You think I am exaggerating? Maybe I am for some people. But for the majority I am clearly not. This includes even big players on the Internet, who definitely should know better! And that really upsets me, because those careless people obviously have access (i.e. passwords) to many other people’s data, including customers’ data.
Read here what recently happened to many Twitter employees, including those dealing with confidential documents, which have now been published on TechCrunch.
The English translation of the original source can be found here.
These are the two lessons to learn:
- Do not use third-party services to store confidential information!
- Use passwords and security questions, which cannot be guessed easily!
A password must:
- not be shorter than 8 characters
- not consist of letters only (better: mix in numbers and special characters!)
- not contain natural language (i.e. words which can be found in dictionaries)
- not contain names, birth or anniversary dates, parts of (previous) home addresses, your favourite colour or hobby
- not be re-used on a whole bunch of different web sites
- not be stored in your email inbox (if a bloody stupid provider sends you non-temporary cleartext passwords, delete them instantly from any online media or computer, and change the password, unless you want the next worm or Trojan to forward them to criminal parties)
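As an added illustration that is not part of the original post, here is a small Python checker that encodes the rules above; the dictionary, the personal-detail list and the stored hash of a previously used password are constructed placeholders standing in for the real lists a deployment would use.

```python
import re
from hashlib import sha256

# Constructed sample data (not from the post): a tiny dictionary and the kind
# of personal facts anyone could look up about the account owner.
DICTIONARY = {"password", "secret", "summer", "monkey", "twitter", "welcome"}
PERSONAL = {"alice", "smith", "blue", "tennis", "mainstreet"}
# Digest of a password already used on another site; storing only the hash
# avoids keeping old passwords in cleartext, as the post warns against.
PREVIOUS = {sha256(b"Summer2008!").hexdigest()}


def check_password(pw: str, personal=PERSONAL, previous=PREVIOUS) -> list[str]:
    """Return the rules from the post that `pw` violates (empty list = OK)."""
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if pw.isalpha():
        problems.append("contains only letters")
    # Natural-language words anywhere in the password (case-insensitive).
    if any(w in low for w in DICTIONARY if len(w) >= 4):
        problems.append("contains a dictionary word")
    # Names, colours, hobbies, street names: the guessable personal details.
    if any(t in low for t in personal):
        problems.append("contains a name or personal detail")
    # Years (19xx/20xx) or 6-8 digit runs such as DDMMYYYY birth dates.
    if re.search(r"(19|20)\d{2}|\d{6,8}", pw):
        problems.append("contains what looks like a date")
    # Re-use is detected against hashes of passwords used elsewhere.
    if sha256(pw.encode()).hexdigest() in previous:
        problems.append("re-used from another site")
    return problems
```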
Don’t think password hacking happens to the big players only. Those of you who have been running their own (web) servers for a while should have a look into the auth.log and access.log files (for a start). Hopefully that opens your eyes: automated password cracking and site hacking attempts are no exception; they happen regularly to all of us. And they happen to all third-party services you use, but there you have no influence whatsoever, hence you cannot do anything except make your passwords and security questions as difficult to guess as possible!
Please help make people aware of the necessity of strong passwords. Just share this post via Twitter, Facebook, or whatever social network you are a member of. Thank you!
I think that obscure passwords are not good, because even if users pick such a password, then usually one of these things happens:
1. They forget it, restore it and change it to something simple
2. They write it down somewhere
So I think that a better approach is to use whole sentences as passwords. Even simple sentences like “My wife’s name is ..” are immune to dictionary attacks, brute-force attacks and rainbow tables.
Yes, to a certain extent that is true. However, many sites limit your password length (aka “choose a password between 6 and 12 characters”), which obsoletes your approach.
It’s certainly arguable, but I think it’s still better to write down a password on an offline medium (which would require physical theft) than to choose a simple password, as simple passwords could be hacked by literally anyone out there, whereas your offline notes can only be accessed by a rather tiny group of people (if at all).
But we do agree on the fact that the brain is the best place to store a password.
Yeah, I love those sites, especially my hosting provider, who in addition disallows some “special” characters in passwords.
And I agree that the brain is the best place, although I could tell you a story. I created a new account at a new bank, because they had a super high interest rate. I was assigned a temporary customer ID and password, which I had to change (both) immediately after logging in to my internet banking account. So I picked a crazy paranoid password and ID and saved them to my brain. A week after, my debit card arrived via snail mail with instructions to activate it in IB.
But I forgot the password. So I called the hotline, where they asked for my customer ID, which I had forgotten too.
Sounds familiar.
And again, Twitter utterly fails when it comes to security basics:
http://www.techcrunch.com/2009/07/15/another-security-tip-for-twitter-dont-use-password-as-your-password/