This weekend, hackers broke into the servers of the popular shoe shopping site Zappos, giving them access to the personal information of 24 million Zappos customers. The user data taken included names, email addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and passwords in hashed ("cryptographically scrambled") form. Full credit card numbers were not lifted, and the passwords were not stored in plaintext. Keep in mind, though, that a hashed password is not out of reach: an attacker with the hash can guess candidates offline at very high speed, so a weak password still falls.
Zappos is warning users to expect phishing emails, since the stolen names and addresses let a scam message look legitimate. So, as always, make sure any link you click on in an email is legit. The safest habit is to click none of them: type the site's address into your browser yourself.
All Zappos customers had their passwords reset, but this isn't the first time, and certainly won't be the last, that a website gets breached. So, this is the perfect time to remind everyone of the importance of strong passwords. Whether you're joining a site or resetting a password, make sure you always consider the following eight steps.
Use a different password for every site. That means do NOT reuse passwords on other sites or applications. If one site gets hacked, the attacker now has a username and password to try on every other site, and they do try them, automatically and in bulk. If the reused password also guards your email account, they can reset your passwords anywhere and take control of your data.
However, this can be a really tough task if you've created hundreds of accounts online, which is becoming the norm these days. If you just can't help yourself from reusing passwords, make sure you at least create unique ones for the accounts that matter most: email accounts, social networking sites (like Facebook), bank accounts, and any site that stores your address, credit card information, social security number, etc.
But you still should use unique ones for every site. If you need help remembering your logins, try keeping them in a file stored inside a TrueCrypt encrypted container. That way you only have one password to remember. (TrueCrypt development ended in 2014; VeraCrypt is its maintained successor and works the same way.)
Make your passwords long. The shorter your password, the less time and effort it takes to crack it: every extra character multiplies the number of guesses an attacker has to make. Don't use anything less than 12 characters if you can help it. Again, if you're using a different password for every site, that's where something like a TrueCrypt container comes in handy, because then you only have to memorize one password (which should be extremely long!) to gain access to all the others.
Make them unpredictable. Do not simply type in a word or phrase. Do not spell your mother's name backwards or use your birthday digits; anything built from a dictionary word or a fact about you is exactly what cracking tools try first. Make use of the full printable character set (upper and lower case letters, digits, and symbols) so an attacker has to cover a larger alphabet at every position.
Don't answer security questions honestly. Password recovery via email and "secret questions" is an easy way for attackers to get into your accounts. More than likely, if they know your name, they can find out what your mother's maiden name is, or what city your high school was in, possibly even your dead pet's name. Some sites won't allow you to skip this step, so what do you do? Lie. Treat the answer as a second password: a made-up answer that you keep in your encrypted file is far harder to reset your account with than the true one.
Don't rely on leetspeak, either.... 1337-5p34k. If you commonly replace letters with lookalike numbers and symbols, then you may want to stop. If you create really long passwords, you might be okay, but leetspeakers tend to stick to short ones, thinking the substitutions make them safe. Cracking tools apply those same substitutions automatically, as rules on top of an ordinary wordlist, and there are ready-made leetspeak dictionaries out there, as Null Byte has pointed out, making it an easy task for an attacker to crack the hash.
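To make the length advice and the leetspeak point concrete, here is an added example; it is not code from the original article or from Null Byte. It computes the brute-force keyspace of a password from its length and the character classes it uses, then runs the attack a cracker actually performs against a leetspeak password: a small wordlist with substitution rules applied, checked against an unsalted SHA-256 hash. The guess rate, the wordlist, the hashed password and the substitution table are all constructed for the illustration, not taken from any real tool's rule file or any real breach.

```python
"""Added example: why length beats leetspeak.

1. Brute-force cost grows as charset ** length, so length is the lever.
2. A cracker does not brute-force a leetspeak password; it takes a wordlist
   and applies substitution rules, so "p455w0rd" falls in a few dozen guesses.
"""
import hashlib
import itertools
import math
import string

# Assumed guess rate (order of magnitude only, not a measurement): roughly one
# modern GPU against an unsalted fast hash such as SHA-256.
GUESSES_PER_SECOND = 10_000_000_000

# Constructed substitution table of the kind cracking rule sets apply.
# Keys are lowercase letters; values are the lookalikes a rule may swap in.
LEET = {"a": "4@", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "5$", "t": "7"}


def charset_size(password: str) -> int:
    """Alphabet a brute-forcer must cover: the union of character classes used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)   # 26
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)   # 26
    if any(c in string.digits for c in password):
        size += len(string.digits)            # 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)       # 32 printable ASCII symbols
    return size


def naive_entropy_bits(password: str) -> float:
    """log2 of the keyspace, assuming every position is an independent random pick."""
    return len(password) * math.log2(charset_size(password))


def brute_force_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: time to exhaust the whole keyspace of this length and character mix."""
    return charset_size(password) ** len(password) / rate


def leet_variants(word: str):
    """Yield every combination of LEET substitutions, the untouched word first."""
    options = [[c] + list(LEET.get(c.lower(), "")) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, standing in for whatever fast hash a breached site used."""
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_leet_attack(target_hash: str, wordlist):
    """Try each word, plain and capitalised, under every leet variant.

    Returns (plaintext, guesses_made); plaintext is None if nothing matched.
    """
    guesses = 0
    for word in wordlist:
        for base in (word, word.capitalize()):
            for candidate in leet_variants(base):
                guesses += 1
                if sha256_hex(candidate) == target_hash:
                    return candidate, guesses
    return None, guesses


# Constructed inputs: a four-word list and the hash of a leetspeak password,
# i.e. what an attacker pulls out of a breach dump.
WORDLIST = ["letmein", "monkey", "password", "dragon"]
LEAKED_HASH = sha256_hex("p455w0rd")

if __name__ == "__main__":
    for pw in ("p455w0rd", "Tr0ub4dor&3", "correct-horse-battery-staple"):
        print(f"{pw!r}: {naive_entropy_bits(pw):.1f} bits, "
              f"brute force <= {brute_force_seconds(pw):,.0f} s")
    found, n = dictionary_leet_attack(LEAKED_HASH, WORDLIST)
    print(f"rules attack recovered {found!r} after {n} guesses")
```

Run it and compare the two numbers for "p455w0rd": exhausting its 36^8 keyspace is a few minutes at the assumed rate, but the rules attack never needs the keyspace at all and recovers it from a four-word list in 132 guesses. Adding characters raises the first cost exponentially; only avoiding dictionary roots altogether defeats the second.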
Don't keep the same password forever. Eventually, it could become compromised without you ever hearing about it. Change it immediately when a site you use is breached (as with Zappos), and make a habit of changing passwords regularly beyond that. One caveat: a rotation that just bumps a digit on the end is no rotation at all; each new password has to be as long and random as the last.
Keep your passwords to yourself. It's an obvious step, but don't tell anyone your passwords, even your spouse. You can only fully trust yourself, and that's it. Also, avoid letting your web browser save your passwords, because that saved-password store can be read by anyone who gets at your machine or profile. And avoid applications that store your passwords in a form you can't verify is encrypted. The best solution is creating a document and protecting it in an encrypted container, as mentioned in the first step above. Also, avoid password suggestion software or sites that tell you how secure your password is: once you've typed it into someone else's page, you're not the only one who has it, right?
Use an on-screen keyboard on machines you don't fully trust. Entering your passwords this way can help protect against keyloggers that capture keystrokes, although it does nothing against malware that captures the screen or reads the password field directly, so treat it as a mitigation rather than a cure. Mac computers have the handy Keyboard Viewer that you can use. You can also defend against keyloggers using browser plugins for keystroke encryption (here's one for Firefox).
To see how hackers can actually hack your encrypted passwords, check out Null Byte's article on bruteforcing hashes. And for even stronger (and more technical) practices to use when dealing with passwords, check out Alex Long's exhaustive article on creating strong passwords.