We use them every day, and they’re crucially important — yet, far too often we’re lazy and careless about them. Passwords, and the importance of keeping them secure, are once again in the news after word emerged Wednesday of a data breach that put more than 272 million passwords and account credentials at risk.
Milwaukee-based cybersecurity firm Hold Security reported that a Russian hacker had offered a tranche of 1.17 billion credentials for about $1, because the cybercriminal was more interested in the notoriety that the theft of the cache would bring in the hacker community. The passwords and usernames belonged to accounts from Russia’s largest e-mail provider, Mail.Ru, as well as to Gmail, Yahoo Mail and Microsoft Hotmail.
As it turned out, only about 272 million of the credentials were unique and only 42 million were credentials that Hold Security had not previously encountered. In addition, none of the passwords was encrypted. Hold Security eventually concluded that the credentials were probably gathered from older data breaches and were meant to be sold cheaply to lower-level hackers and spammers.
Don’t Reuse Passwords
But even though the hack didn’t turn out to be as disastrous as it could have been, IT security professionals still used the occasion to preach the importance of carefully managing user passwords.
Tyler Reguly, manager of security research at data security firm Tripwire, told us that one key step is to avoid reusing the same password between services — such as using the same password to access a bank account that’s used for an e-mail service.
“Often, when we see lists like this published, they are compiled from other data breaches and taken from other stolen password lists but marketed as credentials for the service associated with the e-mail address,” said Reguly. “If you avoid reusing passwords, you can quickly identify which service provided the password and [whether] there’s any risk to your other accounts.”
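The point Reguly makes can be checked mechanically against one's own password store. The script below is an added example, not code from the article or from Tripwire: it takes a constructed vault (service to password) and a constructed set of passwords reported as exposed, flags reuse, and shows which services each exposed password actually unlocks.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault: service -> password. Not real credentials.
VAULT = {
    "mail.example": "correct horse battery staple",
    "bank.example": "correct horse battery staple",   # reused from the mail account
    "shop.example": "Tr0ub4dor&3",
    "forum.example": "zebra-crimson-42-lantern",
}

# Constructed sample: passwords a breach notification told us were exposed.
EXPOSED = {"correct horse battery staple", "zebra-crimson-42-lantern"}


def _fingerprint(password: str) -> str:
    """Hash so the comparison never keeps plaintext in the grouping keys."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def find_reused(vault: dict[str, str]) -> dict[str, list[str]]:
    """Return password -> sorted services for every password used by 2+ services."""
    by_hash: dict[str, list[str]] = defaultdict(list)
    plaintext_for: dict[str, str] = {}
    for service, password in vault.items():
        fp = _fingerprint(password)
        by_hash[fp].append(service)
        plaintext_for[fp] = password
    return {plaintext_for[fp]: sorted(svcs)
            for fp, svcs in by_hash.items() if len(svcs) > 1}


def services_at_risk(vault: dict[str, str], exposed: set[str]) -> dict[str, list[str]]:
    """For each exposed password, list the services it unlocks.

    With unique passwords each exposed value maps to exactly one service, so the
    origin of the leak is obvious; with reuse, every sharing service is at risk.
    """
    exposed_hashes = {_fingerprint(p): p for p in exposed}
    hits: dict[str, list[str]] = defaultdict(list)
    for service, password in vault.items():
        fp = _fingerprint(password)
        if fp in exposed_hashes:
            hits[exposed_hashes[fp]].append(service)
    return {pw: sorted(svcs) for pw, svcs in hits.items()}


if __name__ == "__main__":
    print("reused:", find_reused(VAULT))
    print("at risk:", services_at_risk(VAULT, EXPOSED))
```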
Hackers often use stolen e-mail information to trick users into handing over further details such as birthdates, credit card numbers and bank account numbers. In 2014, cybercriminals stole $16 billion from nearly 13 million consumers.
Change Passwords Often
Passwords should be changed regularly, perhaps even once a month, according to security experts. They also advise that users not use the names of their children or pets as passwords, since that type of information can be easily found on Facebook and other online outlets.
Craig Young, a security researcher also with Tripwire, told us that users should change their passwords frequently and take advantage of two-factor authentication, which requires a user to input a separate verification code from a device separate from the one where the password was entered. “Even slight changes within a password are an effective tool at safeguarding your data when there is a massive breach,” said Young.
Employing unusual combinations of letters, numbers and characters can also be a good way to create a password that’s harder to crack. And mixing languages or even running together song lyrics can deter hacking programs.