How Secure is Your Password?

by Jason Diehl on February 8, 2010

Seems to be a hot topic these days.  More and more I’m seeing headlines about passwords being broken.  Phishing attempts leading to access to online bank accounts.  Email accounts being compromised.  I work for a web hosting company and rarely a week goes by without at least one customer calling to say that their hosting account has been taken advantage of in some form, usually through a broken password.

It honestly seems like people these days don’t put enough importance on the security of their password.  In the recent email compromise, of all the Hotmail accounts that were taken advantage of, the most common password used was ‘12345’.  I mean come on folks, surely something a little more difficult isn’t that hard to remember?  And some of you reading this might snicker, but if you have a regular dictionary word (as in a word that can be found in the dictionary), then your password really is no safer.  Sure, change the vowels to numbers, hackers never thought about trying that.

Another way of losing your password is a compromised computer.  Using a Windows PC and not keeping it well protected, leaving it covered in viruses and spyware instead, is a surefire way to get your passwords stolen.  A common method this year for hackers to gain access to FTP accounts to modify websites is to have spyware on a computer, wait for you to connect with FTP (not encrypted, unsecured) and just read the password, since it’s sent in plaintext.  Use sFTP if it’s available: it’s encrypted, it’s safe.

I did a couple of generic searches for “common passwords” and such.  You’d be surprised what you’d find.  There are wide ranges of lists out there because everyone gets data from different places.  But some of the common ones I see are ‘123456’ or ‘letmein’ or my personal favorite, ‘password’.  Oh come on people, you are just asking to get digitally raped with a password of ‘password’, seriously, that’s the best you could come up with?

I’m not even saying we have to be crazy when thinking about what password we have to use, such as 24 characters of lower and upper case letters as well as numbers.  That’s paranoid right there.  But you should be keeping it at probably 8-9 letters and numbers, at least, and this should be a random set of values.  I hear a lot of people saying, “But I can’t remember it.”  Well, there are password managers out there.  You remember one password, and the manager remembers hundreds, even generates random ones for you if needed, and can auto-type them for you if you’d like (I use TK8 Safe, or Data Guardian for Mac).

For the most part, the mainstream hackers that are online are generally lazy, you might say.  They are not going to put any real effort into taking advantage of your accounts.  They want lots of accounts.  They don’t want to spend a week hacking just one account when they can throw up a phishing site and get the passwords for hundreds of accounts.  Or throw some spyware out there and just wait for people to connect to FTP.  Even just hitting accounts and trying the top 100 passwords would get them many, many accounts every day without any real effort.  So you really don’t have to put much effort into keeping a password secure, just the basics, and here they are:

  1. Don’t use dictionary words – use something a little more random.  Once you decide, spend 20 minutes writing it down or typing it out over and over; repetition will help you remember.  Or use a password manager if you have lots of accounts and want to use different passwords.
  2. Keep your computer clean of viruses and spyware – get some decent software to provide this protection.  Microsoft even offers a free program now.
  3. Be wary of emails about any of your accounts – email phishing attempts are huge.  If your bank emails you saying to visit your account, don’t click their convenient link; instead, you know the address, so type it in yourself.  Same for email accounts, PayPal, etc.  Don’t risk that the email is just a phishing attempt that is going to send you to a look-alike page to steal your password.
  4. If connecting to a hosting account, use sFTP where possible – FTP is not encrypted; always choose the encrypted option when possible.
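As an added illustration (example code, not from the post or any product it mentions), here is a small Python check that encodes the advice above: it rejects the common passwords the post lists, dictionary words even after the "change the vowels to numbers" trick, anything shorter than 8 characters, and passwords that are not a mix of letters and numbers. The word lists are constructed stubs; a real deployment would load full lists.

```python
import re

# Constructed stub of a common-password list; the post's "top 100" would go here.
COMMON_PASSWORDS = {"123456", "12345", "letmein", "password", "qwerty", "abc123"}

# Constructed stub of a dictionary; a real check would load a full word list.
DICTIONARY = {"password", "dragon", "monkey", "sunshine", "welcome", "secret"}

# Undo the usual digit/symbol-for-letter substitutions so that 'p4ssw0rd'
# is evaluated as the dictionary word 'password'.
LEET_MAP = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o",
                          "@": "a", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 8  # the post's "8-9 letters and numbers, at least"


def normalize(pw):
    """Lowercase, drop a trailing run of digits ('secret1' -> 'secret'),
    then reverse letter-to-number substitutions."""
    base = re.sub(r"\d+$", "", pw.lower())
    return base.translate(LEET_MAP)


def check_password(pw):
    """Return the list of reasons a password is weak; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    norm = normalize(pw)
    if norm in DICTIONARY:
        problems.append("is a dictionary word (possibly with vowels swapped for numbers)")
    has_letter = re.search(r"[A-Za-z]", pw) is not None
    has_digit = re.search(r"\d", pw) is not None
    if not (has_letter and has_digit):
        problems.append("does not mix letters and numbers")
    return problems


if __name__ == "__main__":
    for candidate in ("12345", "password", "p4ssw0rd", "x7Qm2kL9p"):
        print(candidate, "->", check_password(candidate) or "ok")
```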
