Oct 7, 2009

Disturbing Password News

Over the last week there have been many reports of tens of thousands of email account credentials (addresses and passwords) from MSN, Yahoo, AOL, Google, Comcast and Earthlink being exposed, believed to be the result of a large-scale phishing operation.

Today, an analysis of the leaked passwords was released and published by Wired:
A researcher who examined 10,000 Hotmail, MSN and Live.com passwords that were recently exposed online has published an analysis of the list and found that “123456” was the most commonly used password, appearing 64 times.
This is extremely disturbing, but equally disturbing are the results on password reuse recently published by Tim Nash, an Information Architect:
A scary 92% of people use the same password across all websites, including their email accounts.
What most people don't realize is that if you lose control of your email account, you have effectively lost control of ALL of your accounts. Once your email account is compromised, an attacker can use the 'password reset' feature of every other account registered to that address, receive the reset links, and take those accounts over (locking you out in the process). And if you use the same password on multiple sites, every one of them is only as secure as the least secure site: an attacker only has to break the weakest link in the chain and then try the same credentials everywhere else.
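The two numbers above (the most common password in a leaked list, and how many people reuse one password everywhere) are exactly what an attacker computes from a leak before moving on to other sites. The following is an added example, not code from the original post or from LastPass, that runs that analysis over a small constructed sample of (user, site, password) records; the records, the site names and the helper names are made up for illustration.

```python
from collections import Counter

# Constructed sample of leaked (user, site, password) records; made up for
# this example, not taken from the real 2009 leak.
LEAKED = [
    ("alice@example.com", "hotmail.com",  "123456"),
    ("alice@example.com", "mybank.com",   "123456"),
    ("alice@example.com", "shop.example", "123456"),
    ("bob@example.com",   "hotmail.com",  "123456"),
    ("bob@example.com",   "mybank.com",   "123456"),
    ("carol@example.com", "hotmail.com",  "password"),
    ("carol@example.com", "mybank.com",   "Zq7!vT3#kL9w"),
    ("dave@example.com",  "hotmail.com",  "iloveyou"),
    ("dave@example.com",  "shop.example", "iloveyou"),
    ("erin@example.com",  "hotmail.com",  "123456"),
    ("frank@example.com", "hotmail.com",  "password"),
    ("frank@example.com", "mybank.com",   "password"),
]


def top_passwords(records, n=3):
    """The n most common passwords and how often each appears."""
    counts = Counter(pw for _, _, pw in records)
    return counts.most_common(n)


def coverage(records, n=3):
    """Fraction of accounts an attacker opens by trying only the n most
    common passwords against every account (a 'password spray')."""
    hits = sum(count for _, count in top_passwords(records, n))
    return hits / len(records)


def reuse_rate(records):
    """Among users with accounts on at least two sites, the fraction whose
    password is identical everywhere."""
    accounts = Counter(user for user, _, _ in records)
    passwords = {}
    for user, _, pw in records:
        passwords.setdefault(user, set()).add(pw)
    multi = [u for u, n in accounts.items() if n >= 2]
    reusers = [u for u in multi if len(passwords[u]) == 1]
    return len(reusers) / len(multi)


def stuffing_targets(records, email_site):
    """For each user whose email-provider password is in the leak, the other
    sites where the same password is reused: the accounts an attacker gets
    for free by 'credential stuffing', before even touching password reset."""
    email_pw = {user: pw for user, site, pw in records if site == email_site}
    targets = {}
    for user, site, pw in records:
        if site != email_site and email_pw.get(user) == pw:
            targets.setdefault(user, []).append(site)
    return targets


if __name__ == "__main__":
    print("most common:", top_passwords(LEAKED, 2))
    print("accounts opened by top-2 spray: %.0f%%" % (100 * coverage(LEAKED, 2)))
    print("users reusing one password everywhere: %.0f%%" % (100 * reuse_rate(LEAKED)))
    print("credential-stuffing targets:", stuffing_targets(LEAKED, "hotmail.com"))
```

On the sample, two guesses ("123456" and "password") open three quarters of the accounts, 80% of the multi-site users reuse one password, and four of the six users hand the attacker at least one non-email account without any reset email being sent.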

Here are some tips to help protect yourself in the future:
  • Use a password manager like LastPass to generate a long, random, unique password for every account
  • Never click on links within emails to open websites; type the URL into the browser's address bar yourself, or find the site with a search engine
  • Avoid using untrusted computers or networks to access your critical accounts
  • Change the passwords on your critical accounts routinely, and immediately if you suspect they have been exposed
If you use LastPass as your password manager, consider increasing security further by using LastPass One Time Passwords. LastPass Premium members can also use a YubiKey and/or LastPass Sesame to gain the benefits of multifactor authentication.
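The first tip, a generated random and unique password per account, is the one that removes the weakest link entirely. The following is an added example, not code from the original post or from LastPass, showing how such a generator is built: characters are drawn from the operating system's cryptographic random source, candidates that miss the usual composition rule are simply redrawn, and a vault check confirms no two sites share a password. The character set, site names and function names are assumptions made for this illustration.

```python
import math
import secrets

# Character set assumed for this example; real managers let the user tune
# it per site because some sites reject certain symbols.
SYMBOLS = "!@#$%^&*()-_=+[]{}:,.?"
ALPHABET = ("abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789" + SYMBOLS)


def meets_policy(pw):
    """At least one lowercase, uppercase, digit and symbol: the composition
    rule most sites enforce, checked so generated passwords are accepted."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


def generate_password(length=20, alphabet=ALPHABET):
    """Each character is drawn independently with the OS CSPRNG (secrets),
    never the seedable 'random' module. Candidates that miss the composition
    rule are rejected and redrawn, which keeps every accepted password
    equally likely rather than forcing fixed positions to hold fixed classes."""
    if length < 4:
        raise ValueError("need at least 4 characters to satisfy the policy")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def entropy_bits(length, alphabet=ALPHABET):
    """Guessing work for a uniformly random password: log2(|alphabet|^length).
    A 6-digit PIN is under 20 bits; 20 characters from this alphabet are
    roughly 128 bits."""
    return length * math.log2(len(alphabet))


def build_vault(sites, length=20):
    """One fresh password per site, so a breach of one site exposes nothing else."""
    return {site: generate_password(length) for site in sites}


def shared_passwords(vault):
    """Groups of sites that share a password (the 'weakest link' condition);
    an empty result means no reuse anywhere in the vault."""
    by_pw = {}
    for site, pw in vault.items():
        by_pw.setdefault(pw, []).append(site)
    return [sites for sites in by_pw.values() if len(sites) > 1]


if __name__ == "__main__":
    vault = build_vault(["hotmail.com", "mybank.com", "shop.example"])
    for site, pw in vault.items():
        print(site, pw)
    print("entropy per password: %.1f bits" % entropy_bits(20))
    print("reuse in vault:", shared_passwords(vault))
```

`shared_passwords` is the check to run over an existing vault after importing old, hand-picked passwords: any group it returns is a set of accounts that fall together the moment one of those sites is breached.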

3 comments:

  1. First, I love LastPass.... BUT... you point out that "if you lose control over your email account, then you've effectively lost control over ALL of your accounts". Can't one also say "if you lose control over your LastPass account, then you've effectively lost control over ALL of your accounts"?

  2. Yes - it's similar.
    But you're already accepting this risk simply by having an email account (unless you use a different email address for every single one of your accounts, or don't associate your email address with your accounts). Most people simply don't realize this.

    So, even if you don't use LastPass, you STILL have this security issue to deal with.

    How does using LastPass help?

    1. We automatically generate cryptographically strong passwords for you encouraging you never to reuse passwords and eliminating the 'weakest link' mentioned above.

    2. We automatically fill in your username and password on websites. This helps mitigate two types of very common attacks:
    Phishing: If you visit a phishing site such as www.mybank.hackersite.com, then your credentials for mybank.com will NOT be automatically filled, which should make you suspicious.
    KeyLogging: We automatically fill in your credentials without you having to type them on your keyboard, so common key-sniffing programs can't capture them.

    3. We offer One Time Passwords and multifactor authentication solutions to greatly increase the security of your LastPass account itself.
