Tuesday, June 7, 2011

Keep separate passwords: The lesson from the hacking in the news.

There is a lesson in the hacking reports that are flying fast and furious.

You must strongly consider never using the same password more than once, especially on "important sites" like your bank, your school, Facebook, and Twitter (places that are your identity).

Use as long a password as you can and do not include any identifiable words, numbers, names, or birthdays. If you must, write them down (despite what experts say), because it is more important that you have separate, unique passwords for these important sites.

If one gets stolen (it seems corporate security measures are at an all-time low... worse than we ever imagined) and you use it for your bank as well... guess what happens next?

If you choose to write these down, protect the piece of paper like you would your credit card or SSN card. But it is more important right now that you have separate passwords than to "not write them down".

What we are discovering is that best practices for storing credentials are not even close to being followed. The Gawker hack may have shown that way too many users are using "password" for their password, but it also shows that web programmers are NOT PROTECTING YOU.

The Sony hack shows that, even if you just use a PlayStation 3, they still have you create a username and password, and you might be putting in your credit card information so you can make purchases quickly. That data is at risk if you reuse passwords on another site that is compromised.

The hacking at Sony started with Sony shutting down its PlayStation Network because they discovered they had left the door open to copying game content. When the extent of just how lax Sony was in its security practices became clear, hackers pounced. They are going after every site Sony has any connection to, in every country, looking for anything. And that's when the password stealing started heating up.

A web site should be able to protect your password by NEVER STORING IT. I know that might sound weird, but it is 100% true. There are much, much safer ways to authenticate a user without actually knowing the true password. I won't get into the gory technical details, but just be warned: if you read a story about a hack where passwords were recovered, rest assured this is a company that does not deserve your business. They are not even following the best procedures of 1995, much less 2011.

The scary thing here is I think this is the tip of the iceberg. Now that we know that passwords are being kept in plaintext or in hashes that are not salted, hackers are more curious to see just how many web sites out there are not protecting you. You have to protect yourself.
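As an added illustration (not code from this post), here is the "never store the password" approach described two paragraphs up, written in Python: the site keeps only a random salt and a PBKDF2 hash, checks a login by recomputing the hash, and the unsalted hash the previous paragraph warns about is shown beside it for contrast. The iteration count is an assumed illustration value, not a recommendation from the post.

```python
import hashlib
import hmac
import os

# Assumed illustration parameters for PBKDF2-HMAC-SHA256; a real site tunes
# the iteration count to its own hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def create_record(password: str) -> str:
    """Return the only thing the site needs to keep: scheme, iterations,
    salt and hash. The password itself is never written anywhere."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time,
    so a login check never needs the original password on disk."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_record(password: str) -> str:
    """The weak pattern the post warns about: one bare hash, no salt, so every
    user who picks the same password gets the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two different users who both pick "password".
    a = create_record("password")
    b = create_record("password")
    print("salted records differ for identical passwords:", a != b)
    print("unsalted records collide:", unsalted_record("password") == unsalted_record("password"))
    print("login with right password:", verify("password", a))
    print("login with wrong password:", verify("Password", a))
```

Because each salted record is different, a leaked database cannot be checked against one precomputed table the way a column of unsalted hashes can.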

If your bank is compromised and your password exposed, you can at least know that hackers can't use that information, by itself, to go log into all of your other banks, Facebook, Twitter, and web based email, because you don't use the same password twice.

To be perfectly honest with you, I do have to get going. I have to go change one or two passwords I've been neglecting.
