Wednesday, June 24, 2015

7 must-know tips to help you create better, stronger passwords

The hacking misdeeds were described in a New York Times story based on the findings of Hold Security, a Milwaukee firm that has a history of uncovering online security breaches.
Hold Security called the data "the largest known collection of stolen Internet credentials." Hold's researchers did not identify the origins of the data or name the victim websites, citing nondisclosure agreements. The company also said it didn't want to name companies whose websites are still vulnerable to hacking, according to the Times report.
Hold Security didn't immediately respond to inquiries from The Associated Press.
If there's reason to believe any of your passwords might have been compromised, change them immediately. One of the best things you can do is to make sure your passwords are strong.
Here are seven ways to fortify them:
- Make your password long. The recommended minimum is eight characters, but 14 is better and 25 is better still. Length is the single biggest factor: each added character multiplies the number of guesses an attacker has to make. Some services have character limits on passwords, though.
- Use combinations of letters and numbers, upper and lower case and symbols such as the exclamation mark. Some services won't let you do all of that, but vary it as much as you can. "PaSsWoRd!43" is better than "password43", but not by as much as it looks: both are built on the word "password", and cracking tools try case and symbol variations of common words as a matter of routine.
- Avoid words that are in dictionaries, even if you add numbers and symbols. Cracking programs work through lists of known words and apply common tweaks to each entry. Adding numbers in the middle of a word, as in "pas123swor456d" instead of "password123456", defeats only the laziest of those tweaks. A stronger approach is to think of a sentence and use just the first letter of each word, as in "tqbfjotld" for "the quick brown fox jumps over the lazy dog", and then pad that with more characters to reach a good length.
- Substitute characters, for instance the number zero for the letter O, or a dollar sign for an S. Be aware that cracking tools undo the common substitutions, so "p@$$w0rd" falls almost as fast as "password". Treat substitution as a finishing touch on a password that is already long and unpredictable, not as what makes it strong.
- Avoid easy-to-guess words, even if they aren't in the dictionary. You shouldn't use your name, company name or hometown, for instance. Avoid pets' and relatives' names, too. Likewise, avoid things that can be looked up, such as your birthday or ZIP code. Don't count on disguising them, either: reversing your ZIP code or phone number and inserting it into a string of letters is a transformation cracking tools apply automatically, so leave that data out entirely. As a reminder, you should also avoid "password" as the password, or consecutive keys on the keyboard, such as "1234" or "qwerty."
- Never reuse passwords on other accounts, with two exceptions. Over the years, I've managed to create hundreds of accounts. Many are for one-time use, such as when a newspaper website requires me to register to read the full story. It's OK to use simple passwords and repeat them in those types of situations, as long as the password isn't unlocking features that involve credit cards or posting on a message board. That will let you focus on keeping passwords to the more essential accounts strong.
The other exception is to log in using a centralized sign-on service such as Facebook Connect. Hulu, for instance, gives you the option of using your Facebook username and password instead of creating a separate one for the video site. This technically isn't reusing your password; Hulu is borrowing the log-in system Facebook already has in place. Your Facebook password never reaches Hulu. Facebook merely tells Hulu's computers that it's you. Of course, if you do this, it's even more important to keep your Facebook password secure, since that one account now opens several others.
- Some services such as Gmail even give you the option of requiring a second step beyond your password when you use a particular computer or device for the first time. If you have that feature turned on, the service will send a text message with a six-digit code to your phone when you try to use Gmail from an unrecognized device. You'll need to enter that for access, and then the code expires. It's optional, and it's a pain, but it could save you from grief later on. Someone who has stolen only your password can't get in. The code isn't unbeatable (a text message can be read by someone who hijacks your phone number), but it raises the bar considerably. Turn it on by going to the account's security settings.
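As an added example (not part of the original article, and not any service's own code), here is a Python script that turns the tips above into checks you can run, taking the cracker's point of view: it undoes the common character substitutions and strips embedded or appended digits before looking a candidate up, so "PaSsWoRd!43", "pas123swor456d" and "p@$$w0rd" all collapse back to "password". The word list, keyboard rows and sample personal data are constructed stand-ins (real cracking wordlists hold millions of entries and far richer rule sets); the 14-character minimum is the article's figure.

```python
"""Password checks that implement the tips above (added illustration)."""
import re
import string

# Constructed stand-in for a cracking wordlist; real ones hold millions of entries.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey",
                "football", "sunshine", "princess"}

# Rows of a US keyboard: "qwerty", "asdf" and "1234" are runs along these.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Undo the "substitute characters" tip the way a cracker's rule set does:
# 0->o, $->s and friends are applied before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a", "!": "i"})


def _letters(s):
    """Keep only a-z, so 'pas123swor456d' collapses back to 'password'."""
    return re.sub(r"[^a-z]", "", s.lower())


def looks_like_dictionary_word(pw):
    """True if the password is a known word once embedded digits, appended
    digits/symbols and leet substitutions are reversed."""
    low = pw.lower()
    core = low.strip(string.digits + string.punctuation)   # drop "43", "!" etc.
    candidates = {_letters(low), _letters(low.translate(LEET)),
                  _letters(core.translate(LEET))}
    return any(c in COMMON_WORDS for c in candidates)


def has_keyboard_run(pw, n=4):
    """True if pw contains n adjacent keys from one row, forward or reversed."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            run = row[i:i + n]
            if run in s or run[::-1] in s:
                return True
    return False


def contains_personal_data(pw, personal):
    """True if any personal item (name, ZIP, phone, birthday) appears in pw,
    forward or reversed; numeric items are compared digit-to-digit."""
    low = pw.lower()
    digits = re.sub(r"\D", "", pw)
    for item in personal:
        word = item.lower()
        num = re.sub(r"\D", "", item)
        if len(word) >= 3 and (word in low or word[::-1] in low):
            return True
        if len(num) >= 4 and (num in digits or num[::-1] in digits):
            return True
    return False


def char_classes(pw):
    """Number of the four classes (lower, upper, digit, symbol) present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(ch in cls for ch in pw) for cls in classes)


def check_password(pw, personal=(), min_len=14):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if char_classes(pw) < 3:
        problems.append("uses fewer than three character classes")
    if looks_like_dictionary_word(pw):
        problems.append("is a dictionary word with digits/symbols added")
    if has_keyboard_run(pw):
        problems.append("contains a keyboard run such as qwerty or 1234")
    if contains_personal_data(pw, personal):
        problems.append("contains personal data (name, ZIP, phone, birthday)")
    return problems


def initials_passphrase(sentence):
    """'the quick brown fox jumps over the lazy dog' -> 'tqbfjotld'."""
    return "".join(word[0] for word in sentence.split())


if __name__ == "__main__":
    me = ("Alice", "53202", "414-555-0123")          # constructed personal data
    for candidate in ("password43", "PaSsWoRd!43", "pas123swor456d", "p@$$w0rd",
                      "tqbfjotld", "Tqbf!jotld-20235", "Tqbf!jotld-wk9Xm"):
        print(f"{candidate!r:20} {check_password(candidate, me) or 'OK'}")
```

Note how "Tqbf!jotld-20235" fails only because 20235 is the sample ZIP code reversed, exactly the disguise a rule set strips off, while "Tqbf!jotld-wk9Xm" passes: the sentence-initials core, padded to 16 characters with unrelated symbols and letters, is what the tips add up to.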

Tips & Tricks: Here's how you should create, manage, and store your passwords

So many online accounts, so many passwords. No wonder it's tempting to turn to apps and services that promise to keep track of your passwords. But these password managers are treasure chests for hackers: the vault is only as secret as the master password that unlocks it, so if your master password is compromised, all your accounts potentially go with it.
One such service, LastPass, says it has detected "suspicious activity." Although it says it found no evidence that individual passwords or user accounts were breached, it's advising users to change their LastPass master password.
I advise users instead to rely less on just passwords.
Here are some tips:
All accounts aren't equal
Instead of having to remember dozens of complex passwords, maybe you need to remember only a half-dozen.
Focus on accounts that are really important:
— Bank accounts, of course, along with shopping services with your credit card information stored.
— Don't forget email. Who would want your mundane chatter? Well, email accounts are important because they are gateways for resetting passwords for other services, such as your Amazon account, which an intruder could then use to go on a shopping spree.
— As for social-media accounts and discussion forums, maybe there are some you value more than others. You might not care if someone posts on your behalf to a discussion board offering tech support. But if it's a forum you value, and you've established a reputation under that identity, you might want to prioritize that, too.
For these highly sensitive ones, choose a unique password and remember it. Write it down by hand and keep it in a safe place. If you must store it electronically, use an encrypted, password-protected file kept on your device, not online. And don't name that file "password." Use something boring, like "chores."
Lower priority
For the rest of your accounts, it's not as bad to turn to a password manager, but it might not be necessary.
Web browsers from Apple and Google have built-in mechanisms for storing frequently used passwords. You even have options to sync those online if you use multiple devices. Google's new Smart Lock feature extends that to Android apps, too, so you're not limited to Web browsing.
Many services also let you sign in with your Facebook or other ID instead of generating new passwords each time. Make sure the ID service offers two-step verification, as I'll explain later. Turn that on.
Phones and fingerprints
If you haven't protected your phone with a passcode, tsk tsk! Someone can easily swipe your phone and get to your email account to unlock all sorts of other accounts.
Fortunately, the latest iPhones and Samsung Galaxy phones have fingerprint IDs that make it easier to unlock phones. Instead of typing in the four-digit passcode each time, you can tap your finger on the home button.
Apple now allows other app developers to use that fingerprint ID, too. So you can unlock banking apps with just a tap of your finger. In its upcoming Android update, called M, Google is also promising to make it easier for app makers to incorporate fingerprint ID. And Microsoft plans support for biometrics — such as a fingerprint or iris scan — in the upcoming Windows 10 system.
Double security
Major services including Apple, Google, Facebook, Microsoft and Dropbox offer a second layer of authentication, typically in the form of a numeric code sent as a text message. After you enter your regular password, you type in the code you receive on your phone to verify that it's really you. A hacker who has only your password doesn't have your phone, so the stolen password alone isn't enough.
You need to go into the account settings to turn on this feature, which goes by such names as two-factor authentication or two-step verification.
It's a hassle, but it keeps your accounts safer. Just assume that your password will get compromised at some point. This extra layer will keep most attackers from doing anything with it. It isn't perfect, since text messages can be redirected by someone who takes over your phone number, but it turns a simple password theft into a much harder job.
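The six-digit code step described here, and under the Gmail tip in the first article, seen from the service's side, as an added example that is not the code of Gmail, Apple or any other named service: it issues a random code, checks a submitted code in constant time, lets the code expire, spends it on the first successful use, and caps wrong guesses. That last control matters because a six-digit code has only a million possible values; the guess limit and the expiry, not the code's secrecy in storage, are what make the step hold. The in-memory store, five-minute lifetime, five-guess budget and per-process key are assumptions of this illustration.

```python
"""Server-side one-time code step (added illustration, assumed design)."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime: five minutes, then the code expires
MAX_ATTEMPTS = 5         # assumed guess budget; a 6-digit code has only 10**6 values
# Assumed: a per-process key. A real service would load this from a secrets
# store so that a leaked database table does not reveal pending codes.
SERVER_KEY = secrets.token_bytes(32)


def code_tag(user, code):
    """Keyed hash of (user, code). Binding the user stops a tag captured for
    one account from being replayed against another."""
    return hmac.new(SERVER_KEY, f"{user}:{code}".encode(), hashlib.sha256).digest()


class OneTimeCodes:
    """Issues and verifies the six-digit codes a service texts to a phone.
    Storage is an in-memory dict here (assumption); the fields are what a
    database row would hold."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested
        self._pending = {}             # user -> [tag, expires_at, attempts_left]

    def issue(self, user):
        """Generate a fresh code for user and return it for the SMS sender.
        Any earlier code for the same user is voided."""
        code = f"{secrets.randbelow(10 ** 6):06d}"   # uniform, keeps leading zeros
        self._pending[user] = [code_tag(user, code),
                               self._clock() + CODE_TTL_SECONDS,
                               MAX_ATTEMPTS]
        return code

    def verify(self, user, submitted):
        """True exactly once: for the right code, before it expires, within
        the guess budget. Every other outcome is False."""
        entry = self._pending.get(user)
        if entry is None:
            return False                     # nothing pending, or already spent
        tag, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user]          # expired: a new code must be issued
            return False
        # constant-time comparison so timing does not leak matching prefixes
        if hmac.compare_digest(tag, code_tag(user, submitted)):
            del self._pending[user]          # single use: the code is now spent
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user]          # budget exhausted: force re-issue
        else:
            entry[2] = attempts_left
        return False


if __name__ == "__main__":
    svc = OneTimeCodes()
    code = svc.issue("alice")                # a real service sends this by SMS
    wrong = "000000" if code != "000000" else "000001"
    print("wrong guess accepted:", svc.verify("alice", wrong))
    print("right code accepted:", svc.verify("alice", code))
    print("replay accepted:", svc.verify("alice", code))
```

The same shape, a short random secret with an expiry, a single-use flag and an attempt counter, is what a password-reset link or an email confirmation token needs as well; the token is longer there, but the expiry and single-use rules are what stop an intercepted message from being replayed later.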
Even safer ...
When given a choice, consider signing in with your mobile number rather than your email address. It's much easier to hack into an email account to reset passwords. A phone number can be hijacked too, so this moves the target rather than removes it, but it does take your email account out of the reset path. Of course, you'll have to trust the service not to use your mobile number for marketing. (I don't like to share my mobile number, so in many cases, I still use my email, knowing I have protection with two-step verification turned on.)
Also be careful when creating security questions to reset passwords. Your dog's name? Your first school? These are things someone might find on your social-media page or elsewhere online. I make up answers and make them as strong as my regular passwords, and I keep a record of them in the same safe place as those passwords, since a forgotten answer locks you out just as surely as a forgotten password.