A few months ago, I had written a blog – What the hack? – which highlighted the spate of hack attacks which had been happening at the time. Times have not changed much since then, and we keep on hearing about more and more password leaks, hacks, stolen identities and loss of personal information.
Adobe was a very notorious victim, with millions of passwords compromised. More recently, security firm Trustwave discovered a trove of about 2 million login credentials for a number of social networking sites including Facebook, Yahoo, LinkedIn, Twitter, Google and vk.com. Looking at the actual passwords reveals some alarming information: a substantial number of users actually use passwords which are dead easy to guess. The most common passwords are:
Now, as a website administrator, you probably don’t need us to tell you that you shouldn’t be using these types of passwords. So let’s come up with a few DO’s and corresponding DON’Ts. Drum these rules into the heads of your users, your better half, your kids, your parents, your colleagues, your dog or whoever uses passwords online. Do it repeatedly until they succumb to your insistence :) Think Sheldon type of insistence and paranoia.
1. Never use a simple password such as one of the above for the (super) administrator accounts of your website – it is a recipe for that account to be hacked. Do not use the following as a password: any sequence on your keyboard (qwerty, qwertyuiop, asdfghjkl, poiuytrewq, zxcvbnm), your name (or any name), your surname, your date of birth, or anything else which is easy. Don’t use dictionary words. Rule of thumb: what is easy for you to remember, is probably easy to guess!
2. DO use a complex password, or pass phrase, for your most commonly used websites and your office password. Use a phrase which is sensible to you, but nobody else; use mixed case and punctuation characters, and make it long. You will get used to it if you type it often. Examples of complex pass phrases: Mycatisn0tgrumpy! Mydogbump5intowall$, IS1ngwhenIc*ok, Iwillr3tireat40$$. You get the gist. Use something personal, which is not easily guessable. PS. This infographic might help you create a strong password: http://lifehacker.com/5876541/use-this-infographic-to-pick-a-good-strong-password
3. DO check your password complexity against the Password checker
4. DO use a separate password for each website you use. Do NOT reuse passwords. Password reuse allows a hacker who compromised a single password to get access to ALL your accounts. Even if you use a complex passphrase such as those in 2, do not reuse that password.
5. DO enable Two Factor Authentication (2FA) wherever it is available: Google, Facebook, Twitter and Joomla! all allow you to enable 2FA. This will generate a time-limited token (usually a text message on your phone) or a password generated by an app such as Google Authenticator.
6. DO use a password manager to store your passwords – especially the ones used for websites you don’t use often.
7. DO NOT use the password manager for passwords where you have sensitive information such as VISA details or payment information. Your office login and password, Paypal, Google, Facebook, Amazon and your other sensitive information accounts should NOT be stored in your password manager, they should be stored in your memory ONLY!
8. DO NOT store payment information such as VISA numbers in your email account (for easy access). Also do not use your email account as your password manager - if your email account gets compromised, you want to make sure that you don't give access to your most important details.
9. DO protect ALL your passwords from prying eyes, never reveal your password(s) to anyone. Especially the ones which contain sensitive information.
10. DO change your sensitive passwords regularly - it's better to be safe than sorry.
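The rules in tips 1 to 3 can be turned into an automated check for administrator accounts. The Python policy checker below is an added example, not code from the original post: the keyboard sequences come from tip 1, the passphrases it accepts are those from tip 2, and the small word list and the personal-information inputs are constructed stand-ins for a real dictionary and a user's profile data.

```python
import string

# Keyboard sequences named in tip 1 (reversed forms are checked as well).
KEYBOARD_SEQUENCES = ["qwerty", "qwertyuiop", "asdfghjkl", "poiuytrewq", "zxcvbnm"]

# Constructed stand-in for a real wordlist; a deployment would load a full dictionary.
DICTIONARY = {"password", "letmein", "welcome", "dragon", "monkey", "sunshine", "football"}

# Tip 2 asks for a long passphrase; 12 is an assumed minimum, not a value from the post.
MIN_LENGTH = 12


def check_password(password, personal_info=()):
    """Return a list of policy violations; an empty list means the password passes.

    personal_info is an iterable of strings the user should never embed in a
    password (name, surname, date of birth), as tip 1 describes.
    """
    problems = []
    lower = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lower in DICTIONARY:
        problems.append("is a dictionary word")
    for seq in KEYBOARD_SEQUENCES:
        if seq in lower or seq[::-1] in lower:
            problems.append(f"contains keyboard sequence '{seq}'")
            break
    for item in personal_info:
        if item and item.lower() in lower:
            problems.append(f"contains personal information '{item}'")
    if not any(c.islower() for c in password) or not any(c.isupper() for c in password):
        problems.append("not mixed case")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation character")
    if password.isdigit():
        problems.append("digits only")
    return problems


if __name__ == "__main__":
    # The post's own passphrases pass; a keyboard walk with the user's name does not.
    for candidate in ["Mycatisn0tgrumpy!", "IS1ngwhenIc*ok", "qwerty", "John1985"]:
        result = check_password(candidate, personal_info=("John", "1985"))
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```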
These tips may seem a little bit over the top; however, seeing how regularly these types of account compromises occur, you'd better take notice and make sure that you don't become the next statistic!