This weekend, hackers broke into the servers of the popular shoe shopping site Zappos, giving them access to the personal information of 24 million Zappos customers. The user data taken included names, email addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and encrypted passwords. However, full credit card data was not lifted, and passwords were cryptographically scrambled.
But users are warned that they will fall victim to phishing scams via email. So, as always, make sure any links you click on in emails are legit. But the best practice is to never click on any!
All of the customers were required to reset their passwords, but this isn't the first time, and certainly won't be the last, that a website gets breached. So, this is the perfect time to remind everyone on the importance of strong passwords. Whether you're joining a site or resetting a password, make sure you always consider the following eight steps.
Step 1: Make Sure Your Password Is Unique
Meaning, do NOT reuse passwords on other sites or applications. If one of the sites gets hacked, that means an attacker has your login information for other sites, as well. And they can reset your passwords anywhere and take control of your data.
However, this can be a really tough task if you've created hundreds of accounts online, which is becoming the norm these days. If you just can't help yourself from reusing passwords, make sure you at least create unique ones for the important ones, i.e. email accounts, social networking sites (like Facebook), bank accounts, and any sites that have your address, credit card information, social security, etc. stored.
But you still should use unique ones for every site. If you need help remembering your logins, try creating a file that contains them and securing it with a TrueCrypt container. That way you only have one password to remember.
Step 2: Use Long Passwords
The shorter your passwords are, the shorter time and effort it takes to crack them. Don't use anything less than 12 characters if you can help it. Again, if you're using a different password for multiple sites, that's where something like TrueCrypt comes in handy. Because then you can only memorize one password (which should be extremely long!) to gain access to your other passwords.
Step 3: Use Cryptic Combinations
Do not simply type in a word or phrase. Do not spell your mother's name backwards or use your birthday digits. Do not make a password that is anything easy. Make use of the full ASCII encoding scheme to make your passwords tough.
Step 4: Lie on Password Recovery Questions
Password recoveries via email are easy ways for hackers to get into your accounts. And more than likely, if they know your name, they can find out what your mother's maiden name is, or what city your high school was in, possibly even your dead pet's name. Some sites won't allow you to skip this step, so what do you do? Lie. Fake information makes it harder for hackers to reset your passwords.
Step 5: Avoid Leetspeak
Or.... 1337-5p34k. If you commonly replace letters with lookalike numbers, then you may want to stop. If you creating really long passwords, you might be okay, but leetspeakers tend to stick to short ones, thinking it's safe. But there are leetspeak dictionaries out there, as Null Byte has pointed out, making it an easy task for hackers to decrypt.
Step 6: Change Them Frequently
Don't keep the same password for very long. Eventually, it could become compromised. The best tactic to use is changing your passwords regularly. Make a habit of doing it every other time you visit a website or at least once a month.
Step 7: Keep Them to Yourself
It's an obvious step, but don't tell anyone your passwords, even your spouse. You can only fully trust yourself, and that's it. Also, avoid storing passwords in your web browser's cache, because those can become compromised. And avoid using applications that store your passwords. The best solution is creating a document and protecting in an encrypted container, as mentioned in the first step above. Also, avoid any password suggestion software, or sites that tell you how secure your password is, because then you're not the only one who has the password now, right?
Step 8: Use On-Screen Keyboards
Using on-screen keyboards for entering your passwords can help protect keyloggers from stealing your passwords. Mac computers have the handy Keyboard Viewer that you can use. You can also defend from keyloggers using browser plugins for keystroke encryption (here's one for Firefox).
More Information
To see how hackers can actually hack your encrypted passwords, check out Null Byte's article on bruteforcing hashes. And for even stronger (and more technical) practices to use when dealing with passwords, check out Alex Long's exhaustive article on creating strong passwords.
Just updated your iPhone? You'll find new Apple Intelligence capabilities, sudoku puzzles, Camera Control enhancements, volume control limits, layered Voice Memo recordings, and other useful features. Find out what's new and changed on your iPhone with the iOS 18.2 update.
8 Comments
Well done. :) some good tips in here.
Thanks. I wouldn't know any of these things (well.. maybe the obvious ones) without all of you at Null Byte... and the rest of WHTers out there.
Haha, how flattering, thank you. I love the post :).
Good post Justin and some good tips indeed. I must admit though I'm disappointed in how some websites handle passwords. In example, some Government Departments require me to use their online services to make reports, etc. The password options I'm given? The first part of the password must start with a letter then the rest is either letters or number (with six characters maximum). What disgusts me even more is another Government website I'm with. It does not accept letters. Just numbers. 12 numbers long - that's it and I have to store some real sensitive information in it.
I also would like to add that an email layout should never be set to automatically open or expand as you don't even have to click a link to get malware. Further - GMail offers a HTML version which is probably a good idea for those who are really security focused.
Yeah, my bank has a maximum allowed 12 character limit, which I brought up as a big issue. They looked at me confused when I made my PIN 12 digits long, too.
Yeah... They've got a LONG way to go...
how one could brake this: nKlN2.Sl^mD={PxYBax,gxSWS$zYQeCO20/ik%23",aZa09fDUFW?w=TZubLe=lGQJ61#p@8Y*!W(O'uXjAt!lh'SxCgc*Cj')(%F^hr0B9oE}s36'x&t&41?JQP+MXsXmJ2E,nV[yLf{6fGZ}BZM1#w:U$UqeJK5J:gsWR*:^WMc2Dg:n"D6|f-/oX'tH![)L.wrrEDt86DNef&Mj[h(/MN1me17@YT=CVan)ML:tCZj|iy{W(TE9#Dvj)0S.Akniw(>GhviZq1~5tI6nU?o3*/TNmXtr/PI!BC)c=Uh2n\ER^hBT-;mG|va'LwCB4@7XAjse19VA%nVv2YuV~lfI<%}[SUL|yR)8+Eb1%kisBuQl3%CLNv|@%bAE(p8QH2fRCorGH/=#''FRR?k"s?kN=Z{!<!Q-.b&RYM$Ra@;"Q/9#BOp,j3'u!0Uo^%'sJR&6{b|nqY2oI'wV/.YgfP8rj3LmM7|PV@M3#{m1TwB^ZVE\Vcf#9m%WX#9S7u7J.jXGKs2T7k@N?@,RlCJ{lO+"Nsq9.y{5=%|5MffQedYLt;[lC~RmAgrj.@)cDE8E#&&yEd2>6HmM0FSE=dl#f/LD2{"|P;(<Yt^Mz9obF(kn@KA'#?"("|h''1()9=jeYl"D>a&f|lJ<JtJ-tI6Z~Qro=sF$~Rze3PXzr)BxMzM.mqT@T|LQiz-r7|r@2BkQh^)oD6zjS|<|CO5)"C>8(<I<U6\(|KKbu+QbVvv,/B-%{sbVOt\zjp9$-(&$d9A7!kJ|cKiR-luQ(e//"!U4hqP9s8t"f|^Y7r-
Could be broken (not break(en)), and what would it need, time. Little longer than our sun has though so might want to put that one aside.
Share Your Thoughts