We often complain about the hassle of changing and maintaining passwords for the various web sites we use. Unfortunately, recent events (and many events before those) underline how critical it is to keep our passwords, and with them our online identities and data, safe.
High-traffic sites are often targeted for account attacks, due to the sheer volume of data they can provide: gaining access to a large site’s password store alone could arm an attacker with several thousand new entries to add to existing ‘dictionaries’ used when attacking other sites. The logic: if a user enters a password for one site, it’s likely they’ll use the same password again. And now the attacker is aware of that password and can automatically try it at any other site they may attack.
Recently, UbuntuForums.org, the forum site for the popular Ubuntu Linux distribution, was attacked; they’ve revealed that “the attackers have gotten every user’s local username, password, and email address from the Ubuntu Forums database.” The caveat in this case is that the passwords are stored as “salted hashes”: strings produced from the passwords by a one-way function, which are not readable as plain text.
Of course, UbuntuForums is not nearly alone: in the past few weeks, several high-profile sites have been hacked successfully and had their users’ data stolen, including Apple’s Dev Center site and Ubisoft’s gaming user account site.
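The “salted hashes” mentioned above, and why a reused password is still a problem once it is known, as an added sketch (not code from Ubuntu Forums or from this post). PBKDF2, the iteration count, the site names and the sample passwords are assumptions of the example, not details of any of the breaches.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # work factor chosen for this example (assumption)


def unsalted_hash(password):
    """Plain SHA-256: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password):
    """What a site stores: a random per-user salt plus a slow salted hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])


def accounts_sharing(password, records_by_site):
    """Reuse audit: every site whose stored record accepts this password."""
    return sorted(s for s, r in records_by_site.items() if verify(password, r))


if __name__ == "__main__":
    # Constructed sample data: one user, three hypothetical sites.
    reused = "Summer2013!"
    sites = {
        "forum.example": make_record(reused),
        "shop.example": make_record(reused),
        "bank.example": make_record(secrets.token_urlsafe(16)),
    }
    # Unsalted digests of the same password match; salted records do not.
    print(unsalted_hash(reused) == unsalted_hash(reused))
    print(sites["forum.example"]["hash"] == sites["shop.example"]["hash"])
    # A password known from one site is accepted by every site that reuses it.
    print(accounts_sharing(reused, sites))
```

The salt keeps two stored records from matching each other, but it does nothing for a password that is reused: only the account with its own randomly generated password stays isolated.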
It can be daunting and somewhat frustrating to consider using separate passwords for each site you visit, or to create a relatively secure password that may not be the simplest combination of characters to remember. But there are really good reasons for giving this your careful consideration. Several years ago, tech guru and blogger John Pozadzides authored a post on how he’d “hack your weak passwords,” not with malicious intent but to show the unaware how easy it can be for hackers to guess some of our “clever” passwords with little to no effort, and to offer some simple advice on creating better passwords. The post’s content is dated only by its timestamp and remains very much relevant today: it’s well worth a few minutes of any web user’s time and may just elicit a “How did he know I use that for my password?” or two as you read it through.
My advice is simple:
- Don’t use the same password for more than one site. It’s quite possibly the hardest piece of advice to follow, but it’s also the only way to guarantee that one hacked account will not automatically lead to more hacked accounts.
- Use a password application to help keep and organize your passwords for web sites you visit. Many of these applications can generate secure, random passwords for you, and some give you copy-and-paste access to those passwords so you can dump them right into your favorite web sites without typing (or even having to remember) them. Some password managers are even smart enough to enter passwords for you as needed. A few completely free examples of such applications are KeePass (which I use in Linux, OS X, Windows, and Android) and LastPass; there are many others out there with varied features and at varied costs.
- Use a secure password to protect your password application data. This may be the only password you’ll really have to remember or to keep somewhere safe, so make sure this password is a good one. The rest of your passwords can live safely and happily inside the password manager itself; you just need a good password to protect all that data inside. Just remember: anyone who knows this password can see the rest of your passwords.
- If you use multiple devices, you can simplify your digital life by synchronizing your password data with a cloud storage service, such as Dropbox, Box, or SpiderOak. If you save your password data in a location on your device synced with one of these services, any new passwords or changes you make can be instantly synced across the ‘Net on all of your computers and devices. If you do choose to go this route, as with the application password above, ensure that you choose a secure password for the storage service as well.