Tips on avoiding disaster with your online passwords
Source: Paul Hillman
More than 6 million password hashes were leaked from LinkedIn, and LinkedIn isn’t even telling you whether yours was one of them. Even eHarmony, for crying out loud, was hacked and its users’ passwords leaked. Is all fair in love and war? Really?
Well, duh. And speaking of that, you’ve changed your passwords on those sites, and all the others where you used the same passwords, right?
So your online security is, as it has really always been, on you, self-applied blinders notwithstanding. And that little meter with the red, yellow and green graphic that tells you how strong your password is? It measures little beyond length and the mix of characters, which is of little use against the password-cracking programs that work through a leaked list of password hashes offline, trying common words and patterns first and an enormous number of guesses per second after that.
We all tried those little two-factor authentication key-fob gizmos, but you lost it, didn’t you? Or dropped it in the lake.
So now what? Can a human really create a strong password? Can even some dropped-a-can-of-soda-on-the-keyboard password like “4zRq29B” beat really determined hackers? Not necessarily: a seven-character password, however random it looks, is within reach of an offline cracking program once the site’s password hashes have leaked. Besides, that password, while incredibly hard to guess by hand, is just as hard to remember.
But I just bought a savings bond for my goddaughter’s high school graduation with PayPal. Every time I access my PayPal account, I use two-factor authentication. It’s based on what I know, my password, and what I have, my cell phone.
I told PayPal I would always have the phone with me, so now it sends my cell a special text string when I access the account. I use that one-time password (OTP), along with my regular harder-to-guess password, with PayPal within the next 30 seconds and, voila! I’m in, and hackers aren’t. The code is different every time and expires quickly, so a password copied from a leaked list is no longer enough on its own; an attacker would also need the phone, and a code captured today is worthless tomorrow.
You can access the same kind of two-factor authentication on sites that offer it, too. And you should ask those that don’t to do so.
But for those that don’t, there is at least CAPTCHA. That’s the challenge-response test that differentiates between humans and automated login-guessing scripts by forcing hapless humans to read bizarrely formed or masked letters and numbers, and input them along with a password or online order form. It slows down guessing at the login page; it does nothing to protect a password once the site’s hashes have leaked and are being cracked offline, and it is no substitute for a second factor.
Oddly, we’re getting closer with online security to the “my voice is my passport, verify me” voice password that users of a certain age will recall from the 1992 Robert Redford/River Phoenix movie, “Sneakers.” Biometrics like that are the “next big thing” in password security.
It may not be long before Web users start uploading their photos to sites they use regularly. Then, your webcam will automatically switch on, take a photo of the person trying to log onto a site, and use facial-recognition software to compare the new picture with one on file. Or it could be voice recognition. Another form of biometrics that could come online is fingerprint ID, through your keyboard.
In the meantime, you have password management software options, including RoboForm, LastPass or 1Password, to create and manage your stable of passwords. Make sure you’ve got the latest versions, especially on Macs; there were glitches with some recent versions.
Go ahead and grouse about actually bestirring yourself to act, but if security is lacking on any site you use, all the security in the world at your bank or credit-card company won’t matter if you use the same password there that you use at other, potentially less-secure sites.
Password tips
Changing your password from “123456,” the second-most popular password behind the word “password,” to “654321” does not constitute “security.” Especially since “654321” is the 21st most-used password, and every cracking program tries the whole list of popular passwords before it tries anything else.
If you don’t, won’t or can’t use more technical security improvements, at least try to build some better passwords:
• Abbreviate initials and numbers from an extended phrase, mix up the cases, and throw in a special character: 2Bon2b* comes from Shakespeare’s Hamlet: "To be or not to be…” (That’s an example. Don’t use it.)
• Or use three unrelated, untraceable words or number sets. No birthdays, grandkids’ nicknames, phone numbers, anniversaries, high schools, pets, license or Social Security numbers, or anything else that could appear on any website anywhere. Separate short words with spaces or non-alpha-numeric symbols known as “special characters.”
• Consider 12-character passwords, rather than six or eight characters. Every extra character multiplies the number of guesses an attacker has to try by the size of the alphabet you draw from, so length does more for you than any single special character. More websites are allowing passwords up to 15 characters.
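The three tips above can be turned into a checker. What follows is an added example, not code from the column: it rejects anything on a list of common passwords, estimates the brute-force search space from length and alphabet size, converts that to a cracking time at an assumed guess rate, and compares a six-character password with a twelve-character one and with the three-unrelated-words passphrase. The blocklist is a constructed sample (a real check would use a full breach list), the 60-bit pass mark and the guess rate are assumptions, and the keyspace figure is an upper bound: a password assembled from a dictionary word or a date is far weaker than its character mix suggests, which is exactly why the coloured meter misleads.

```python
"""Password checks for the tips above: common-password blocklist, keyspace
estimate, and length comparison. Added example, not from the original column.
"""
import math
import string

# Constructed sample of known-common passwords; the column names the first three.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "654321", "12345678", "qwerty", "abc123",
    "letmein", "111111", "iloveyou", "monkey",
})

# (name, characters, alphabet size); the four sets add up to the 95 printable ASCII characters.
CHARSETS = (
    ("lower", frozenset(string.ascii_lowercase), 26),
    ("upper", frozenset(string.ascii_uppercase), 26),
    ("digit", frozenset(string.digits), 10),
    ("symbol", frozenset(string.punctuation + " "), 33),
)

MIN_BITS = 60.0      # assumed pass mark for this example
MIN_LENGTH = 12      # the column's recommendation


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every ASCII character used."""
    return sum(n for _name, chars, n in CHARSETS if any(c in chars for c in password))


def keyspace_bits(password: str) -> float:
    """Brute-force search space, in bits, for a random password of this length
    over this alphabet. Returns 0.0 for an empty or entirely non-ASCII password."""
    size = alphabet_size(password)
    if not password or size == 0:
        return 0.0
    return len(password) * math.log2(size)


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Bits for `words` words drawn uniformly from a dictionary of that size
    (the 'three unrelated words' tip, assuming the words are picked at random)."""
    return words * math.log2(dictionary_size)


def crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password: half the space at the given guess rate."""
    return (2.0 ** bits / 2.0) / guesses_per_second


def check_password(password: str, min_len: int = MIN_LENGTH, min_bits: float = MIN_BITS) -> list:
    """Return the reasons a password is rejected; an empty list means it passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if keyspace_bits(password) < min_bits:
        problems.append(f"search space below {min_bits:.0f} bits")
    return problems


if __name__ == "__main__":
    rate = 1e9   # assumed offline guess rate against a fast, unsalted hash
    for pw in ("654321", "2Bon2b*", "4zRq29B", "Kq7!pmZ2vd#R", "correct horse battery"):
        bits = keyspace_bits(pw)
        print(f"{pw!r:26} {bits:6.1f} bits  {crack_seconds(bits, rate):14.1f} s  {check_password(pw)}")
    print(f"three words from 8,192: {passphrase_bits(3, 8192):.1f} bits")
```

Note what the numbers say about the column’s tips: “654321” is rejected on the blocklist before its size is even considered, the Hamlet-derived “2Bon2b*” fails on length alone, and three random words from a modest list already beat most seven-character passwords while being far easier to remember.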
Paul Hillman is a partner at C/D/H, a Grand Rapids-based technology consulting firm.