In “Hackers”, The Plague told his employer that the four most often used passwords are love, sex, secret and god. Not much has changed. Most people still seem to use simple words as passwords, or at best, a combination of their initials and their birth or wedding dates. The “power users” tend to go for 133t sp3@k – which is probably even worse, because there are 133t sp3@k dictionaries that can be used for a brute force attack.
Just a few days ago, the media reported that LinkedIn had been hacked and over 6 million passwords were stolen. Guess what the most common ones were? Jackpot – god, ilove (I guess times are changing …), sex, 1234 …
This was followed by reports of eHarmony passwords being stolen, then the same was reported for Last.fm. All together there might be more than 10 million stolen passwords.
To make things even worse, a lot of people use the same username/password combination for all of their online accounts. On top of that, a lot of websites now allow you to link your accounts so you can, for example, log in to your Yahoo account by providing your Google credentials. So one compromised password might allow the attacker to access your email addresses and Facebook account, reset your online banking passwords … you get the idea.
If you have an account with LinkedIn, Last.fm or eHarmony, you have to assume your password has been compromised. I wouldn’t trust the companies to admit the real number of compromised accounts, and even if they do, I don’t think I would trust them to be competent enough to find all the passwords that have been stolen.
Think about it: those accounts get deactivated, but are never deleted – so the account you created 5 years ago on a whim is probably still there.
So what do you do about it? Obviously, no matter what we’ve seen in the movies, nobody in their right mind will use a different nuclear-launch-code type of password for each account they have.
I used to save my passwords in my browser’s password manager – you have a single password to remember so, in theory, you can use longer, more complex passwords. The thing is, I never did. It’s the nuclear launch code problem – the passwords saved in the browser are not really portable and it’s impossible to remember them. And since the number of devices each of us is using is growing in geometric progression, it’s obviously not a solution.
Improving your security does not need to be complicated. You only need a few pieces of free open source software and a few hours to get your accounts secured.
I’m now using a password manager called KeePass. I installed it on all of my machines, imported the passwords from my browser into KeePass and saved them as an encrypted file in my DropBox folder (the basic 2GB account is free) so I can access them from anywhere. Now I can mount the password file and, with a couple of clicks, my passwords are filled in the appropriate fields.
I also installed the KeePass and DropBox apps on my Android phone, so I can get to my passwords on the go as well. I gradually replaced all of my weak passwords with significantly stronger ones and I only have to remember the master password. It’s a win-win situation.
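Two of the points above, that 133t sp3@k substitutions do not rescue a dictionary word and that the replacement passwords should be random rather than memorable, can be shown with a small password-policy checker. This is an added example, not code from the original post or from KeePass; the word list is a constructed stand-in for the leaked-password dictionaries the post mentions, and the leet mapping, the initials-plus-date pattern and the 12-character floor are the author's assumptions for the demo.

```python
import itertools
import re
import secrets
import string
from typing import Optional, Set

# Constructed mini dictionary; a real checker would load a large wordlist
# such as a leaked-password list instead of these few entries.
COMMON_WORDS = {"love", "sex", "secret", "god", "ilove", "1234", "password"}

# Reverse map for the usual 1337 substitutions. "1" is ambiguous (i or l),
# so every candidate expansion is tried.
LEET_MAP = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
            "7": "t", "@": "a", "$": "s", "!": "i"}

# Assumed pattern for "initials followed by a birth or wedding date", e.g. jd19850612.
INITIALS_DATE = re.compile(r"^[a-z]{2,3}\d{4,8}$")


def deleet_variants(pw: str) -> Set[str]:
    """Return every plain-text word the password could be a 1337 spelling of."""
    choices = [LEET_MAP.get(c, c) for c in pw.lower()]
    return {"".join(p) for p in itertools.product(*choices)}


def weakness(pw: str) -> Optional[str]:
    """Return the first cheap-guess pattern the password matches, or None."""
    if any(v in COMMON_WORDS for v in deleet_variants(pw)):
        return "dictionary word (after undoing 1337 substitutions)"
    if INITIALS_DATE.match(pw.lower()):
        return "initials followed by a date"
    if len(pw) < 12:  # assumed floor for the demo
        return "shorter than 12 characters"
    return None


def strong_password(length: int = 20) -> str:
    """Generate a random password meant to live in a password manager, not in memory."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["s3cr3t", "1L0v3", "jd19850612", "Tr0ub4dor&3", strong_password()]:
        print(f"{candidate!r}: {weakness(candidate) or 'no cheap-guess pattern found'}")
```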