Why You Should Take Your Passwords Seriously

Unfamiliar messages. Passwords that no longer work. These are just two of the many clues that cybercriminals have gotten a hold of your password and broken into your account.

With the password compromised, the first step is to regain control over the account by changing passwords and checking configuration settings to make sure nothing has changed. However, if the root problem (how the passwords were successfully stolen) is not fixed, then the accounts will just get compromised again and again. That’s why it’s important to take your passwords seriously and to make sure they are strong.

Passwords are immensely valuable, whether they are for email, e-commerce sites, or even “just” a social media platform. Criminals aren’t after your Spotify passwords because they want to see who your favorite artists are. They are banking on the high likelihood that the same password will unlock your email, retail Website, or even your work network. Considering the number of people who re-use their passwords across multiple sites, there is a good chance that someone’s Twitter password is the same as that person’s online banking account.

This is why it’s important to have a unique password for every account and service. If attackers do manage to steal one password, at least the damage is limited to just that site, instead of impacting multiple services. It’s also important to recognize how cybercriminals steal the passwords in the first place and avoid those scams from the start.

How Cybercriminals Steal Passwords
Cybercriminals employ several methods to steal passwords. They can use stealthy malware, tricky social engineering techniques, or just plain brute-force to guess the password. Whichever method they use, the goal is the same: gain access to as many user accounts as possible.

Malware:
All it takes to infect a computer with malware is one person opening a specially crafted attachment, or clicking on a booby-trapped link in a spam message. Cybercriminals send out spam messages promising special deals on luxury goods, offering exclusive details on current events, or the latest gossip on celebrities to trick people into clicking on links. Or they craft emails using basic social engineering tricks to convince users the emails are legitimate, such as pretending to apply for a job, sending delivery notification messages, or even using data mined from social media sites and pretending to be an acquaintance.

The malware likely installs a keylogger component on the computer, which captures every keystroke typed, whether it’s an email message or every single login credential for every single site the user visits. Once the keylogger is installed, the criminals can easily harvest every password ever entered. This is why it is important to keep the security software regularly updated and to scan the computer regularly for malware.

Phishing:
Phishing is a form of social engineering that is very effective. Attackers craft a message that appears to be from a legitimate brand, such as your bank, or well-known sites such as eBay and PayPal, or even a corporate site. When the user clicks on the link, they see a Website which looks like the real thing—maybe the logo on the page is the same. The user thinks it is a real site and enters their login credentials. All the information typed on the bogus site goes directly to the criminals, and the user often has no idea that the password, and now the account, has been compromised.

This is why it is important to be wary of messages in the inbox, to avoid clicking on links in email messages, and to scrutinize all sites to make sure the site is real. Checking the URL carefully is a good way to screen out bad sites, such as www.fcebook.com.

Password Cracking
Cybercriminals may just try to brute-force the password, operating on the assumption that the password is not so complicated. Many users still make the mistake of selecting simple passwords, such as '123456' or 'password'. If the password is a common word that can be found in the dictionary, or a simple sequence of numbers and letters, there are cracking tools that can figure out the actual password. This is why it is important to select unique passwords that are complex, such as having both lower case and upper case letters, symbols, and numbers. Passwords should also be long, to make them harder to crack.
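A worked illustration of the cracking argument above, added here as an example and not code from the original post: it first checks a small constructed common-password list (the kind of words cracking tools try first) and, for anything not on it, computes the brute-force search space from length and character classes. The guess rate is an assumed figure for illustration, and the sample inputs come from the article and its comments.

```python
import math
import string

# Constructed sample of entries found in cracking wordlists; a real checker
# would load a large breached-password list instead of this handful.
COMMON_PASSWORDS = {"123456", "password", "passw0rd", "qwerty", "letmein", "abc123"}

# Assumed offline guess rate for a fast hash (illustrative, not from the article).
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool covering every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace a brute-force attacker must search: length * log2(pool)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def assess(password: str) -> dict:
    """Classify a password the way the article argues: common, weak, or strong."""
    if password.lower() in COMMON_PASSWORDS:
        # A wordlist hit is guessed almost immediately, whatever its character mix.
        return {"verdict": "common", "bits": 0.0, "seconds": 0.0}
    bits = brute_force_bits(password)
    seconds = 2 ** bits / GUESSES_PER_SECOND
    # 64 bits is an assumed threshold; note that length moves the score far more
    # than adding one extra character class does.
    verdict = "strong" if bits >= 64 else "weak"
    return {"verdict": verdict, "bits": round(bits, 1), "seconds": seconds}


if __name__ == "__main__":
    for candidate in ("123456", "password", "SuefT0m*e", "Hot4RitaPrimer&iH8cats"):
        print(candidate, assess(candidate))
```

The character-class estimate only bounds pure brute force; a dictionary word with a digit swapped in is still caught only by the wordlist check, which is why the article's unique-and-long advice matters more than symbol count.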

Attackers will continue to employ various techniques to try to get their hands on user passwords. By employing better password hygiene, users can protect themselves from attack and minimize the damage even if a password does get compromised. Passwords aren't perfect, but unless something better comes along, make sure your passwords are all unique, complex, and long.

21 thoughts on "Why You Should Take Your Passwords Seriously"

  1. Excellent read and a great guide that really helps to secure and keep my account safe. I only just recently started to take my passwords seriously. Now I use a free password generator to come up with a crazy combination of numbers, punctuation and letters. Thanks for sharing this impressive information about internet criminals.

  2. If I can't get anything in French, I'll change antivirus.
    That's how it is.
    With my regards.
    Louis-marc Burri

  3. A simple way to get easy-to-remember but difficult-to-crack passwords. Take two names (or parts of names) that mean something to you but might not be widely known – your parents' first names (Sue and Tom) for example, add two letters from the web site (SafeBank) and insert a non-alphanumeric character. Change an alphabetic character to a number. You end up with: SuefT0m*e. Difficult to crack but easy to remember.

    • Those sound great as long as I don't lose it along with my eyeglasses and my car keys all at the same time. The U.S. is slow to adopt credit cards with a built-in security chip that spits out a different PIN for transactions. All of these new toys make perfect sense. At home I like my password manager replicated on every machine, but I could do that with a USB drive as long as I had several and assuming that they had smart features like a lock-out after so many minutes idle, in case I got distracted and went to hit the latrine leaving the device plugged in. I guess there are alternatives too. I used to leave a bright red SECRET cover sheet between my desk and the office door whenever the safe was open to remind me not to step out of the office and make a potentially career-ending mistake. Folks found that odd, but it worked 100% in an office with only a single exit.

  4. The article says “make sure your passwords are all unique, complex, and long” and have “a unique password for every account and service”. We’re also commonly advised not to write them down or share them. Then all we have to do is remember them, which may not seem too complex to someone of 25. However as you get older and accumulate more passwords and PINs (and e-mail addresses and phone numbers) it is difficult to do. I have forgotten ATM PINs and entered incorrect numbers and lost access to my bank account. I have found myself standing in front of a burglar alarm having entered the wrong number with 25 seconds to remember … There are pieces of software that can store these things, but then what happens if you forget the password for that, or the database gets corrupted, or you carry it around on a memory stick and it gets stolen. How can people with busy lives even find time to manage this stuff? If passwords are really the answer, we’re asking the wrong question.

    • Yes, I know what you mean. I have well over 600 passwords today and there is no way I could manage them without help. See my article http://fawke.eu/general/your-password and note in there that you really then only need to remember just one, really good one. I practice what I preach and as a result, even if I lost the memory stick with the portable version of the password manager on it, I would still be 99.9999999999% safe and as I’m not NSA, that’s good enough for me!

    • I completely agree. I only use about four passwords. I know it's not great, but there are so many sites which (needlessly) require passwords that it is really difficult to keep track, especially if they are unique, complex and long.

    • I use Password Safe a free app that creates one (or more) encrypted data files with all the password associations that you create. I have about 250 password / login combinations so far. I also use it to store credit card numbers and similar data I need from time to time.

      http://passwordsafe.sourceforge.net/downloads.shtml

      It helps organize. You can make backups on a scheduled basis, etc. Keep a standalone version on a thumb drive in some place fireproof, preferably off site. Well thought out. My major issue was how to use up to six computers and how to have changes on one promulgate to the other five. I took a deep breath and decided to keep the .dat file on DropBox. Any change I make on one PC gets forwarded to all others. Both use well respected encryption standards so I sleep well at night.

      If you do not have multiple computers you’ll not undergo that leap of faith.

      Password Safe has data fields in each record that will take you to the desired URL. So if I want to do billpay I open PWS first, select the listing, click the GO button and it takes me to my credit union site. It offers autofill options, and it has a password generator that lets you specify how long and how complex the p/w it generates is. That includes things like omitting characters that are easily confused in case you ever have to manually type in a p/w, and even one option to make the p/w PRONOUNCEABLE. How cool is that? I should try that someday.

      Did I mention that it is free? There is a little bit of a learning curve but WELL WORTH the added security it provides.

    • Pick a master password for your password management software and write up a hint that only you will figure out. Keep the hint anywhere you like. Nobody will understand it unless they know everything about you... in which case you have enough to worry about already. And don't be afraid to lie a bit. Example:

      Your hint: 1st Girlfriend + color of your first car + name of your favorite cat.

      Password = Hot4RitaPrimer&iH8cats

  5. I use strong unique passwords for significant sites like my on-line bank account, e-mail and business accounts. However, for years I have used the same password for junk accounts that I am required to create for trivial tasks like reading an article in an out-of-town newspaper or posting comments to a blog that I'll probably visit only once. I have used that same password so often and for so long that it's probably well known by hackers, but I never use it on accounts that require personal information, so why should I care if someone hacks my access to the Podunk Herald account that I was forced to create just to satisfy my curiosity and read a couple of articles about the local mayor getting caught smoking crack at the city judge's New Year's party? I won't waste a good password for rubbish like that. I don't know why a lot of sites even require an account and log-in anyway, other than an inflated opinion of their own importance. I never use my real name or my ISP e-mail address for those bogus log-ins.

  6. One gigantic pitfall is to use a low-strength password on one's personal email account. I used to use a hi-strength p/w on financial and high-value targets and a fairly simple p/w on email.

    Then one day I realized that if someone hacked my email they could 1) change my email account's p/w, thereby locking me out, and 2) try logins to the hi-value target sites and simply click the "I FORGOT MY PASSWORD" button. Sooner or later they would get a p/w sent to the hacked email and I would be toast, all because I took the attitude that my email system was a low-value target.

  7. The big problem is keeping track of dozens of passwords, especially when some of them must be changed periodically. I recommend keeping a record of them on a removable “thumb” drive, NOT on your hard drive or cloud account, and only plugging that drive in when you need to look up or change a password, and immediately removing the drive as soon as you are no longer referring to it. This physically removes all of your password records from your computer, where they cannot be accessed.

    • Try using a password vault. They’re small password databases protected by encryption. You remember one password to get into the vault and the vault stores all your other passwords. Most will generate passwords based on your specs (length, special characters, caps, etc.) There are a bunch out there and, because of what you’re putting in it, I highly suggest you use one from a reputable company. I’m not trying to advertise but Keepass works for me. There’s even a mobile app version you can run from a thumb drive and a version for your phone. Hope this helps.

  8. I have a cousin, haven’t seen in many a year, but who when emailing ppl, has her name and phone number and home address at the bottom of everything she sends. When I told her about the security risk she was taking, her attitude was, well, I’ve been doing it for years and never had a problem. Granted she’s a fool but, I have heard similar from those who really are smarter than she.
    Go figure.

  9. To all of you asking how to remember all of those unique, strong passwords: PASSWORD MANAGER.
    Or you could do as I did (still do, to some extent) and create a file on a computer not connected to the internet (never connected is best) with a list of the most important passwords, then save and transfer it to a memory card/thumb drive/etc. and copy-paste your passwords into the field when prompted... Oh yeah, DON'T carry that file with you or leave it lying about when you have visitors...

    IF you are using one of ZA's paid-for products (I use Extreme Security) AND keep it up to date, you should have next to zero chance of falling victim to brute force attacks. IF, however, you browse your spam folder contents and randomly click on ANY links, you are defeating the purpose of having security software at all. I have been using ZA for almost seven years now, on multiple computers, and have not been compromised in that time.

  10. One exception to the rule.
    My wife suddenly passed away 4 years ago.
    Thank god she had stored passwords on her gmail
    I was able to send out email to her contacts letting them know the funeral details.
    Was able to get into her 401K and other accounts to notify them of her death.
    On the flip side, a hateful Ex could do the same.
    So please share your passwords / master password with your spouse.
    Could even be added to your will.
