The other day, a popular site, Gawker Media, was brutally compromised resulting in the exposure of their entire user database of 1.3 million users. Basically each user ID and its associated encrypted password were compiled into a huge file that is accessible to the entire Internet. On the surface, who really cares if a basic site like Gawker was hacked, but digging a little deeper you’ll see that there is a cascading ramification that could potentially be dangerous to many of Gawker’s users – they probably use the same usernames and passwords for a lot of sites.
Yesterday, I received what appeared to be a four-page email from a friend of mine via LinkedIn. The email was rather grotesque and went on and on about her love for pedophiles. It was pretty obvious that someone logged into her account and emailed that message to all of her connections on LinkedIn. When asked if she thought her account was compromised from Gawker, she was not sure; however, the timing was rather suspect.
Today, I woke up to an email from LinkedIn stating that for security purposes my account had been locked until I change my password. They’re proactively locking accounts that appeared on the Gawker list; unfortunately other sites are not doing the same.
Aside from this specific event, how can the average person do a better job securing their passwords online? How can they reduce the risk of a fun site like Gawker causing social or financial calamity? I’ve assembled some of the tricks I use, which may help the average Internet user have a little less exposure to something like a Gawker compromise:
Create Four Layers of Passwords:
Some sites are more important than others, so rather than having a single password used on a lot of sites, create a “junk” or throwaway password that you use on sites that really have no bearing on your personal finances or privacy. For example, Gawker requires a login to comment on their posts, and chances are you have accounts on a number of sites similar to Gawker, so use your junk password for those types of sites.
For low security sites such as Gawker, you may also want to consider using OpenID or Facebook Connect rather than creating an account with the site itself. You’ll see those options presented when you’re about to interface with the site. Using a single ID such as OpenID does put all of your eggs in one basket, but it’s easy to change the password and update it.
Social media sites should also have their own password, so that a Gawker hack stays isolated to junk sites and does not reach LinkedIn or Facebook. Shopping sites have a lot more importance because they may have personal information stored like your credit card, shipping addresses, etc. For those you should make a different password. Last, you should make a complex password that nobody knows, which you only use for online banking.
Use Phrases and Acronyms:
When creating a password, try to think of a phrase that is easy to remember, and turn that phrase into an acronym or something fun to type and easy to remember. For example, for years I used the password “cats&d0gs!” (cats and dogs). It’s easy to remember and you don’t have to write it down. Another phrase, such as “I love running in the summer to stay happy!” turned into “Ilrits2sh!”, makes for an easy password to remember. Find phrases and word replacements that can assist in remembering a password and help create unique passwords.
Replace Characters and Use Capitals:
Replace common characters with substitutes: the letter ‘o’ can be represented as the number ‘0’, or the letter ‘e’ as the number ‘3’. You can swap characters such as I for L, or even toss in the occasional upper-ASCII character or symbols such as ‘@’ or ‘#’. I cannot stress enough the importance of using symbols in your passwords; they greatly complicate the password and make cracking it a bit more difficult.
Use a Password Schema:
For example, you may use the password Il2sM0n3Y (I love to spend money) on your VISA and American Express logins. However, you could reduce the impact of a compromised password by adding a character that’s unique to that site: on American Express you vary the password from Il2sM0n3Y to AIl2sM0n3Y (A for American Express), and do the same for the VISA account (VIl2sM0n3Y). It’s essentially the same password, but it’s different enough to prevent someone with a list of passwords from walking into each and every one of your high profile user accounts.
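As an added example (not part of the original post), here is a small Python script that applies the three tricks above to the post’s own examples: phrase-to-acronym with the word replacements, character replacement, and the per-site prefix. The word and character substitution tables are assumptions drawn from those examples, not a fixed rule.

```python
import re

# Whole-word replacements taken from the post's examples ("and" -> "&", "to" -> "2").
WORD_SUBS = {"and": "&", "to": "2"}
# Character replacements from the post (o -> 0, e -> 3); an assumed table, extend as you like.
CHAR_SUBS = {"o": "0", "e": "3"}


def _tokens(phrase):
    """Split a phrase into (word, trailing punctuation) pairs so that a closing
    '!' or '?' survives the transformation, as in the post's examples."""
    for word in phrase.split():
        m = re.match(r"^(.*?)([!?.,]*)$", word)
        yield m.group(1), m.group(2)


def acronym(phrase):
    """Phrase -> acronym: first letter of each word, except that words in WORD_SUBS
    are swapped for their symbol ("I love running in the summer to stay happy!" -> "Ilrits2sh!")."""
    out = []
    for word, tail in _tokens(phrase):
        if word:
            out.append(WORD_SUBS.get(word.lower(), word[0]))
        out.append(tail)
    return "".join(out)


def compact(phrase):
    """Phrase -> joined whole words with WORD_SUBS applied ("cats and dogs!" -> "cats&dogs!")."""
    return "".join(WORD_SUBS.get(word.lower(), word) + tail for word, tail in _tokens(phrase))


def substitute(text):
    """Apply the character replacements ("cats&dogs!" -> "cats&d0gs!")."""
    return "".join(CHAR_SUBS.get(ch, ch) for ch in text)


def for_site(base, site):
    """Per-site schema from the post: prefix the base password with the
    capitalised first letter of the site's name ("American Express" -> "A" + base)."""
    return site.strip()[0].upper() + base


if __name__ == "__main__":
    print(acronym("I love running in the summer to stay happy!"))  # Ilrits2sh!
    print(substitute(compact("cats and dogs!")))                    # cats&d0gs!
    print(for_site("Il2sM0n3Y", "American Express"))                # AIl2sM0n3Y
    print(for_site("Il2sM0n3Y", "VISA"))                            # VIl2sM0n3Y
```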
I hope this helps out a bit. Keep safe out there folks!