Tuesday, February 10, 2015

Passwords

I ran across an article today in USA Today about a security consultant who had released a database of over 10 million usernames and passwords that had been collected from various hacks over the years.  His point in releasing this database is that these lists are already widely available on the Internet to malicious users, so releasing it does not really make things worse, but it does give security professionals a database they can use to analyze their own password databases and see how secure they are.
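As an added example (not code from the original post or from the consultant's release), here is what such an audit can look like: a constructed user store of PBKDF2-salted password hashes is checked against a constructed leaked-password list, re-hashing each leaked password under each user's own salt. The list, the users and the iteration count are all assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data, not from the original post: a short leaked list
# and a tiny user store. A real audit would load the released list and
# your own password database in place of these.
LEAKED_PASSWORDS = ["123456", "password", "qwerty", "letmein", "football"]

def hash_password(password, salt, iterations=50_000):
    """PBKDF2-HMAC-SHA256 with a per-user salt, so two users who chose the
    same password still get different stored hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def make_user(name, password):
    salt = os.urandom(16)
    return {"user": name, "salt": salt, "hash": hash_password(password, salt)}

USER_DB = [
    make_user("alice", "letmein"),                       # on the leaked list
    make_user("bob", "correct horse battery staple"),    # not on the list
    make_user("carol", "password"),                      # on the leaked list
]

def audit_against_leak(user_db, leaked_passwords):
    """Return {username: leaked_password} for every account whose stored hash
    matches a password from the leaked list. Because salts differ per user,
    each leaked password has to be re-hashed under each user's salt; the
    slow KDF is what keeps this expensive for an attacker as well."""
    findings = {}
    for record in user_db:
        for candidate in leaked_passwords:
            digest = hash_password(candidate, record["salt"])
            if hmac.compare_digest(digest, record["hash"]):
                findings[record["user"]] = candidate
                break
    return findings

if __name__ == "__main__":
    # Report affected accounts without echoing the matched passwords.
    for user in audit_against_leak(USER_DB, LEAKED_PASSWORDS):
        print(f"{user}: password appears on the leaked list, force a reset")
```

The accounts this reports are the ones whose owners are exposed exactly as the post describes: their password is already on a list that is being bought and sold.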

I will agree that password lists of this variety are widely available on the Internet.  Here's how it goes.

  1. A list of usernames and passwords is stolen from website A.
  2. This list is bought and sold on the underground Internet.  Think of this as an eBay-style marketplace for malicious characters.
  3. Someone writes a script that uses the stolen username/password list to attempt to log in to website B.
  4. Since many users re-use the same username/password combination, the malicious user is able to log in to site B under your identity.
  5. Usually they don't stop at one site, but try hundreds of sites.

What do they do?  Perhaps it is to get personal information to use for identity theft.  Perhaps it is to spam other accounts with some sort of marketing message.  Who knows.  But it is something you would not do with your account, and that is a problem.
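From the site operator's side, steps 3 and 4 leave a recognisable trace in the login log: one source working through many different usernames, with an occasional success where a password was reused. The following is an added example (not code from the original post) that runs that detection over a few constructed log lines; the log format, field names and the five-account threshold are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines, not from the original post. The first source
# cycles through many different accounts (the credential-stuffing pattern);
# the second is one user mistyping their own password and then getting it right.
SAMPLE_LOG = """\
2015-02-10T03:14:07Z ip=203.0.113.7 user=alice result=fail
2015-02-10T03:14:08Z ip=203.0.113.7 user=bob result=fail
2015-02-10T03:14:09Z ip=203.0.113.7 user=carol result=success
2015-02-10T03:14:10Z ip=203.0.113.7 user=dave result=fail
2015-02-10T03:14:11Z ip=203.0.113.7 user=erin result=fail
2015-02-10T03:14:12Z ip=203.0.113.7 user=frank result=fail
2015-02-10T03:20:01Z ip=198.51.100.4 user=alice result=fail
2015-02-10T03:20:09Z ip=198.51.100.4 user=alice result=fail
2015-02-10T03:20:20Z ip=198.51.100.4 user=alice result=success
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

def parse(log_text):
    """Yield (ip, user, result) for each line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("result")

def find_credential_stuffing(log_text, min_distinct_users=5):
    """Return {ip: {"users": n, "failures": f, "compromised": [...]}} for every
    source that attempted at least min_distinct_users different accounts.
    'compromised' lists the accounts that source logged into successfully:
    those are the reused passwords that need an immediate reset."""
    per_ip = defaultdict(lambda: {"users": set(), "failures": 0, "successes": []})
    for ip, user, result in parse(log_text):
        stats = per_ip[ip]
        stats["users"].add(user)
        if result == "success":
            stats["successes"].append(user)
        else:
            stats["failures"] += 1
    alerts = {}
    for ip, stats in per_ip.items():
        if len(stats["users"]) >= min_distinct_users:
            alerts[ip] = {"users": len(stats["users"]),
                          "failures": stats["failures"],
                          "compromised": stats["successes"]}
    return alerts

if __name__ == "__main__":
    for ip, a in find_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {a['users']} accounts tried, {a['failures']} failures, "
              f"compromised={a['compromised']}")
```

A single user retrying their own password never trips the threshold, which is why the rule counts distinct usernames per source rather than raw failures.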

There are a couple of root causes here.  The first one is that securing a site with only a password is actually a pretty weak form of security.  That is why you see companies like Google, Yahoo! and Twitter moving to two-factor authentication wherever they can.

Second, way too many of us use the same password on multiple sites.  Even if we have a strong password, all it takes is any one of those sites to be compromised, and our once strong password is on a list somewhere being bought and sold on the shady side of the Internet.  And now, all it takes is someone with a little bit of scripting knowledge, and most if not all of the accounts we own can be compromised.

Securing Your Accounts

You need to take action now.  Not tomorrow, not next week, not next month.  Today.  Preferably now.

Get a Password Manager -- You need to have a different password for each account.  Period.  This way, if one site gets hacked, only your data on that site is compromised, not every site.  But you will never remember all of these passwords.  So get a password manager that will securely store all of the new, strong passwords you are about to create.

I myself like KeePass.  The main reason I like it is that it lives on a USB stick.  I do not want to store my passwords in the cloud somewhere, because anything in the cloud can be hacked.  Sure, my PC can be hacked too, but the reward of hacking my PC is just getting my passwords.  The reward of hacking a cloud-based password manager is getting a whole lot of people's passwords.  And if anyone has forgotten, anything in the cloud can be hacked.  I can take a USB stick out of my PC and secure it when it is not in use.


Change the Password on Your Most Critical Accounts -- This would be all of your email accounts, so Google, Yahoo!, Hotmail and the like, and accounts like Facebook and Twitter.  On most sites, if your password is changed or a significant event occurs, they email you.  But if your email is compromised, then a hacker can better cover their tracks.  Eventually you want to change all of your accounts, but these are the priority accounts to change.  And again, use your new password manager to generate all new, random strong passwords twenty or more characters in length.  You want to make things as hard as possible for the bad guys.

Turn on Two Factor Authentication Where Available -- Google, Yahoo! and Twitter all have it.  Usually this means that if you want to connect a new device to one of these accounts or perform a password change, they are going to send an SMS message to your phone so you can verify that indeed it is you making the change.  If you get an SMS message that you did not initiate, you know something is going on and you can react to it.

This is not perfect.  If someone gets hold of your phone, they probably also have access to your email.  But this is much better than just having a password.  It's another mechanism to authenticate that it is really you logging in to your account, hence the name two-factor authentication.

What Next?

These are your most critical accounts, but if you are like me, you could have 100 or more accounts out there.  So come up with a list and prioritize these accounts to change to all new unique passwords.  Try to do five a day for the next week.  It's not fun, and it takes time, but it is less time than it takes to clean up after someone uses your account for activity you did not authorize.

The point is, we all have to start being much more proactive about security.  Bad guys aren't going away.  People selling password lists are not going away.  Companies will still store passwords and other data insecurely.  But we cannot be the victim.  We have to do everything in our power as consumers to make it harder for the bad guys.  And when it comes to companies that do not securely store our information, we need to vote with our dollars to take our business elsewhere.
