.

In that post, John gives excellent advice about creating passwords that are difficult for an attacker to crack. One of his best pieces of advice is:

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

And here is his chart to prove it. Look at how the difficulty climbs as you create passwords that meet a certain length and draw on more character classes -- that is what clever password creation amounts to.

[Chart from John's post: estimated time to brute-force a password, by length and character set]

Simply by creating passwords of more than 10 characters and mixing upper- and lowercase letters, you can make an attacker who tries every combination work for almost two millennia, at the guess rate behind John's chart. Keep in mind that the absolute figures depend on that rate: the chart's numbers work out to roughly a million guesses per second, while an attacker who has stolen a database of unsalted fast hashes can run a GPU rig orders of magnitude faster, so the lesson is the exponential growth that comes from length and character variety, not any particular number of days or centuries. If your passwords don't meet this requirement, go read John's original post and get the fear of God -- and the importance of password creation and password management -- into your system. If you heed his words, you will save yourself a lot of misery. Trust me.
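As an added example (it is not from this post or from John's blog), here is the arithmetic behind a chart like that one. It backs the chart's guess rate out of its own "8 lowercase characters = 2.4 days" figure and then tabulates the exhaustion time for each character set and length at that rate and at an assumed 10 billion guesses per second, an order-of-magnitude figure for a GPU rig against an unsalted fast hash. Run it and you will see that the chart's rate is about a million guesses per second, that 8 characters drawn from all 95 printable characters take a little over two centuries at that rate (the "2.1 centuries" in the quote), and that the same password falls in about a week against the GPU rig.

```python
"""Brute-force search space and time-to-exhaust for a password policy.

Added example for this post; it is not code from the original or from
John P.'s blog. The guess rates are assumptions: the chart's own rate is
backed out from its "8 lowercase characters = 2.4 days" figure, and the
10 G/s figure is an order-of-magnitude assumption for a GPU rig against
an unsalted fast hash.
"""

SECONDS_PER_YEAR = 365.25 * 86400

# Character-set sizes the chart in the post compares.
ALPHABETS = {
    "lowercase (26)": 26,
    "mixed case (52)": 52,
    "mixed case + digits (62)": 62,
    "all printable ASCII (95)": 95,
}

def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every password of this shape at this rate."""
    return keyspace(alphabet_size, length) / guesses_per_second

def implied_guess_rate(alphabet_size, length, seconds):
    """Guess rate that turns a keyspace into the quoted exhaustion time."""
    return keyspace(alphabet_size, length) / seconds

# The chart's "2.4 days for 8 lowercase characters" implies about
# 1,000,000 guesses/s (26**8 / (2.4 * 86400) is roughly 1.007e6).
CHART_RATE = implied_guess_rate(26, 8, 2.4 * 86400)

# Assumption: a modern GPU rig against an unsalted fast hash manages on
# the order of 10 billion guesses/s, i.e. about 10,000x the chart's rate.
GPU_RATE = 10_000_000_000

def human_time(seconds):
    """Render a duration using the largest unit that fits."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"

def policy_table(lengths=(8, 10, 12)):
    """(alphabet, length, rate_name, seconds) for every policy/rate pair."""
    rows = []
    for alpha_name, size in ALPHABETS.items():
        for length in lengths:
            for rate_name, rate in (("chart ~1 M/s", CHART_RATE),
                                    ("GPU 10 G/s", GPU_RATE)):
                rows.append((alpha_name, length, rate_name,
                             seconds_to_exhaust(size, length, rate)))
    return rows

if __name__ == "__main__":
    print(f"chart's implied rate: {CHART_RATE:,.0f} guesses/s")
    for alpha, length, rate, secs in policy_table():
        print(f"{alpha:26} len={length:2}  {rate:13} {human_time(secs)}")
```

The thing to take from the table is the ratio between rows, not the absolute times: change GPU_RATE to whatever your threat model says and the ranking of the policies does not move, because every extra character multiplies the work by the alphabet size.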

Some of the other excellent hints about creating passwords and password management include:

  1. When creating passwords, randomly substitute numbers or symbols for letters that look similar: the letter 'o' becomes the number '0' or, even better, an '@', '*' or capital 'O' (e.g. m0d3ltfOrd for modeltford).
  2. Randomly throw in capital letters when creating passwords (e.g. Mod3lTF0rd).
  3. Think of something you were attached to when you were younger, but DON'T CHOOSE A PERSON'S NAME! Every name and every word in a dictionary will fall to a simple dictionary attack or brute-force attack.
  4. Maybe create a password from the name of a place you loved, a specific car, an attraction from a vacation, or a favorite restaurant -- or a combination of such names (with numbers and special characters mixed in).
  5. You really need a different username / password combination for every account in your password database. Remember, the attacker's technique is to break into anything you access just to learn your standard password, then use it to compromise everything else. That doesn't work if you don't use the same password everywhere. Vigilant password management is important!
  6. Since it can be difficult to remember a ton of passwords, John recommends RoboForm for Windows users. It stores all of your passwords in an encrypted password database and lets you use just one master password to access all of them. It will also fill in forms on websites automatically, and there are versions that let you carry your password list on your PDA, phone, smartphone or a USB key. Mac users can use 1Password, which is essentially the same thing for the Mac, and it even has an iPhone application so you can take your passwords with you too.
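To see what hints 1 and 2 are worth on their own, here is a small rule-based dictionary attack, written for this post as an added example (not John's code and not from the original post). It takes a constructed seven-word list of the kind of words hints 3 and 4 suggest, applies the same look-alike substitutions and capitalisation as the hints, concatenates words, and hashes each candidate until it recovers the post's own example, Mod3lTF0rd. Real cracking tools ship with far larger word lists and rule sets, so treat substitutions as a small multiplier on an attacker's work; length and true randomness are the multipliers that matter, and the random_password helper shows what a password manager generates instead.

```python
"""Dictionary attack with mangling rules, run against the post's example.

Added example, not code from the original post or from John's blog. The
wordlist, the rule set and the hashes are all constructed here. The rules
are a tiny version of what real crackers apply to every dictionary word:
the look-alike substitutions from hint 1, the capitalisation from hint 2,
and concatenation of words. They cost an attacker a few thousand extra
guesses per word, not centuries.
"""
import hashlib
import itertools
import secrets
import string

# Constructed wordlist: the sort of "things you were attached to" that
# hints 3 and 4 suggest. Real lists contain millions of entries.
WORDLIST = ["model", "t", "ford", "mustang", "oliver", "misty", "paris"]

# Hint 1's look-alike substitutions. Each occurrence is optional, so
# "Model" expands to Model, Mod3l, M0del, M0d3l, Mode1, ... (a toggle rule).
LEET = {"o": "0", "e": "3", "a": "@", "i": "1", "s": "$", "l": "1"}

def leet_variants(word):
    """Every way of applying LEET to zero or more characters of `word`."""
    options = [(c, LEET[c.lower()]) if c.lower() in LEET else (c,) for c in word]
    return {"".join(chars) for chars in itertools.product(*options)}

def case_variants(words):
    """Hint 2 as three rules: all lower, Capitalize Each Word, ALL UPPER."""
    joined = "".join(words)
    return {joined.lower(), "".join(w.capitalize() for w in words), joined.upper()}

def candidates(wordlist, max_words=3):
    """Concatenate 1..max_words dictionary words, then apply case and leet rules."""
    for n in range(1, max_words + 1):
        for combo in itertools.permutations(wordlist, n):
            for cased in case_variants(combo):
                yield from leet_variants(cased)

def sha256_hex(password):
    """Stand-in for a site's stored hash (an unsalted fast hash, the worst case)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def crack(target_hex, wordlist=WORDLIST, max_words=3):
    """Return (password, guesses) when a mangled phrase matches, else (None, guesses)."""
    guesses = 0
    for guess in candidates(wordlist, max_words):
        guesses += 1
        if sha256_hex(guess) == target_hex:
            return guess, guesses
    return None, guesses

def random_password(length=14,
                    alphabet=string.ascii_letters + string.digits + string.punctuation):
    """What a password manager generates instead: uniformly random characters."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    found, n = crack(sha256_hex("Mod3lTF0rd"))       # the post's hint-2 example
    print(f"recovered {found!r} after {n:,} guesses")
    found, n = crack(sha256_hex(random_password()))  # manager-generated password
    print(f"random password: {found!r} after {n:,} guesses")
```

Running it recovers Mod3lTF0rd in well under a second from at most about 110,000 candidates, and gives up on the random 14-character password, whose 95^14 search space no rule set reaches.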
Other suggestions I can offer include:
  1. Make the master password you use on your computer different from, and unique among, all your other passwords.
  2. Use the password-manager extensions for the major browsers (Google Chrome, Apple's Safari, Mozilla Firefox, Opera, etc.) to remember and protect your passwords. They make password management easier by keeping your password database in one place and filling in logins for you.
  3. Be sure to require a login on your computer and turn on the lock screen on your smartphone as an additional line of defense.
  4. If you're a Mac OS user, become familiar with the Keychain feature and iCloud to synchronize your password database across all your devices: desktop computers, laptop computers, iPhones, iPods and iPads -- and whatever new devices Apple is planning.

When it comes to password applications, John recommends the 1Password program. There are 1Password extensions for Google Chrome, Safari, Mozilla Firefox and other browsers, and it is available for Windows, Mac OS and smartphones such as the iPhone and Android.

I can also recommend the SplashID program -- which works on Windows, Mac OS and a variety of smartphone (including iPhone and Android) and PDA platforms -- and have been very pleased with it.

There are also ways to set up either 1Password or SplashID to work with Dropbox or other cloud storage and file-sharing apps, so that the vault syncs to all your devices -- desktop computers, laptop computers, smartphones (iPhone and Android) and tablets like the iPad. Remember that a synced vault is just a file: anyone who gets hold of that file can try master passwords against it offline at their leisure, so the master password must be long and unique.
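Here is what "encrypted format ... one master password" means in practice, and why the master password matters most once the vault file syncs through Dropbox. This is an added example written for this post, not 1Password's, SplashID's or RoboForm's code; it assumes only the general shape those tools share (a stored random salt, a deliberately slow key-derivation function, and a key that is never written to the file), uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for whichever KDF a product uses, and picks the iteration count as an assumption.

```python
"""Master-password key derivation for a synced password vault.

Added example; it is not 1Password's, SplashID's or RoboForm's code and
makes no claim about their file formats. It assumes only the general
shape those tools share: the vault file stores a random salt plus data
encrypted under a key derived from the master password by a slow KDF.
PBKDF2-HMAC-SHA256 from the standard library stands in for whichever KDF
a product uses, and the iteration count is an assumption.
"""
import hashlib
import hmac
import os
import time

DEFAULT_ITERATIONS = 600_000   # assumption: a present-day-sized work factor

def derive_vault_key(master_password, salt, iterations=DEFAULT_ITERATIONS):
    """32-byte key; the same password and salt always give the same key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def new_vault_header(master_password, iterations=DEFAULT_ITERATIONS):
    """The public part of a vault file: salt, cost and a key check value.

    The key itself is never written. The check value lets `unlock` tell a
    wrong password from a right one, which is exactly the test an attacker
    who has copied the synced file runs offline.
    """
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    check = hmac.new(key, b"vault key check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "check": check}

def unlock(header, master_password):
    """True when `master_password` reproduces the stored key check value."""
    key = derive_vault_key(master_password, header["salt"], header["iterations"])
    check = hmac.new(key, b"vault key check", "sha256").digest()
    return hmac.compare_digest(check, header["check"])

def offline_guesses_per_second(header, n=3):
    """Rate one CPU core gets testing wrong master passwords against `header`."""
    start = time.perf_counter()
    for i in range(n):
        unlock(header, f"wrong guess {i}")
    return n / (time.perf_counter() - start)

def plain_sha256_guesses_per_second(n=100_000):
    """The same measurement against an unsalted single SHA-256, for comparison."""
    start = time.perf_counter()
    for i in range(n):
        hashlib.sha256(f"wrong guess {i}".encode("utf-8")).digest()
    return n / (time.perf_counter() - start)

if __name__ == "__main__":
    header = new_vault_header("a long and unique master password")
    assert unlock(header, "a long and unique master password")
    assert not unlock(header, "A long and unique master password")
    slow = offline_guesses_per_second(header)
    fast = plain_sha256_guesses_per_second()
    print(f"PBKDF2 ({header['iterations']:,} iterations): {slow:,.0f} guesses/s per core")
    print(f"plain SHA-256:                {fast:,.0f} guesses/s per core")
    print(f"work factor roughly {fast / slow:,.0f}x; scale by the attacker's core/GPU count")
```

unlock is the very test an attacker with the synced file performs, so the measured offline rate is their per-core budget. The slow KDF cuts that budget by orders of magnitude compared with a plain hash, but it only multiplies the cost of each guess; a short or reused master password still falls, which is why it has to be long and unique.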

Last, but not least, DO NOT share your passwords with anyone -- not even your nearest and dearest. But DO leave a list of passwords with your important documents, such as your will, so that your accounts can be deactivated by your executor (or his/her representative) in the event of your demise.

Some day you'll thank me for sharing this.


6 comments on "Prevent your passwords from being hacked through password management"

  1. I will never want my account hacked... thanks for sharing with us! Was really helpful :)

  2. Renee Capicchioni Vannata said:

    Thank you for sharing this!

    One of the hints that the cybersecurity gurus give @ UNH is to use the first letter of each word in a sentence. For example, "Now is the time for all good men to come to the aid of their country" would become Nitt4agm2c2taotc. Or you could do something really easy to remember like "My two cats' names are Oliver and Misty", which would be M2cnaO&M.

  3. What The Hack said:

    I think this technique will certainly beat the dictionary attack and brute-force attack.
    I have used RoboForm, but you can also have a try at the LastPass password manager. It is one of the best programs and can be added as an add-on to the Firefox browser easily. You can access your passwords and log in from anywhere just by adding the add-on.

  4. This post is a great guide for password management. My Orkut account got hacked once; I've stopped using Orkut. Now I'm really careful with my passwords.

  5. Thanks for the post, Ruth. I think there are a number of things everyone should do to protect themselves as far as possible from hacking and viruses:

    1. Use a software tracker that tells you of all/any updates required for all the software on your PC. Remember that Windows Update only looks at Microsoft software, and most people have a lot more. I use Secunia PSI (it's excellent and free!) and have been doing so for about 10 years.

    2. If you get a message from a friend that looks unusual (e.g. just a link with nothing else), DON'T open that link. Rather, respond to your friend to check whether they sent it (several of my friends have had their accounts hacked in the past month or so, and emails with links are going out in their names). The same goes for files sent as attachments without a reasonable explanation.

    3. Of course, it goes without saying that you need a comprehensive AV suite installed on all devices, as well as something to monitor the URLs in your web browsers and alert you to anything suspicious.

    4. Don't use public PCs for internet banking or email at all, and restrict their use to browsing sites that don't need you to log in. Key-logging software abounds, and you really don't want your passwords uploaded to a server somewhere.

    It really is about using common sense, as you said -- and when in doubt, don't continue. Better to be safe than sorry, as the saying goes.
