FORGET THE DICTIONARY
If your password can be found in a dictionary, you might as well not have one. “The worst passwords are dictionary words or a small number of insertions or changes to words that are in the dictionary,” said Mr. Kocher. Hackers will often test passwords from a dictionary or from lists aggregated from breaches. If your password is not in that set, hackers will typically move on.
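The check Mr. Kocher describes can be automated on the defender's side: a registration form or password audit rejects anything that is a dictionary or breach-list word, or a cheap mutation of one. The script below is an added example, not code from the article or from either expert; the word list and the leet-substitution table are constructed stand-ins for the full dictionary and breach corpus a real check would load.

```python
import string

# Constructed mini "dictionary plus breach corpus" for this example; a real
# check would load a full word list and a breach-derived list of millions of
# entries (ideally queried by hash prefix so the corpus never leaves the server).
COMMON_WORDS = {
    "password", "letmein", "welcome", "dragon", "monkey", "sunshine",
    "football", "baseball", "iloveyou", "qwerty", "princess",
}

# Letter-for-symbol substitutions that cracking tools try automatically;
# undoing them turns "P@ssw0rd" back into "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(candidate: str) -> str:
    """Undo the cheap mutations: lowercase, strip digits/punctuation from the
    ends (the classic 'dragon2012!' pattern), then reverse leet substitutions."""
    s = candidate.lower().strip(string.digits + string.punctuation)
    return s.translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or
    substitutions needed to turn a into b (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def dictionary_weakness(candidate: str, words=COMMON_WORDS, max_edits: int = 1):
    """Return a reason string if the candidate is a dictionary/breach word or a
    small mutation of one, otherwise None."""
    core = normalize(candidate)
    if not core:
        return "nothing left after stripping digits and punctuation"
    if core in words:
        return f"'{core}' is a dictionary/breach word once cheap mutations are undone"
    for w in words:
        # Length pre-filter keeps the O(n*m) comparison off obviously distant words.
        if abs(len(w) - len(core)) <= max_edits and levenshtein(core, w) <= max_edits:
            return f"'{core}' is within {max_edits} edit(s) of '{w}'"
    return None


if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd1", "Dragon2012!", "monkeys", "xq7!Lm9#vK2$pR"]:
        print(f"{pw!r}: {dictionary_weakness(pw) or 'not a dictionary-derived password'}")
```

Note that `"P@ssw0rd1"` and `"Dragon2012!"` both collapse to plain dictionary words, which is exactly why capitalisation, a trailing year and a few symbol swaps add almost nothing against an attacker who applies the same rules in reverse.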
NEVER USE THE SAME PASSWORD TWICE
People tend to use the same password across multiple sites, a fact hackers
regularly exploit. While cracking into someone’s professional profile on
LinkedIn might not have dire consequences, hackers will use that password to
crack into, say, someone’s e-mail, bank, or brokerage account where more
valuable financial and personal data is stored.
COME UP WITH A PASSPHRASE
The longer your password, the longer it will take to crack. A password should ideally be 14 characters or
more in length if you want to make it uncrackable by an attacker in less than
24 hours. Because longer passwords tend to be harder to remember, consider a
passphrase, such as a favorite movie quote, song lyric, or poem, and string
together only the first one or two letters of each word in the sentence.
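To make the length argument concrete, here is an added example (not from the article) that builds a password from the first one or two letters of each word of a sentence and then estimates how long an exhaustive search of the resulting keyspace would take. The guess rate of 10 billion per second is an assumption chosen for illustration; the real figure depends on how the site hashes its passwords.

```python
# Assumed attacker speed for the estimate: 1e10 guesses per second, roughly a
# GPU rig against a fast, unsalted hash. Real figures vary by orders of
# magnitude with the hash function the site uses; this is a constructed value.
GUESSES_PER_SECOND = 1e10


def passphrase_initials(sentence: str, letters_per_word: int = 1) -> str:
    """Build a password from the first one or two letters of each word in a
    memorable sentence, keeping the original capitalisation."""
    words = [w.strip(".,;:!?\"'()") for w in sentence.split()]
    return "".join(w[:letters_per_word] for w in words if w)


def charset_size(password: str) -> int:
    """Size of the smallest union of standard character classes an attacker
    would have to enumerate to cover this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_hours(password: str,
                      guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case hours to exhaust every string of this length over this
    charset at the given guess rate (an upper bound; smarter attacks do better)."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / guesses_per_second / 3600


if __name__ == "__main__":
    quote = "Frankly, my dear, I don't give a damn."
    for n in (1, 2):
        pw = passphrase_initials(quote, n)
        print(f"{n} letter(s)/word -> {pw!r} ({len(pw)} chars): "
              f"{brute_force_hours(pw):,.1f} hours to exhaust")
```

With one letter per word the quote yields an 8-character password that falls well inside the 24-hour window at the assumed rate; two letters per word gives 14 characters, which does not. The estimate is an upper bound: the initials of a famous quote can show up in phrase-based cracking lists, so a sentence only you know is a better source than a well-known line.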
OR JUST JAM ON YOUR KEYBOARD
For sensitive accounts, Mr. Grossman says that instead of a passphrase, he will randomly jam on his
keyboard, intermittently hitting the Shift and Alt keys, and copy the result
into a text file which he stores on an encrypted, password-protected USB drive.
“That way, if someone puts a gun to my head and demands to know my password, I
can honestly say I don’t know it.”
STORE YOUR PASSWORDS SECURELY
Do not store your passwords in your in-box or on your desktop. If malware infects
your computer, you’re toast. Mr. Grossman stores his password file on an
encrypted USB drive for which he has a long, complex password that he has
memorized. He copies and pastes those passwords into accounts so that, in the
event an attacker installs keystroke logging software on his computer, they
cannot record the keystrokes to his password. Mr. Kocher takes a more
old-fashioned approach: He keeps password hints, not the actual passwords, on a
scrap of paper in his wallet. “I try to keep my most sensitive information off
the Internet completely,” Mr. Kocher said.
A PASSWORD MANAGER? MAYBE
Password-protection software lets you store all your usernames and passwords in one place. Some
programs will even create strong passwords for you and automatically log you in
to sites as long as you provide one master password. LastPass, SplashData
and AgileBits
offer password management software for Windows, Macs and mobile devices. But
consider yourself warned: Mr. Kocher said he did not use the software because
even with encryption, it still lived on the computer itself. “If someone steals
my computer, I’ve lost my passwords.” Mr. Grossman said he did not trust the
software because he didn’t write it. Indeed, at a security conference in
Amsterdam earlier this year, hackers demonstrated how easily the cryptography
used by many popular mobile password managers could be cracked.
IGNORE SECURITY QUESTIONS
There is a limited set of answers to questions like “What is your favorite color?” and most answers to
questions like “What middle school did you attend?” can be found on the Internet.
Hackers use that information to reset your password and take control of your
account. Earlier this year, a hacker claimed he was able to crack into Mitt Romney’s
Hotmail and Dropbox accounts using the name of his favorite pet. A better
approach would be to enter a password hint that has nothing to do with the
question itself. For example, if the security question asks for the name of the
hospital in which you were born, your answer might be: “Your favorite song
lyric.”
USE DIFFERENT BROWSERS
Mr. Grossman makes a point of using different Web browsers for different activities. “Pick one browser for
‘promiscuous’ browsing: online forums, news sites, blogs — anything you don’t
consider important,” he said. “When you’re online banking or checking e-mail,
fire up a secondary Web browser, then shut it down.” That way, if your browser
catches an infection when you accidentally stumble on an X-rated site, your
bank account is not necessarily compromised. As for which browser to use for
which activities, a study last year by Accuvant Labs of Web browsers —
including Mozilla Firefox, Google Chrome and Microsoft Internet Explorer —
found that Chrome was the least susceptible to attacks.
SHARE CAUTIOUSLY
“You are your e-mail address and your password,” Mr. Kocher emphasized. Whenever possible, he will
not register for online accounts using his real e-mail address. Instead he will
use “throwaway” e-mail addresses, like those offered by 10minutemail.com.
Users register and confirm an online account, which self-destructs 10 minutes
later. Mr. Grossman said he often warned people to treat anything they typed or
shared online as public record.
“At some point, you will get hacked — it’s only a matter of time,”
warned Mr. Grossman. “If that’s unacceptable to you, don’t put it online.”