The endless stream of news concerning hacks into all kinds of organisations (Sony merely being the poster-boy of the moment) continues to uncover some very disturbing facts in relation to password re-use.
I read in the past few days of a researcher (Troy Hunt) who had access to some of the exposed data from a recent Sony hack which included plain text passwords and email addresses. He then compared the data with the earlier hack on Gawker. What was interesting was the number of common accounts (based on an identical email address in both data sets) with identical passwords. How many people do you think were in this category?
Sixty-seven per cent!
THAT is one of the major reasons everyone is telling affected users to change their passwords. On every site they visit, not just the hacked ones.
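The comparison described above, as an added example that is not part of the original post or of Troy Hunt's analysis: two constructed breach dumps (email, plaintext password), joined on a normalised email address, and the share of shared accounts whose password is identical in both. The sample data, the `reuse_rate` and `reused_accounts` functions and the example values are all assumptions made for the illustration.

```python
from collections import namedtuple

# Constructed sample data in the shape described in the post: one dump per
# site, each a list of (email, plaintext password) pairs. None of these are
# real accounts or real passwords.
BREACH_A = [
    ("alice@example.com", "Passw0rd"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "letmein"),
    ("dave@example.com", "qwerty"),
]
BREACH_B = [
    ("Alice@Example.com", "Passw0rd"),   # same password, email case differs
    ("bob@example.com", "hunter2"),      # same password
    ("carol@example.com", "icletmeon"),  # different password
    ("erin@example.com", "correcthorse"),
]

ReuseReport = namedtuple("ReuseReport", "common reused percent")


def normalise_email(email):
    """Join key for the two dumps: email addresses are case-insensitive
    in practice, so compare them lower-cased and stripped."""
    return email.strip().lower()


def _index(breach):
    """Map normalised email -> password for one dump (last entry wins)."""
    return {normalise_email(e): p for e, p in breach}


def reused_accounts(breach_a, breach_b):
    """Return the sorted list of email addresses present in both dumps
    whose password is byte-for-byte identical in both."""
    a, b = _index(breach_a), _index(breach_b)
    return sorted(e for e in a.keys() & b.keys() if a[e] == b[e])


def reuse_rate(breach_a, breach_b):
    """Return (common accounts, accounts reusing a password, percentage).

    Only accounts appearing in both dumps are counted, which is the same
    basis as the 67% figure quoted in the post."""
    a, b = _index(breach_a), _index(breach_b)
    common = a.keys() & b.keys()
    reused = reused_accounts(breach_a, breach_b)
    percent = round(100.0 * len(reused) / len(common), 1) if common else 0.0
    return ReuseReport(len(common), len(reused), percent)


if __name__ == "__main__":
    report = reuse_rate(BREACH_A, BREACH_B)
    print(f"{report.common} accounts in both dumps, "
          f"{report.reused} reusing the same password ({report.percent}%)")
    for email in reused_accounts(BREACH_A, BREACH_B):
        print("  notify:", email)
```

Running it on the constructed data reports 3 accounts in both dumps and 2 of them reusing a password (66.7%), which is the kind of overlap the post is talking about. The join key is the normalised email address only; a defender doing this for real would compare password hashes rather than keep plaintext around, and would use the list of reused accounts as the notification list for forced resets.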
In fact, following on from this, and I don’t think anyone sensible has been brave enough to try, I’d like to bet that a good percentage of those email addresses could be accessed with the passwords included in the hacked data.
Actually the guys at LulzSec did just that – they identified a specific user in the InfraGard hack and accessed his email account using only the information gleaned from the hack.
So, what should you do? Clearly you can’t have a different password for every site you visit that demands one – you’d forget them all (or keep a huge list beside your computer!). Many experts suggest maintaining a hard-to-guess core password (something like Xax!2Jj5 – but, please, make up your own) and wrapping site-specific information around it. So maybe if you were logging into the protected area of the Sony Pictures website, you might make the password icXax!2Jj5on where you’ve extracted the second and third characters of the company name and wrapped them around the core password.
But hey, use your own rules.
Now there are often good reasons to use a throw-away password for sites that pointlessly ask for an account to be created, but as soon as such sites have your email address, or any other personal information, you must turn your personal security switch on.
Of course, the biggest no-no is to reuse critical passwords (such as your banking access) anywhere else at all; those passwords must be unique. Make these passwords tough to remember; in fact write them down – I know of no spyware that can actually scan the pieces of paper scattered around your desk.
It’s often said that passwords themselves are the biggest risk to personal security, but unfortunately, the price is right, so we’re probably stuck with them for a long time to come.