June has already been a bad month for getting hacked. Professional networking site LinkedIn, dating site eHarmony and CBS-owned streaming radio site Last.fm all reported that user password data from about 8 million accounts was stolen.
While all advised their customers to change their passwords — LinkedIn went so far as to disable compromised accounts, forcing users to create new passwords — changing your password isn’t enough.
Attackers have new strategies, and companies have responded with better protection methods. Combined, these two factors have changed what it takes to make a safe password.
In the “old” days, cybercriminals ran dictionary programs to reveal passwords. A piece of software could try billions of combinations every second to enter an account. That’s why you’ve been warned not to use words found in a dictionary.
Maybe you don’t even use words, just a string of random letters, numbers and a special character thrown in to comply with so-called strong password standards. Again, technology has advanced so that even seemingly random strings can be generated in a fairly short time.
But that hasn’t proved efficient enough for some cybercriminals. By breaking into online company records, they could steal passwords and associated user information. Why hassle with a one-at-a-time approach when you could get a list of millions, ready to exploit? Enter the data breach.
Today, many companies don’t even store your password itself because it’s too risky. Instead, they “hash” account holders’ passwords, using algorithms to turn even a simple password into a long, scrambled string of letters and numbers.
But even that hasn’t been enough. The next step was to “salt” the hash: extra characters are added to each password before it is hashed, for added protection. As it turned out, LinkedIn revealed that it did not use the salting technique.
But the real problem for companies lies in using the same out-of-the-box protection programs everyone else uses: when security is duplicated across sites in this way, sophisticated criminals can decode stolen data far more easily. And that can be a problem for you.
What can you do? Security experts urge people to dump their 8-character passwords and consider 12 characters as the new minimum.
Here’s the difference in going from eight to 12. An 8-character password means that there are 722 trillion possibilities based on 26 upper-case letters, 26 lower-case letters, 10 numbers and 10 special characters. A 12-character password increases the possible combinations to 19 sextillion — a number that for the time being is too big for criminals to crack.
Length doesn’t mean your new password will be harder to remember. Any four common, unrelated words that add up to more than 12 characters are now considered one of the most secure password configurations. Use an entire sentence if the site will allow it — the longer the better.
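To make the two ideas above concrete, here is an added example (not part of the original article, and not code from any of the companies named): it works out the 8- versus 12-character arithmetic with the article’s 72-symbol alphabet, and contrasts the unsalted hashing the article says LinkedIn used with per-user salted hashing. The guess rate, the choice of SHA-1 for the unsalted case and PBKDF2 for the salted case, and the user records are all assumptions for illustration.

```python
import hashlib
import hmac
import os

# The article's character set: 26 upper, 26 lower, 10 digits, 10 specials.
ALPHABET_SIZE = 26 + 26 + 10 + 10  # 72


def keyspace(length, alphabet=ALPHABET_SIZE):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet ** length


def seconds_to_exhaust(length, guesses_per_second):
    """Worst-case time for a guessing program to try every combination.
    The guess rate is an assumed figure, not one from the article."""
    return keyspace(length) / guesses_per_second


def unsalted_hash(password):
    """Hash only, no salt (SHA-1 assumed for illustration): every account
    with the same password produces the same stored value, so one lookup
    table decodes all of them at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt=None, iterations=100_000):
    """Per-user random salt plus a deliberately slow iterated hash (PBKDF2).
    Returns (salt, hex digest); store both alongside the account."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for each account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest.hex()


def verify(password, salt, stored_hex, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_hex)


if __name__ == "__main__":
    for n in (8, 12):
        print(n, "chars:", keyspace(n), "combinations,",
              round(seconds_to_exhaust(n, 10**9) / 86400), "days at 1e9/s")
    # Constructed records: two users who happened to pick the same password.
    print(unsalted_hash("Summer2012!") == unsalted_hash("Summer2012!"))  # True
    a, b = salted_hash("Summer2012!"), salted_hash("Summer2012!")
    print(a[1] == b[1])  # False: different salts, different stored values
```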
But one safety rule that hasn’t changed is to never use a password for more than one account if that site contains sensitive information, such as your online banking account.
It’s unlikely that a criminal could do much with your LinkedIn password — these types of passwords sell for $1 or less on the black market, compared to bank account passwords that can sell for up to $850 each, according to security firm Symantec — but if you’ve used your LinkedIn account password for your bank site, you could be in big trouble. Those cheap and often easier-to-steal passwords are routinely used to unlock accounts on more lucrative sites, and that’s why you must use unique passwords.
“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess,” Randall Munroe wrote to accompany his now famous cartoon on the blog xkcd.com.
So pick four words that are easy for you to remember, and you’ll be safer than you are today.
Have a question? Email Leslie Meredith at firstname.lastname@example.org, or join her at AskLeslie on Facebook or Leslie Meredith on Google+.