
Password security is in the news again, as it is revealed that hackers had managed to break into the accounts of many Twitter users.
Many of the affected Twitter users had previously registered on P2P file-sharing sites - and hackers had been able to enter the sites through a backdoor and grab their account information (including email address and password).
Although a username and password for a torrent-downloading website may not seem very valuable, they are worth a great deal if the same email address and password are also being used for a social networking site like Twitter.
As we've explained before, you should never use the same username and password on multiple websites. It's like having a skeleton key which opens every door - if they grab your password in one place they can try it in many other places.
Also, you should ensure that your password is not a dictionary word, and is suitably complex that it's hard to break with a dictionary attack.
Here's a video which explains how to choose a strong password, which is easy to remember but still hard to crack:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
Don't delay, be sensible and make your passwords more secure today.
Image source: canonsnapper's Flickr photostream (Creative Commons)
I disagree with "Unique passwords are a requirement, not a luxury". This is not practical, hardly anyone follows this advice, and I'd be curious to know whether Chester Wisniewski follows his own advice in this regard (and if so, how many sites is he registered with?)
My advice is to have 2 low-security passwords: one widely used one for non-sensitive sites and another less often used one for more sensitive sites, PLUS a unique password for each internet banking/paypal type account.
And of course all web sites should use salted cryptographic hashes, salted with the username plus a secret site-specific salt.
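The salted-hash point raised in the comment above, as an added example that is not code from the article or from any commenter: each password gets its own random salt, a site-wide secret (the "secret site-specific salt" the commenter mentions) is mixed in with HMAC, and the slow PBKDF2 function is used instead of a single fast hash, so a leaked credential table is expensive to crack offline. The site secret value and iteration count are constructed for the demo; a real deployment keeps the secret outside the user database and tunes the iteration count to its hardware.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed demo value. In production this secret lives in a secrets store
# or environment variable, never in the same database as the password table.
SITE_SECRET = b"demo-site-secret-do-not-use"

# PBKDF2 work factor: raise until a single hash costs a noticeable fraction
# of a second on the login servers (600k is a common 2023-era baseline).
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage.

    A fresh 16-byte random salt per user means two accounts with the same
    password get different digests, so one cracked hash reveals nothing about
    the other and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(16)
    # Bind the per-user salt to the site secret. Without SITE_SECRET an
    # attacker holding only the database cannot even start guessing.
    effective_salt = hmac.new(SITE_SECRET, salt, hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), effective_salt, ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time,
    so response timing does not leak how many leading bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    # Constructed sample credentials for the demo.
    salt, digest = hash_password("correct horse battery staple")
    print("stored salt:  ", salt.hex())
    print("stored digest:", digest.hex())
    print("correct password accepted:", verify_password("correct horse battery staple", salt, digest))
    print("wrong password rejected:  ", not verify_password("Correct horse battery staple", salt, digest))
```

The database row holds only the salt and digest; the site secret is supplied at runtime. Using the username as salt, as the comment suggests, would work against precomputed tables but makes the digest change whenever a user renames their account and leaks which accounts share a password across sites that use the same scheme, which is why a random per-user salt is preferred.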
I'd take the focus of this article a step further and say, "A good password MANAGER is a requirement, not a luxury." I had to watch the entire video to catch the segue from how to create a password you can barely remember or type, to how to leverage that one good password to let you into all your accounts which have even stronger and totally unique passwords - by using a password manager.
I think people need to know which managers are the most secure and the easiest to use.
To that end I have just written a Password Manager Feature Manifesto to help compare one password manager against another: http://glenpeterson.blogspot.com/2011/01/top-10-t...
A good password manager can reduce the average user's password-related hassles while making them orders of magnitude more secure online.
The biggest causes of insecure passwords, besides user laziness, are:
1. Refusal of some sites to allow numerals, special symbols and punctuation.
2. Refusal of some sites to allow spaces. A short sentence, even if it's only lower case, vastly increases the difficulty of a brute-force attack.
3. Refusal of some sites to accept passwords without non-letter characters. They apparently rate security solely on the types of characters, not length. So users are forced to use passwords with hard-to-remember spelling, even if they're savvy enough to use long sentences instead.
4. Most mind-boggling, some sites set ridiculously short length limits for passwords, 10 or 12 characters.
I have 88 passwords stored in KeePass, which is secured by a long password. The passwords include not only websites, but hardware, like my wireless router. All of the passwords are very long unless the website is too stupid to support long passwords (there are at least two I can think of).
I've found that I have to memorize 5 passwords using KeePass: one for KeePass, one for the PC at home, one for the Debian GNU/Linux root (admin), one for the PC at work, and one for my encrypted flash drive (using TrueCrypt). I suppose I could keep the root password in there, but that just seems lazy, and when I need it I have to enter it often, so KeePass is more annoying than useful.
I was also successful at getting my wife to store her passwords in the KeePass database and setting her passwords to long, random digits. She even memorized a long random password for her email. So she has to remember one password primarily (email) and occasionally she needs one from the database.
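The length-versus-character-class argument in the list of causes above (a lower-case sentence beats a short symbol-laden password against brute force) and the article's own warning against dictionary words, as an added worked example that is not code from the article or any commenter. It estimates the brute-force search space in bits from length and character classes, gives the much smaller estimate that applies when the password is a passphrase of common words (assumed 7776-word list, as in Diceware), and flags plain dictionary words with trailing digits or symbols stripped. The word list is a constructed stand-in for a real cracking dictionary.

```python
import math
import string

# Constructed stand-in for a cracking dictionary; real lists hold millions of entries.
DICTIONARY = {"password", "letmein", "dragon", "monkey", "sunshine", "qwerty"}

# Character classes a brute-force attacker must cover; space is counted with punctuation.
CLASSES = [
    set(string.ascii_lowercase),          # 26
    set(string.ascii_uppercase),          # 26
    set(string.digits),                   # 10
    set(string.punctuation) | {" "},      # 33
]


def charset_size(password: str) -> int:
    """Alphabet size an attacker must assume, given which classes the password uses."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def search_space_bits(password: str) -> float:
    """Brute-force cost: length * log2(alphabet). Length dominates, which is the
    point of the complaint about sites that cap passwords at 10 or 12 characters."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(password: str, wordlist_size: int = 7776) -> float:
    """Cost if the attacker knows the password is N words from a known list.
    This is the honest figure for a dictionary passphrase; still far above a
    short 'complex' password once four or five words are used."""
    words = password.split()
    return len(words) * math.log2(wordlist_size) if words else 0.0


def is_dictionary_word(password: str) -> bool:
    """Catch 'Password1!' as well as 'password': lower-case, strip trailing
    digits/punctuation, and look the core up in the dictionary."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core in DICTIONARY


def assess(password: str) -> dict:
    """Summarise a candidate password for a policy check."""
    return {
        "length": len(password),
        "brute_force_bits": round(search_space_bits(password), 1),
        "passphrase_bits": round(passphrase_bits(password), 1),
        "dictionary_word": is_dictionary_word(password),
    }


if __name__ == "__main__":
    # Constructed sample inputs: a short "complex" password, a lower-case
    # sentence, and a dictionary word dressed up with a digit and symbol.
    for candidate in ["Tr0ub4dor&3", "correct horse battery staple", "Password1!"]:
        print(f"{candidate!r}: {assess(candidate)}")
```

The short mixed-class password comes out near 72 bits of brute-force work while the 28-character lower-case sentence is above 160 bits; even under the pessimistic assumption that the attacker knows it is four common words, the sentence is still around 52 bits. A site that rejects spaces or caps length at 10 characters removes the cheapest way for a user to reach that range.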