NEW YORK – Security experts say passwords for more than 2 million Facebook, Google and other accounts have been compromised and circulated online, just the latest example of breaches involving leading Internet companies.
ONE THING LEADS TO ANOTHER
When a malicious hacker gets a password to one account, it’s often a stepping stone to a more serious breach, especially because many people use the same passwords on multiple accounts. So if someone breaks into your Facebook account, that person might try the same password on your banking account.
It’s particularly bad if the compromised password is for an email account. That’s because when you click on a link on a site saying you’ve forgotten your password, the service will typically send a reset message by email. People who are able to break into your email account, therefore, can use it to create their own passwords for all sorts of accounts. You’ll be locked out as they shop and spend, courtesy of you.
If the compromised password is one you use for work, someone can use it to break in to your employer’s network, where there are files with trade secrets or customers’ credit card numbers.
Many breaches occur because passwords are too easy to guess. There’s no
evidence that guessing was how these 2 million accounts got compromised, but it’s still a good reminder to strengthen your passwords. Researchers at security company Trustwave analyzed the passwords compromised and found that only 5 percent were excellent and 17 percent were good. The rest were moderate or worse.
What makes a password strong?
• Make them long. The minimum should be eight characters, but even longer is better.
• Use combinations of letters and numbers, upper and lower case and symbols such as the exclamation mark. Try to vary it as much as you can. “My!PaSsWoRd-32” is far better than “mypassword32.”
• Avoid words that are in dictionaries, as there are programs that can crack passwords by going through databases of known words. One trick is to think of a sentence and use just the first letter of each word – as in “tqbfjotld” for “the quick brown fox jumps over the lazy dog.”
• Avoid easy-to-guess words, even if they aren’t in the dictionary. Avoid your name, company name or hometown, for instance. Avoid pets and relatives’ names, too. Likewise, avoid things that can be looked up, such as your birthday or ZIP code.
• One other thing to
consider: Many sites let you reset your password by answering a security question, but these answers – such as your pet or mother’s maiden name — are possible to look up.
ONE FINAL THOUGHT
Change your passwords regularly. It’s possible your account information is already circulating. If you have a regular schedule for changing passwords for major accounts, you reduce the amount of time that someone can do harm with that information.