Diligent creation of passwords a key step in online protection
By Anick Jesdanun ASSOCIATED PRESS
NEW YORK — Security experts say passwords for more than 2 million Facebook, Google and other accounts have been compromised and circulated online, just the latest example of breaches involving leading Internet companies.
Some services, including Twitter, have responded by disabling the affected passwords. But you can do several things to minimize further threats — even if your account isn’t among the 2 million that were compromised.
Tips to help you secure your online accounts:
One thing leads to another
When a malicious hacker gets a password to one account, it’s often a stepping stone to a more-serious breach, especially because many people use the same passwords on multiple accounts. So if someone breaks into your Facebook account, that person might try the same password on your banking or Amazon account. Suddenly, it’s not just about fake messages being posted to your social-media accounts. It’s about your hard-earned money.
It’s particularly bad if the compromised password is for an email account. That’s because when you click on a link on a site saying you’ve forgotten your password, the service will typically send a reset message by email. People who are able to break into your email account, therefore, can use it to create their own passwords for all sorts of accounts. You’ll be locked out as they shop and spend, courtesy of you.
If the compromised password is one you use for work, someone can use it to break into your employer’s network, seeking files with trade secrets or customers’ credit-card numbers.
[Photo, Toby Talbot / Associated Press: A password attack in progress at the Norwich University computer-security training program]
Many breaches occur because passwords are too easy to guess. There’s no evidence that guessing was how these 2 million accounts got compromised, but it’s still a good reminder to strengthen your passwords. Researchers at security company Trustwave analyzed the passwords compromised and found that only 5 percent were excellent and 17 percent were good. The rest were moderate or worse.
What makes a password strong?
• Make them long. The minimum should be eight characters, but even longer is better.
• Use combinations of letters and numbers, upper and lower case, and symbols such as the exclamation mark. Try to vary it as much as you can. “My!PaSs-WoRd-32” is far better than “mypassword32.”
• Avoid words that are in dictionaries, as there are programs that can crack passwords by going through databases of known words. These programs know about such tricks as adding numbers and symbols, so you’ll want to make sure the words you use aren’t in the databases. One trick is to think of a sentence and use just the first letter of each word — as in “tqbfjotld” for “the quick brown fox jumps over the lazy dog.”
• Avoid easy-to-guess words, even if they aren’t in the dictionary. Avoid your name, company name or hometown, for instance. Avoid pets and relatives’ names, too. Likewise, avoid things that can be looked up, such as your birthday or ZIP code.
One other thing to consider: Many sites let you reset your password by answering a security question, but these answers — such as your pet’s name or your mother’s maiden name — are possible to look up. So try to make these answers complex just like passwords, by adding numbers and special characters and making up responses.
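As an added illustration (not part of the article), the rules above turned into a checker you can run against your own candidates, including security-question answers: it undoes the bolted-on digits, symbols and leetspeak that cracking programs already try before looking a word up, flags personal details you supply, and builds the first-letter-of-each-word string the article suggests. The dictionary is a constructed handful of words; real cracking lists hold millions.

```python
from __future__ import annotations
import re

# Constructed mini "cracking dictionary"; real tools use millions of entries.
DICTIONARY = {"password", "mypassword", "welcome", "letmein", "dragon", "monkey"}
# Substitutions that cracking programs' mangling rules already try.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def sentence_initials(sentence: str) -> str:
    """The article's trick: the first letter of each word of a sentence you can remember."""
    return "".join(word[0] for word in re.findall(r"[A-Za-z]+", sentence))


def normalize(pw: str) -> str:
    """Undo what a cracker undoes: strip digits/symbols bolted on at either end, then leetspeak."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return core.translate(LEET).lower()


def rate_password(pw: str, personal: frozenset[str] = frozenset()) -> tuple[str, list[str]]:
    """Rate pw as weak / moderate / good / excellent and list the problems found.

    personal: things about you that can be looked up (name, hometown, pet, birthday, ZIP).
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    core = normalize(pw)
    if core in DICTIONARY:
        problems.append(f"dictionary word '{core}' with numbers/symbols added")
    hits = sorted(p for p in personal if p and p.lower() in pw.lower())
    if hits:
        problems.append("contains guessable personal info: " + ", ".join(hits))
    weak = len(pw) < 8 or core in DICTIONARY or bool(hits)
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    if weak:
        return "weak", problems
    if problems:  # only the class-mix rule failed
        return "moderate", problems
    return ("excellent" if len(pw) >= 12 and classes == 4 else "good"), problems


if __name__ == "__main__":
    for candidate in ("mypassword32", "P@ssw0rd1", "tqbfjotld", "My!PaSs-WoRd-32"):
        print(candidate, rate_password(candidate, frozenset({"jan", "10001"})))
```

Note that "P@ssw0rd1" rates as weak even though it mixes all four character classes, which is exactly the article's point about tricks the cracking programs already know.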
A second layer
Many services offer a second level of authentication when you’re accessing them from a computer or device for the first time. These services will send you a text message to a phone number on file, for example. The text message contains a code that you need in addition to your password. The idea is that a hacker might have your password but lack ready access to your phone.
Facebook, Google, Microsoft and Twitter are among the services offering this dual authentication. It’s typically an option, something you have to turn on.
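The "new device gets a texted code" step described above, as an added model that is not any of those services' code: the password check has already passed, a known device is let straight in, a new one must return a one-time code that expires, works once, and allows only a few guesses. The time-to-live and attempt limit are assumed values, and the SMS gateway is a callable you supply.

```python
import hmac
import secrets
import time

CODE_TTL = 300       # seconds a texted code stays valid (assumed value)
MAX_ATTEMPTS = 3     # wrong guesses before the code is discarded (assumed value)


class SecondFactor:
    """Model of the 'code texted to your phone on a new device' step (constructed example)."""

    def __init__(self, send_sms):
        self.send_sms = send_sms   # callable(phone, code); a real service hands this to an SMS gateway
        self.trusted = {}          # user -> set of device ids that have already passed the code check
        self.pending = {}          # user -> [code, expires_at, attempts_left]

    def after_password_ok(self, user, device_id, phone, now=None):
        """Called once the password checked out. Known device: done. New device: text a code."""
        now = time.time() if now is None else now
        if device_id in self.trusted.get(user, set()):
            return "logged_in"
        code = f"{secrets.randbelow(10**6):06d}"   # unpredictable 6-digit one-time code
        self.pending[user] = [code, now + CODE_TTL, MAX_ATTEMPTS]
        self.send_sms(phone, code)
        return "code_required"

    def submit_code(self, user, device_id, code, now=None):
        """Second step: the code shows the person also holds the phone, not just the password."""
        now = time.time() if now is None else now
        entry = self.pending.get(user)
        if entry is None:
            return "no_challenge"
        expected, expires_at, attempts_left = entry
        if now > expires_at:
            del self.pending[user]
            return "expired"
        if not hmac.compare_digest(expected, code):   # constant-time comparison
            entry[2] = attempts_left - 1
            if entry[2] == 0:
                del self.pending[user]                # too many guesses: start over
                return "locked"
            return "wrong_code"
        del self.pending[user]                        # a code is good for exactly one login
        self.trusted.setdefault(user, set()).add(device_id)
        return "logged_in"
```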
All good, but these days, we must be ever more diligent. Though I have posted on this subject a number of times, it never gets old and sometimes we can pick up even one new idea to help us stay protected (as we can). Want to mention that I have obviously become a new target for snoopy scammers out there — they literally are crawling out of the floorboards, I guess.
My computer’s inbox has been receiving almost daily notices that my recent order from Target, Costco and a few others has been cancelled due to the fact that my address was incorrect. I should immediately call a certain number or contact another site to amend my information history. And so on. Easy for me to spot these as I don’t shop at those stores, so I quickly deleted them. I know better than to open any email I am not sure of or truly recognize – one of the easiest ways to “receive” terrible virus destruction to my costly investment. How dare they! But so many do, and I bet it’s working on some.
Another nuisance which could be ruinous is recent demands alerting me to the change in schedule — I must appear in court on such and such a day and at a particular time. It’s all terribly official sounding; however, no court case or document is being cited, nor even any particular information documenting what any of this is about. One is advised to respond by XXX (as above). It does take a bit of courage to delete what could actually be an important legal proceeding — but really doubt that anything of any value is going on as this is the first I would know about it. So ZAP! I’m just sayin’ take care, Jan