Sunday, August 10, 2014

Chances are Russians hacked your password!

Chances are at least one of your passwords has already been hacked.  How?  Quite simply, most websites do not put enough security around your password.  You can change this easily, without having to remember a 28-character random password.  In fact it is quite easy to do.

Stories like this one, where one billion passwords were stolen, illustrate why most passwords are a poor way to secure information.   Passwords can be hacked through any number of means, from attacking the cryptography directly to guessing common words against the stored hashes.  Storage of the password is often very insecure.  For example, you can get web hosting for as little as $1.99 a year.  You can be assured that security is not at the top of the list for that hosting company.

Secure Password Vault
Getting your password is not that hard in most cases.  Open source software often has exploits that let hackers grab the password file.  Most of the time it holds an MD5 hash or SHA1 hash, which cannot be decrypted.  However, the password can be guessed easily if it is something like "snookie24" or "sean2014", built from very common words.  You may have signed up on a discussion forum and used the same password as your bank account or even your kids' school website.  Weak passwords made of common dictionary names/words with numbers do very little to protect you.  Why?  I can show you rather easily.  Let's say you're using "goldmine" as the password for your bank account.  You also use that password for 5 or 6 other sites, including a discussion forum.  For a long time open source software has stored a simple MD5 hash as a signature of your password.  While the password itself cannot be pulled out of the hash, the hash can be recreated from a guess and compared against the password database.

To see what I'm talking about, just use a simple MD5 hash generator to create a hash for "goldmine".  The hash for goldmine is 73f74ce5596373a5c4b5cb43486015ef.  So how do hackers get your password from this?  Easy: a database of dictionary words.  You create a database with 2 columns, the password in plaintext ("goldmine") and its hash ("73f74ce5596373a5c4b5cb43486015ef").  Then you simply compare the database you created, with all its hashes, against the stolen password file.  It's that simple.  Adding numbers before or after the word doesn't help much, as they are usually 4 digits or less.  That means you only added a little less than 20,000 more variants, which are very easy to check for.

So my password is hacked, now what?  There is some hope.  First, where possible, for accounts like Gmail use 2 factor authentication.  This sends you a text message with a 6 digit code, which makes it a lot harder to hack your account with just the password.  The odds of a hacker stealing both your phone and your password are very low.

Make stronger passwords to protect yourself.  Yes, everyone says this, but how practical is it to enter a random string of 12 characters and remember it?  This is where I have a very simple trick that will allow you to enter better passwords.  I call it the per-site-password method.  This means that even if my password is hacked, it's only hacked for that one site.

To make an easy to remember but harder to hack password, simply add part of the website domain to your password, and use something easy to remember for the rest of it.  Let me show you how we can make that "sean2014" password considerably more secure with almost no work at all.

So let's say we're going to create a password for facebook.com.  Look at the domain name and use that as part of the password.  You can use "Facebook", "fb", "f.com", or any number of easy to remember ways to add the domain to the password.  Just make sure that whatever method you use, it's consistent for all websites.  That way you know it will be in the format you remember.

Now take that domain information and inject it somewhere in your password, always in the same place:

fb.com-sean-2014
sean-2014-fb.com
sean-fb.com-2014

These 3 versions add a considerable amount of complexity for anyone trying to crack it or run hash databases against it.  This gives you something unique per site.  It's unlikely an attacker is going to know how that works and track you down on another site.  You can even be more creative and add multiple words before and afterwards.  For example, .nets use "steve", .coms use "sean" and .orgs use "charlie".  So long as you know how the password is created, your password is going to be considerably more secure without having to remember complex passwords.
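To make the dictionary-table attack from the "goldmine" section and the per-site defence above concrete, here is a small added Python demonstration (my own code, not from the original post). It builds the two-column table the post describes for a constructed five-word list plus every number from 0 to 9999 before or after each word, then looks up a constructed "stolen" dump of unsalted MD5 hashes: "goldmine" and "sean2014" are recovered instantly, while the per-site variant "sean-fb.com-2014" is not in the table.

```python
import hashlib

# Constructed wordlist for the demonstration. A real dictionary holds
# millions of entries, but the lookup mechanism is exactly the same.
WORDLIST = ["goldmine", "snookie", "sean", "password", "letmein"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 hex digest, the way the forum software in the post stores it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def candidates(word: str):
    """Yield the bare word plus every 0-9999 number prepended or appended.
    That is 2 * 10,000 extra guesses per word: the 'a little less than
    20,000 more variants' the post talks about."""
    yield word
    for n in range(10000):
        yield f"{word}{n}"
        yield f"{n}{word}"


def build_lookup_table(words) -> dict:
    """The two-column database from the post: md5 hex -> plaintext.
    Precomputed once, reusable against any dump that uses plain MD5."""
    return {md5_hex(cand): cand for word in words for cand in candidates(word)}


def crack_dump(table: dict, stolen_hashes) -> dict:
    """Each stolen hash is a single dictionary lookup, no brute force needed.
    Hashes not in the table map to None (password not guessable this way)."""
    return {h: table.get(h) for h in stolen_hashes}


# Constructed 'stolen password file': the post's own example passwords,
# including the per-site variant built by the method described above.
STOLEN_DUMP = [md5_hex(p) for p in ("goldmine", "sean2014", "sean-fb.com-2014")]


def demo() -> dict:
    """Returns e.g. {<md5>: 'goldmine', <md5>: 'sean2014', <md5>: None}."""
    return crack_dump(build_lookup_table(WORDLIST), STOLEN_DUMP)


if __name__ == "__main__":
    for h, plain in demo().items():
        print(h, "->", plain if plain is not None else "(not in table)")
```

Because the per-site password is neither a dictionary word nor a word with a short number attached, the precomputed table never contains it, which is the whole point of the method; a salted, slow hash on the server side would additionally make the table useless even for weak passwords.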

I also suggest you start changing your passwords.  The Russian attack I cited at the top is using those passwords and logins to send spam.  I'm sure your family and friends will appreciate you changing your passwords instead of your Facebook account sending them a message about ED medicine.
