yARN: I’ll bet you only have one password and use it everywhere
- 13 June, 2011 17:25
- Comments 1
The endless stream of news concerning hacks into all kinds of organisations (Sony merely being the poster-boy of the moment) continues to uncover some very disturbing facts in relation to password re-use.
I read in the past few days of a researcher (Troy Hunt) who had access to some of the exposed data from a recent Sony hack which included plain text passwords and email addresses. He then compared the data with the earlier hack on Gawker. What was interesting was the number of common accounts (based on an identical email address in both data sets) with identical passwords. How many people do you think were in this category?
Sixty-seven per cent!
THAT is one of the major reasons everyone is telling affected users to change their passwords. On every site they visit, not just the hacked ones.
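The comparison described above (join two leaked data sets on e-mail address, then count how many shared accounts carry an identical password) is easy to reproduce, and doing it on your own organisation's exposure data is a quick way to measure reuse risk. The following Python script is an added example, not code from the post or from Troy Hunt; the two "dumps" are tiny constructed samples with deliberately inconsistent e-mail casing, and the 67% figure is the post's, not something this data reproduces exactly.

```python
"""Measure password reuse across two breach dumps, joined on e-mail address.

Added example (not from the ARN post). The two dumps are constructed
samples; a real analysis runs over the full leaked files.
"""
import hashlib

# Constructed sample records: (email, password) as they might appear in two
# unrelated leaks. Casing and whitespace differ on purpose to show why the
# join key must be normalised.
SITE_A = [
    ("alice@example.com", "Summer2011"),
    ("Bob@Example.com", "letmein"),
    ("carol@example.com", "hunter2"),
    ("dave@example.com", "Xax!2Jj5"),
]
SITE_B = [
    ("alice@example.com ", "Summer2011"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "Hunter2"),
    ("erin@example.com", "qwerty"),
]


def normalise_email(addr: str) -> str:
    """Strip and lower-case so 'Bob@Example.com' and 'bob@example.com' join.
    (Local parts are case-sensitive on paper; in practice providers ignore case.)"""
    return addr.strip().lower()


def fingerprint(password: str) -> str:
    """Compare SHA-256 digests rather than carrying plaintext around.
    Comparison is exact: 'hunter2' and 'Hunter2' are different passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def load(records):
    """Map normalised e-mail -> password fingerprint, keeping the first entry seen."""
    table = {}
    for email, password in records:
        table.setdefault(normalise_email(email), fingerprint(password))
    return table


def reuse_stats(dump_a, dump_b):
    """Return (accounts in both dumps, accounts with identical password, percentage)."""
    a, b = load(dump_a), load(dump_b)
    common = sorted(set(a) & set(b))
    same = [email for email in common if a[email] == b[email]]
    pct = 100.0 * len(same) / len(common) if common else 0.0
    return len(common), len(same), pct


if __name__ == "__main__":
    common, same, pct = reuse_stats(SITE_A, SITE_B)
    print(f"{common} accounts appear in both dumps; "
          f"{same} use the same password in both ({pct:.0f}%)")
```

On the constructed sample, three accounts appear in both dumps and two of them reuse the password, so the script reports 67%; swap in the real files and the same function gives the figure for your own population. Hashing before comparison is a small courtesy to whoever handles the output, not a protection for the plaintext already in the dumps.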
In fact, following on from this, and I don’t think anyone sensible has been brave enough to try, I’d like to bet that a good percentage of those email addresses could be accessed with the passwords included in the hacked data.
Actually the guys at LulzSec did just that – they identified a specific user in the InfraGard hack and accessed his email account using only the information gleaned from the hack.
So, what should you do? Clearly you can’t have a different password for every site you visit that demands one – you’d forget them all (or keep a huge list beside your computer!). Many experts suggest maintaining a hard-to-guess core password (something like Xax!2Jj5 – but, please, make up your own) and wrapping site-specific information around it. So maybe if you were logging into the protected area of the Sony Pictures website, you might make the password icXax!2Jj5on where you’ve extracted the second and third characters of the company name and wrapped them around the core password.
But hey, use your own rules.
Now there are often good reasons to use a throw-away password for sites that pointlessly ask for an account to be created, but as soon as such sites have your email address, or any other personal information, you must turn your personal security switch on.
Of course, the biggest no-no is to reuse critical passwords (such as your banking access) anywhere else at all; those passwords must be unique. Make these passwords tough to remember; in fact, write them down – I know of no spyware that can actually scan the pieces of paper scattered around your desk.
It’s often said that passwords themselves are the biggest risk to personal security, but unfortunately, the price is right, so we’re probably stuck with them for a long time to come.
Comments
Baysnet
1
The password isn't the problem; the problem is a lack of basic IT security awareness training for staff, who don't realise the issue with password reuse and aren't given any strategies to avoid reusing passwords, some of which may provide hackers with privileged access to critical systems.