OK, Folks! Today’s lesson is Password Security.

Friday morning I got up and sat down to start checking my e-mail. About then a message from Mom pops up. It was spam. Now, spammers forge the sender name all the time, so I was only a little annoyed. But when I checked the headers I found this had actually come from Mom’s account. They’d cracked her password and were using her account to spew their garbage at everyone in her address book. Fortunately my name was near the top of the list, so we were able to cut them off quickly.

Now in this case, the spammers’ objective was simple: exploit someone’s e-mail account to send links to their pharmaceuticals site. People are more likely to open links in an e-mail from someone they know than from some random source.

I used to handle abuse mail for a local ISP, and one thing I had to deal with time after time was accounts that had been exploited in one way or another because the customer had a weak password. On contacting the customer to let them know this had happened, I commonly heard “but there’s nothing on my account to steal.” The thing is, the people stealing accounts aren’t looking for anything to take from you. They want the access. It’s like someone looking for a getaway car. They don’t want a flashy, expensive car, they want something nondescript. Worse, they’re going to park it back in your driveway and leave you to explain to the cops.

Not too long ago I read about a study done on a password list that had been publicly posted by the people who had stolen it. Mind you, the study released no login and password information itself. Most passwords were simple words or, worse, sequences of letters or numbers, such as “12345678” or “abcdefg”. Passwords like that are subject to what’s called a dictionary attack: a computer program tries all of the most common passwords first, then works through a dictionary. Trust me, sooner or later, someone’s going to try it against one of your accounts. Adding a few digits or substituting digits for letters doesn’t do a whole lot of good. They’re on to that.

A strong password should be more or less random. The more random the better. That means capital letters somewhere in the middle, as well as numbers and even special characters (such as the ones above the numbers on your keyboard). And they need to be LONG! Eight characters long is nothing these days. Time to start looking at 10 or 12. As an example: 8#&#”6%h6X

Creating strong passwords isn’t that hard. Open a book to a random page. Use the first letters from each line, throw the page number in there somewhere and any special characters on the page. Or, open a text editor or word processor program, close your eyes and peck at random on your keyboard, then replace a letter or two with a capital letter. Or you could look up a strong password generator on the web, like: http://strongpasswordgenerator.com/
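To put numbers on the advice above (dictionary attacks and leet substitutions, randomness, length, and generation), here is an added example that is not part of the original post. It scores a password the way a cracker's first pass would, undoing digit-for-letter swaps and stripping appended digits before checking a small constructed common-password list, estimates guessing work in bits from length and character classes, and generates a random password from the operating system's CSPRNG. The common-password list, the leet map, and the 10-character / 60-bit thresholds are assumptions chosen to match the post's recommendations, not figures from any study it cites.

```python
import math
import secrets
import string

# Constructed sample of common passwords: a stand-in for the top of a real
# cracking wordlist. "12345678" and "abcdefg" come from the post; the rest are assumed.
COMMON_PASSWORDS = {
    "123456", "12345678", "password", "abcdefg", "qwerty",
    "letmein", "iloveyou", "monkey", "welcome", "dragon",
}

# Digit/symbol-for-letter swaps that guessing tools undo as a matter of course.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def normalize(password: str) -> str:
    """Apply the rules a cracker applies: lowercase, drop appended digits, undo leet swaps."""
    return password.lower().rstrip(string.digits).translate(LEET_MAP)


def is_run(s: str) -> bool:
    """True for ascending runs of 4+ characters such as 'abcdefg' or '12345678'."""
    return len(s) >= 4 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def is_dictionary_weak(password: str) -> bool:
    """Would the password fall to the first pass of a dictionary attack?"""
    lowered = password.lower()
    return (lowered in COMMON_PASSWORDS
            or normalize(password) in COMMON_PASSWORDS
            or is_run(lowered))


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet containing every character used."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def entropy_bits(password: str) -> float:
    """Guessing work for a password drawn uniformly from its character set.
    Human-chosen passwords are far less random, so treat this as an upper bound."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def verdict(password: str) -> str:
    """Combine the checks into the post's advice: not guessable, long, random."""
    if is_dictionary_weak(password):
        return "weak: in a dictionary or a simple sequence"
    if len(password) < 10:
        return "weak: too short"
    if entropy_bits(password) < 60:
        return "fair: add length or character classes"
    return "strong"


def generate_password(length: int = 12) -> str:
    """Random password from a CSPRNG, resampled until every character class appears."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold one of each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


if __name__ == "__main__":
    samples = ("12345678", "P@ssw0rd123", "abcdefgh", "correcthorse",
               '8#&#"6%h6X', generate_password())
    for pw in samples:
        print(f"{pw!r:20} {entropy_bits(pw):5.1f} bits  {verdict(pw)}")
```

Run it and "P@ssw0rd123" is rejected as a dictionary word, because normalizing it yields "password"; the post's own example password scores about 65 bits and passes, and each call to `generate_password()` yields a fresh 12-character password, which is also how you get a different one for every site rather than reusing a favourite.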

Of course, memorizing strong passwords is a pain, I know. So once you’ve got a good password there’s a temptation to use it over and over. I’ve been guilty of that myself. But that gets into the next password weakness. Every month you’ll read about one site or another being hacked and the password lists (or worse, credit card lists) stolen. Someone will be trying out those logins and passwords on other services, especially since so many sites now want you to use your e-mail address as your login.

I think that’s how they got Mom. Some of her other friends had their e-mail accounts hacked as well, for the same sort of spam. Very likely they were registered on a site that either had its password list stolen, or worse, was set up to steal passwords in the first place.

DON’T reuse the passwords for your e-mail accounts, work accounts, and financial accounts on anything else. If anything, your e-mail account needs the strongest password, since it can be used to recover lost passwords for many other services you use. Really, you should use a different password for every site. Why? Sometimes, if there’s nothing else to do, the dirtbags will simply engage in ruining your reputation and/or friendships.

So, in summary:

1) Don’t assume you’ve got nothing they want. They want access to the service, not your data.
2) Don’t keep it simple. It may be hard to remember, but that means it’s hard to hack.
3) Don’t use the same password over and over. Your password is only as secure as the system you’re logging on to, which may not be secure at all.
4) Do take this seriously. It takes less time to set up good, strong passwords than to deal with what will happen if you get hacked.