Password hacking

**mae** · 06-08-2012 10:48 AM

I'm sure most of you have heard the news of this recent hacking attack on LinkedIn and several other networks, where millions of passwords were compromised. This, of course, wasn't the first such case by any stretch, but it was the final straw for myself to switch to something a little more sophisticated than my brain for passwords. This is a very serious threat. As an Internet user from way back in the early to mid 1990s, I know all about passwords. Shamefully, I've been using some of the same passwords which I thought were very clever on multiple sites to log in to different types of networks. This is bad. Of course, I knew that, and I knew that in a perfect world you would have a gibberish, randomly-generated password for each login that you have. Which, in this day and age, is lots. So this is why I completely switched to LastPass, and I strongly urge everyone to do so. There are many different password management systems, but none as sophisticated and secure (which is super important) as LastPass. And, no, I don't work for them, and the thing is free anyway.

http://www.theatlantic.com/technolog...-today/258264/

One of many topics I've "meant" to get to "as soon as I have 'time' " is the various ramifications of the Gmail hacking episode my wife endured last year, in which six years' worth of her correspondence and life-records disappeared. I chronicled it originally in the magazine, and ran a large number of follow-ups.

There are lots of new twists I've meant to go into, at some point: "strong" versus "weak" passwords, Gmail versus other online services, the pluses and minuses of online password utilities (I use and like LastPass), Google's new "state-sponsored hacking attempt" warnings, and on through a very long list.

For now, here is the single most important thing you must do today, if you're concerned about these hacking stories -- as you should be.

Today's Must-Do List: Make sure that any account that matters to you has its own password.

For me that means, as a minimum: email, banking, credit cards, medical info, investment accounts, Twitter, Facebook. The standard should be: anything that would cause you loss, embarrassment, inconvenience, harm, or worry, must have its own password. If it doesn't, you're asking for it to be hacked.

I don't care that my local OpenTable account (for example) has a weak password I've used elsewhere. No harm, no foul if it gets hacked. It's different with banking, email, etc.

It matters much less that each "this account matters" password is "strong" or "weak" than that it meets these two standards:

- You cannot be using it for any other online account; and
- You cannot ever have used it for any other account.

I quoted a Google official (and friend) on the logic behind this step in my original story:

"Using an important password anywhere else is just like mailing your house key to anyone who might be making a delivery," Michael Jones of Google said. "If you use your password in two places, it is not a valid password."

The hacking of my wife's email account almost certainly happened because she had used that same password somewhere else. There are lots more angles here, but let's save them for later. For now, make sure that any account that matters to you has its unique password.

You're welcome.

**Dan** · 06-08-2012 11:07 AM

I use KeePass and it is great. I have hundreds of passwords saved. To log into a site you can quickly just type ctrl + alt + a and it fills in the name and password for you.

**mae** · 06-08-2012 11:10 AM

Originally Posted by Dan

I use KeePass and it is great. I have hundreds of passwords saved. To log into a site you can quickly just type ctrl + alt + a and it fills in the name and password for you.

In the case with LastPass, it can even log you in automatically.

**Bethany** · 06-08-2012 11:19 AM

Hmmm, besides keeping my accounts safe, this would stop me from getting locked out of my accounts each and every month when I try to pay bills?

**ELazansky** · 06-08-2012 11:30 AM

Originally Posted by Dan

I use KeePass and it is great. I have hundreds of passwords saved. To log into a site you can quickly just type ctrl + alt + a and it fills in the name and password for you.

I use KeePass too. I'm not going to send my passwords to the Cloud.

But even with KeePass, I don't have a unique password for every site I go to. I have a few random passwords that I sprinkle around. I don't know if I would ever make one site/one password, although I know I should.

**mae** · 06-08-2012 12:06 PM

Here's a great (but very technical) explanation of the impressive amount of security that goes into LastPass - starts at 0:52:44:

**Brice** · 06-08-2012 02:49 PM

I use my own supersecure password "password" on every site. I also mail my key if someone needs to deliver something. It is a foolish identity thief who steals my identity and a foolish information thief who steals my information. They deserve what they get. LOL

**biomieg** · 06-09-2012 01:07 AM

KeePass users: how does it work when you want to log in from a mobile device? Looks like LastPass is the most convenient/allround tool but I don't like the idea of storing stuff in 'the Cloud' either...

**ELazansky** · 06-09-2012 02:45 AM

KeePass is local only, so you would be out of luck mobile. I don't do a lot of web browsing on a mobile device that requires "secure" info, so it doesn't bother me too much.

**biomieg** · 06-09-2012 03:46 AM

That's what I thought... I'm going to have to think about this. But I'm glad this topic came up, dealing with this is something I've been postponing for too long.

Thread: Password hacking

Thread Tools

Display

Password hacking

Posting Permissions