8 password tips to beat hackers
Protecting your passwords online has never been a more urgent matter. This summer, Yahoo users were jarred by the news that hackers had breached the accounts of more than 400,000 people. Fortunately, the hackers weren't out to turn a quick buck by stealing financial information. They claimed their motive merely was to provide a "wake-up call" for better security.
In recent years, hackers have struck across the Web, compromising passwords stored by LinkedIn, Sony and other companies. Given the growing prevalence of the attacks and the high stakes, security experts are scrambling to educate the public and promote tools and best practices for online security.
Like many experts, consultant Chris Kimmel with the Cleveland-based Internet security firm SecureState was alarmed by what he saw with the Yahoo breach. "A lot of people used the same password or similar passwords, which makes it incredibly easy for the hackers," he says.
An analysis of the compromised passwords showed that "123456," "password" and "welcome" were among the most common.
Follow these tips to be more password-prudent.
Make your password challenging
You've probably heard some of this before, but online security experts agree that one of the best things you can do to protect yourself is to choose a challenging password, which makes it harder -- but not impossible -- for the bad guys to crack your defenses.
"Security is a relative concept," says Kimmel, "so it's not about choosing a password that's impossible to crack as much as it's about making yourself a relatively hard target for hackers, because they won't waste the time when they could just move on to easier pickings."
Here are some common recommendations for choosing and maintaining a strong password.
- Change your password when there is reason to think it has been exposed: a breach at the site, a login from a computer you don't trust, or a password you shared with someone. Some companies have employees swap out passwords each month, and industry recommendations have ranged from 30 to 90 days between changes. Current guidance in NIST SP 800-63B advises against routine expiration, because forced changes push people toward predictable variations ("Summer12" becomes "Summer13") that cracking tools try first.
- Use at least eight characters, ideally many more. Length does more than any other rule, since each extra character multiplies the number of guesses an attacker has to make; a passphrase of several unrelated words is both long and memorable.
- Avoid dictionary words, in any language. Misspelling a word or swapping in symbols ("p@ssw0rd") helps less than it seems: cracking tools apply those substitutions automatically, so a word with a few swaps falls almost as fast as the plain word.
- Avoid words spelled backward and common abbreviations; cracking wordlists and rule sets cover those too.
- Don't use personal information, such as your birth date, anniversary, pet's name or anything else a stranger could find on your social media profiles.
- Use at least one number, symbol, lowercase letter and uppercase letter, but don't let mixing character types substitute for length.
- Diversify by using a different password for each account, so a password stolen from one site can't be replayed against your others.
Test your password
Heeding the advice for selecting a strong password isn't enough. You can also put a candidate through a testing tool before you put it into use, with one caveat: never type a password you actually intend to use into a website you don't control, because you can't know where it goes or whether it's logged. Test a password of the same length and structure instead, or use a checker that runs offline.
The Safety & Security Center at Microsoft.com offers one testing tool. There's also HowSecureIsMyPassword.net, which estimates how long it would take a hacker to crack a fresh password. And PasswordMeter.com scores your password across more than a dozen categories. Keep in mind what these meters measure: they estimate resistance to brute-force guessing from length and character mix, and they don't know whether a password already appears in a published breach list, so a leaked password can still score as "strong."
Some online retailers and other popular sites offer their own password tests. But experts say while those are nice features, consumers should not rely on them too much.
"When a site like Amazon offers to test your password, that's really great and it can tell you if your choice is strong or weak," says Marian Merritt, the Culver City, Calif.-based Internet safety advocate for Symantec's Norton security software. "But consumers shouldn't be lulled into a false sense of security because Amazon doesn't know if you're using that password elsewhere, which of course would make even the strongest choice vulnerable to attack."
Don't use a throwaway password
When you join a new website where you don't expect to use your credit card, you might be tempted to use a "throwaway" or junk password. You might pick a simple, easy-to-remember word or phrase -- and then you might wind up reusing this password across multiple sites where you think the risk of a security breach is low.
But there's really no such thing as a junk password, says Merritt.
"People who create throwaway passwords are really opening up a door for the hackers," Merritt explains. "They're easy to remember, so they can be easy to crack, but the real danger is that people use them for dozens of sites, which means widespread exposure."
Often, these passwords aren't meant to directly protect vital financial information, so the risk of identity theft might seem low in the event of a breach.
But breaches on nonfinancial sites -- especially social networks -- can still be severe because hackers often use the consumer's profile to spread malicious or embarrassing links. And even if the passwords aren't guarding your most sensitive information, it's just good to be in the habit of thinking about online security, says Merritt.
Use a password manager
Given the sheer number of passwords we tend to use every day, you might go a little mad trying to keep track of them all. In recent years, technology professionals have begun advocating the use of password managers, which are good for both security and sanity.
"Hands down, a password manager is the best way to protect yourself without going crazy," says Merritt.
LastPass, 1Password, KeePass and Password Safe are just a few of the many good choices out there. And says Kimmel, some of them are available for free.
While the particulars of each password manager vary somewhat, they all have some core similarities in terms of how they work.
To use one, consumers need only remember a single master password. The manager derives its encryption key from that password, stores the passwords for every site you visit (and can generate long random ones for you), and fills them in automatically whenever you log on. Choose a manager that encrypts the stored data, and treat the master password as the most important one you have: it must be long and unique, because anyone who learns it gets every account at once. Some password managers store the data locally (on your desktop) while others sync an encrypted copy through the off-site "cloud," which is convenient across devices but means the provider holds your vault and its encryption is the only thing protecting it.
Guard your phone
Given the rising popularity of smartphones and features that make it easier for consumers to bank and pay their bills with their mobile devices, it's not surprising that security experts such as Kimmel worry a great deal about what can happen when a smartphone falls into the wrong hands.
"To be blunt, phones are a major cause for concern in the security community because even though you can -- and should -- password-protect them, the passwords aren't all that long, which makes them relatively easy to crack," says Kimmel.
According to Kimmel, there are some apps that let you beef up the password on your phone and even lock the phone remotely if it's lost or stolen. In those cases, it's a good idea to change your password if you get the phone back.
Merritt shares this cautionary tale: "We did an experiment where we left 50 phones around the country," she says. "Most of the people who found the phones ended up returning them, but not before they tried opening various apps, including the banking and mobile payment apps we had on the phones."
Pay attention to the news
When a company suffers a security breach, state laws usually mandate that customers be notified in a timely fashion. But because the laws vary, and because the news media may often have the story before the company has had time to notify affected customers, Merritt says it's a good idea to check in regularly with a trusted technology news source.
"It's not uncommon to find out about a breach from a tech news site before the company notifies you," she says. "So if you hear that a company you use has been breached, it just makes sense to change your password, even if it ends up that your password wasn't compromised."
Know your cloud provider
Whether you realize it or not, there's a good chance that some or all of your data are being stored in the "cloud." That's not a bad thing because it allows you to remotely back up your data and access it from multiple devices anywhere on Earth. But if you choose to back up your hard drive to the cloud (something many computer experts recommend to safeguard against losing all your data if your computer crashes), it's important to know the cloud service you're dealing with, so you can feel confident your password(s) will be safe.
"Like anything else, you want to stick with well-known, reputable brands," says Dave Wolf, vice president of strategy at Cynergy Systems, a software design and development firm.
Watch your back online
Even the best technology safeguards won't protect us against our own risky behavior, and we can all do a lot better in that department, says Emery Berger, an associate professor of computer science at the University of Massachusetts at Amherst.
"Consumers need to beware of phishing attacks that pretend to be a particular Web page -- for example, you get a prompt from a Web page to enter your Facebook password, but the URL is not actually Facebook, so your password gets sent to a hacker," Berger says. "The key is to check the URLs and make sure that the little 'lock' icon appears, indicating that the information is going over a secure connection."
The lock icon confirms only that the connection to the site named in the address bar is encrypted; a phishing page can have one too, so the domain name itself is the decisive check. Beyond keeping a sharp lookout for threats to your online security and passwords, it's also critical to grab every software update -- something many of us put off at our peril.
"Microsoft, Apple and others are in a constant battle to fix their programs to guard against security vulnerabilities," says Berger. "As soon as they update their software, everyone out there knows what the vulnerabilities are, so you are vulnerable until you update."