In recent weeks, nearly five million Gmail addresses and passwords were found on a Russian security site. In a separate incident, a targeted attack on celebrities’ user names, passwords and security questions resulted in the leak of photos. Such incidents remind us that we all need to take additional steps to protect our online security and privacy. In a guest blog, Alex Everett, UNC-Chapel Hill ITS Information Security Engineer, offers password guidance that takes into account the reality of our busy lives.
ITS guest blog: Alex Everett
We all type passwords or use systems that require passwords on an almost daily basis. We create these secrets and sometimes memorize them to access our email, our computer, our bank account and online retail stores. Ideally, we would use a lengthy random password for each account, as this provides the greatest protection for all accounts against attacks such as malware, hacking of retail stores’ databases, phishing and password-reset attacks.
Let’s say you have created lengthy, random passwords for each of your accounts, and your eBay account, for example, is divulged. That leak likely will not affect your Facebook account or any other account as the passwords are quite different.
Research suggests that most people have about eight accounts that they manage using passwords, and that memorizing many lengthy random passwords is not practical [1]. Researchers also find that people often re-use existing passwords or use weak passwords in an attempt to cope with the number of different accounts they manage.
Instead of doing this ad hoc, researchers at Microsoft recommend separating accounts into two or more groups: high-importance accounts such as your bank account and low-importance accounts such as an online clothing store account. Your most important accounts should have stronger passwords, and you should not re-use those passwords for low-importance accounts. This way, if that clothing store site is hacked, your bank password will be safe.
If you have more than a few accounts or groups, you may need a password manager—a piece of software that saves your account passwords in an encrypted form [2].
Another important advancement in protecting accounts is called two-factor authentication: a password is often the first factor, and a number delivered by text message or displayed by an app is often the second factor. Many sites now offer this extra level of security, which makes it very difficult for thieves to use your account, even if they know the password. Three examples of websites that provide this technology are: SafePass from Bank of America, 2-Step Verification from Google, and Login Approvals from Facebook [3,4,5].
References
[1] http://research.microsoft.com/pubs/217510/passwordPortfolios.pdf
[2] http://online.wsj.com/news/articles/SB10001424052702303647204579545801399272852
[3] https://www.bankofamerica.com/privacy/faq/safepass-faq.go
[4] https://www.google.com/landing/2step/
[5] https://www.facebook.com/help/148233965247823
Protect your personal information:
- Secure your accounts: Ask for protection beyond passwords. Many account providers now offer additional ways for you to verify who you are before you conduct business on that site.
- Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password.
- Create separate passwords for every account to help thwart cybercriminals.
- Write it down and keep it safe: Everyone can forget a password. Keep a list that’s stored in a safe, secure place away from your computer.