Password Vulnerability

In the past couple of days, three instances of password loss and hacks appeared in the news. First there was the news that LinkedIn had lost 6,5 million passwords, then a US dating site lost passwords as well, and yesterday the news came that the social music site Last.fm had informed its users that it had lost passwords. This post is about how to prevent data loss and how to make sure you have strong and different passwords.

How does password loss affect you? If you don’t have online accounts, naturally it doesn’t. However, nowadays almost everyone has some accounts somewhere, even if it is only your bank. But think about your internet account, your online e-mail, memberships of forums, etc. And do you remember all those account details by heart? I don’t! At least, not anymore. Originally, when I joined the web in 1994, I had several levels of security.

  • Lowest level: random username + simple password + Hotmail address. I never changed that password and I used it for one-time accounts, for websites that didn’t let me continue without leaving some “personal” details.
  • Medium: easy username + complex password + Yahoo address. That password is still the same, and I used this account to register for more serious things.
  • Normal: part of my real name + complex password + Gmail address. These details are used for serious things where I don’t have to leave my real name. This password is changed frequently.
  • Advanced: real name + complex password + mail on my own domain. This is what I used for all the things where I needed my personal details.
  • Super: root accounts for my servers. A complex password used for my servers and websites.

This setup with different accounts and passwords worked for quite some years. I was careful where I left my details, and hacks weren’t that important because the impact of account loss wasn’t that big. That’s different nowadays.

Account loss and identity theft have a much larger impact. Compared to the earlier days, account theft actually can lose you money. The amount of time needed to repair your online status after a hack has also increased. So lose your account after a hack, and it will take a lot of time to reset passwords and maybe repair your social accounts. Also, and that is maybe more important, do you know where you left your details?

The scheme I used earlier is horrible in the modern world. If you browse a bit, you will encounter a lot of websites where you have to register. Even on my website, if you want to leave a comment, you will have to register. So that’s another account to create. And what account details are you going to use? The same ones you use for your Facebook, Twitter or Tumblr account? Or maybe your bank account? And what if my site gets hacked? Which details did the hackers acquire? Your username + password combination? And how are you going to know these details are lost and compromised?

That is why I started using a password manager. This piece of software helps me create a new, super complex password for every account I need to create. After I have created an account, I let the software generate a password, which it saves in an encrypted database. To unlock that database I need one master password. Nowadays my scheme looks like this:

  • Complex password (I use 23 characters with letters and numbers) for my Password Manager.
  • Complex password for my servers + SSH key authentication.
  • Complex password + two-step authentication for Google and my ISP.

So I have three passwords to remember; the rest is stored in my password manager, and I have no idea, for instance, what the password for this website is. Read more about password managers (paid and free) by following the links below.
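As an added example (not code from this post or from any of the managers linked below), here is a stdlib-only Python sketch of the scheme just described: a random letters-and-digits password per account, a vault sealed under keys derived from one master password, and rejection of a wrong master password or a tampered vault file. The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag only because the standard library has no AES; a real manager uses AES-GCM or similar, and every function name here is my own.

```python
import hashlib
import hmac
import json
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # letters and numbers, as in the post

def generate_password(length: int = 23, alphabet: str = ALPHABET) -> str:
    # secrets draws from the OS CSPRNG; the random module is not suitable for this.
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length: int = 23, alphabet_size: int = len(ALPHABET)) -> float:
    # Each position is an independent uniform draw: length * log2(alphabet size).
    return length * math.log2(alphabet_size)

def derive_keys(master_password: str, salt: bytes, iterations: int = 200_000) -> tuple:
    # Slow, salted KDF so a stolen vault file cannot be brute-forced cheaply;
    # 64 derived bytes are split into separate encryption and MAC keys.
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=64)
    return key[:32], key[32:]

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode used as a stream cipher (stdlib has no AES).
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)

def seal_vault(master_password: str, entries: dict) -> bytes:
    # Layout: salt(16) | nonce(16) | ciphertext | tag(32), encrypt-then-MAC.
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ciphertext = _keystream_xor(enc_key, nonce, json.dumps(entries).encode())
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag

def open_vault(master_password: str, blob: bytes) -> dict:
    # A wrong master password yields wrong keys, so the tag check fails before decrypting.
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(_keystream_xor(enc_key, nonce, ciphertext))
```

With the post's 23 characters from 62 symbols, `entropy_bits()` comes to about 137 bits, far beyond what a breached site's password hashes could be brute-forced to.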

Read more:

OnePassword
LastPass
KeePass

Google Two Step verification
Ars Technica about the LinkedIn hack
