How To Choose and Use Strong Passwords


The recent password compromises of Hotmail, GMail and (from other reports I've read) Yahoo! Mail make this a good time to revisit the issue of passwords.



The webmail services in these cases are saying that phishing is the likely cause of the breach. Security firm ScanSafe thinks that there are other possibilities, but I think it's reasonable to believe phishing is the culprit here, and certainly phishing is a major problem, as evidenced by yesterday's arrests in the US and Egypt.

Passwords are collected by the bad guys in many ways, such as by malware that scans the system and monitors Internet usage for usernames and passwords. Dictionary attacks are also used to guess passwords from a list of common ones. But in this case only webmail credentials were found. Webmail systems are tough to attack with dictionary attacks because they won't let you attempt login after login trying different credentials.

If your password is collected by phishing or through malware finding it on your computer or snooping it as you type it on a form, a strong password does you no good. Whether the password is strong or weak you have to make an effort to protect it on your system and not to give it away to the wrong people. Apart from some security savvy for recognizing threats, for most people the best defense is to use a good security suite and to keep it updated. These will make it much harder for malware to get on your system or to run unimpeded if it does. Most of them also detect and block phishing attempts.

But you still want to have strong passwords. There are places where weak passwords can be compromised, such as the login for your PC. Now very few people, including the experts, do all the things experts tell them to do in this regard. After all, it's inconvenient.

Acunetix analyzed the leaked list of Hotmail passwords and found that many of the users had chosen weak passwords. The most popular password in the list (64 of them) was '123456' which, after 'password', is the all-time classic weak password. Interestingly, there were 11 instances of 'alejandra' and lots of Spanish words and names, perhaps saying something about the phishing campaign used to obtain the accounts.

How do you choose a strong password? Here are some guidelines:


  • The longer the better: At least 8 characters.
  • Mix upper and lower case, punctuation and numerals.
  • One good way to implement both of the first two rules is with a passphrase, i.e. a sentence instead of a word: "I hate passw0rds, they suck" or "My father was born in 1929." I use these in a few places but, alas, not all sites allow you that long a password or to embed spaces.
  • Avoid passwords that are words in a dictionary, especially common words.
  • Avoid reusing passwords, especially those for critical resources like your e-mail, on other sites. Doing this exposes you to a wider compromise than necessary.

 

Most of us don't have the memory bandwidth to deal with a large number of obscure passwords, so a good next step is to use a password management program, such as Roboform or the open source Password Safe. Some suites, like Norton Internet Security 2010, include password management. These programs auto-generate strong passwords and remember them for you; you just remember a master password.
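The guidelines in the list above and the auto-generation step that password managers perform can be expressed as a short check. This is an added example, not code from the article or from any of the products named; `check_password`, `generate_password`, the `used_elsewhere` parameter and the small `COMMON` list are assumptions made for illustration.

```python
import secrets
import string

# Constructed sample of common passwords; a real check would load a far larger list.
COMMON = {"password", "123456", "qwerty", "letmein", "alejandra"}
# Undo common character substitutions (0 -> o, @ -> a, ...) before the lookup.
LEET = str.maketrans("0134578@$", "oieastbas")
EDGE = string.digits + string.punctuation

def check_password(candidate, used_elsewhere=()):
    """Return the guidelines a candidate breaks; an empty list means none."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    classes = {
        "lower case": str.islower,
        "upper case": str.isupper,
        "numerals": str.isdigit,
        "punctuation": lambda c: c in string.punctuation,
    }
    for name, test in classes.items():
        if not any(test(c) for c in candidate):
            problems.append("no " + name)
    # Dictionary check: compare the raw value, then the value with digits and
    # punctuation stripped from both ends and substitutions undone.
    lowered = candidate.lower()
    core = lowered.strip(EDGE)
    if {lowered, core, core.translate(LEET)} & COMMON:
        problems.append("common dictionary word")
    # used_elsewhere (hypothetical): passwords already in use on other sites.
    if candidate in used_elsewhere:
        problems.append("reused from another site")
    return problems

def generate_password(length=16):
    """Draw random candidates until one satisfies every guideline."""
    if length < 8:
        raise ValueError("length must be at least 8")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate
```

Both passphrases quoted in the list pass every check, while a single dictionary word with substitutions and a trailing symbol is still flagged as a common word.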

For more advice, see our story "Stop Forgetting Your Passwords," with reviews of Roboform and other products to help.
