The Stack Archive

Why password hygiene must become part of your routine

Wed 8 Jun 2016


Stop cybercriminals in their tracks with an ugly password, says John Peterson, Vice President of Enterprise Products at cybersecurity company Comodo…

In a world where it feels like we’re online more than we’re offline, and where virtually everything online now requires a password, it’s no wonder that many of us, when we can, use the same password for numerous sites. Frankly, it’s much less taxing to our overburdened memories to use the same password for anything and everything from our online banking accounts to music streaming and credit card accounts, to our social media accounts.

Sure, we’re told to change our passwords often and to make them ‘robust’ and ‘secure,’ but how many of us really do that? Akin to drinking eight glasses of water a day and eating five servings of vegetables, we know we should be changing our passwords more often – but it’s such a hassle remembering them all, right?

If that sounds like you, then the recent news of an estimated 272.3 million email usernames and passwords from major providers like mail.ru, Yahoo, Gmail and more being stolen should be very distressing news indeed. Thefts like these – and there seems to be a new breach, and hundreds of thousands of user IDs and passwords stolen, every week (LinkedIn, MySpace and Tumblr most recently) – should send a strong shiver down your spine.

You’ve heard it before, but if nothing else, this should provide a strong incentive to change those passwords frequently; and when you do change them, to pay attention to the admonitions by site managers and the online community to make them ‘strong’ and, if possible, ‘unique.’


Most of us know that, to be harder to ‘crack,’ a password needs to contain more than just a few letters or street numbers, dogs’ names, and kids’ birthday digits. Gone are the days of “Password123” as the office’s default password. Now it’s all about special characters and a mix of upper-case and lower-case letters, in addition to numbers and at least a few symbols such as #@^&*.

But just how important is all of this? A password can be as obscure as you want, but once it has been stolen it no longer matters how hard it is to guess, does it? Which raises the question: do we really need to worry so much about our run-of-the-mill passwords?

Pass on the obvious

The short answer is a resounding YES. Tabling the stolen password argument for a moment and focusing simply on hackers ‘guessing’ or using the various tools at their disposal to crack your password, then yes, a somewhat randomized, not instantly obvious password (one NOT featuring your dog or kid’s name, which is often easily obtainable from your social media accounts, for example) is absolutely going to be harder to crack than Password123 or Sparky456, for example.

Some hackers will use programs that simply try more or less all of the combinations they can and, given enough time and tries, they’ll succeed, at least some of the time. And when they do, you’re sunk. So in this case, a strong lock is better than a piece of string on your digital door.

Now, back to whether it’s really important to have a unique password for each of your accounts – the answer here too is an emphatic YES. In Russia’s underground network, experts estimate that there are millions of usernames and passwords for sale at any given time, as a result of earlier cybercrime activity, much of it dating back years. Once hackers find a lucrative opening somewhere, or a new data source, you better believe they’ll make the most of it.

If your LinkedIn password and user ID combo is stolen, and that same combo opens five of your other accounts, including a credit card or bank account – like a master key opening several locks in your digital building – well, you can start to see how much trouble you’re about to be in. Think about how devastating that could be, and you might re-think your ‘same password for multiple sites because I’m lazy’ strategy. The best strategy is taking extra care of email passwords, since most other accounts are likely linked to that email address. And when you change, or, heaven forbid, forget your password, you’ll use that email account to reset and change that password.
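The two rules argued above, "not obvious" and "unique per account", as a small defender-side audit script. This is an added example, not code from the article or from Comodo; the breached-password list, the personal tokens and the account data are constructed samples.

```python
# Added example: audit a set of saved passwords for the two problems the
# article describes, guessable passwords and the same password reused across
# accounts. All data below is constructed for illustration.
import re
from collections import defaultdict

# Constructed stand-in for a list of known-breached / common passwords.
BREACHED = {"password123", "123456", "qwerty", "letmein"}

def weakness_reasons(password, personal_tokens=()):
    """Return the reasons a password is easy to guess (empty list = none found).

    personal_tokens: names an attacker could read off a social profile
    (pet, child, street), e.g. ["Sparky"] catches "Sparky456".
    """
    reasons = []
    lowered = password.lower()
    if lowered in BREACHED:
        reasons.append("appears in breached-password list")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    for token in personal_tokens:
        if token and token.lower() in lowered:
            reasons.append(f"contains personal token '{token}'")
    # Count character classes present: lower, upper, digit, symbol.
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        reasons.append("fewer than 3 character classes")
    return reasons

def reused_groups(accounts):
    """Group sites that share one password (the 'master key' risk).

    accounts: {site: password}. Returns a sorted list of sorted site groups,
    one group per password used on more than one site; passwords themselves
    are not echoed back.
    """
    by_password = defaultdict(list)
    for site, pw in accounts.items():
        by_password[pw].append(site)
    return sorted(sorted(s) for s in by_password.values() if len(s) > 1)

if __name__ == "__main__":
    vault = {"linkedin": "Sparky456", "bank": "Sparky456",
             "mail": "k9!Tq#v2Lm&xW", "shop": "Sparky456"}
    for site, pw in vault.items():
        print(site, weakness_reasons(pw, ["Sparky"]) or "ok")
    print("reused on:", reused_groups(vault))
```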

Frequent changes needed

The other password hygiene recommendation concerns how frequently to change your password. If the password is strong and you haven’t been notified of a breach of your account, a six-month cycle is fine. If your provider has been breached, you need to act immediately and change that password.


One of the most insidious, pervasive and ‘productive’ hackers in recent years is allegedly responsible for a significant amount of the information now available on the Russian underground. Because he’s stolen data from such a wide variety of sources, researchers have named him “The Collector.” Multiply his activity by tens of thousands of other hackers and you start to see the breadth of the problem we’re facing.

People are panicking over the millions of passwords that may have been stolen in these recent high-profile breaches. But those of us on the cybersecurity industry side are in no way surprised by these unfortunately regular occurrences. We hope for the best but plan for the worst each day. Consumers and businesses need to be on high alert every day as well, and assume that cyberattacks will happen, and that credentials will likely be stolen.

Criminals are out there with around-the-clock, mature organizations that pay hackers, phishing experts and spammers to come up with brand new ways to obtain and leverage passwords, social security numbers, bank records, credit card and financial data, and even company trade secrets. To prevent the cybercriminals from winning, end-to-end security is required, which takes into account issues like endpoint, breach detection and secure web gateways.

Every day we need to be on the lookout for potential threats, but even with all of the latest information there is simply no way to stay ahead of all of the malware threats being generated daily, and in unprecedented numbers.

This is why a default-deny approach – compared to a standard default-allow platform – becomes incredibly important, and why automatically containing all unknown files is the only truly safe option out there.

Every piece of malware starts out as an unknown file or link. Only when you protect yourself not only from all known malware but also from all unknown, potentially malicious, files and executables, can you truly stay safe while remaining entirely productive. Otherwise, it’s almost a guarantee that your system will be infected and infiltrated at some point. The only question is based on the severity of the attack, just how far your system and your data – and your customers’ data – will be compromised.

So, use ugly, hard-to-remember, unique passwords, and change them early and often; perhaps use one of the legitimate password apps or services on the market to help you keep track of them. Back up your files regularly, and protect your business with a security solution built on a robust default-deny platform featuring lightweight automatic containment to stop malware in its tracks.
