Monday, September 13, 2010

Why you should use a password with base entropy + complexity

The premise is simple. By now you have an account registered in hundreds of places. Some companies such as Amazon, Google and Microsoft go to great pains to be sure that your information is secure. However, occasionally you find yourself registering with a small, run-of-the-mill eTailer that can't afford an army of security people. Let's assume you registered using the same password that you use for your email and your bank. Now all a hacker needs to do is exploit the weak security of the eTailer to steal your password and email address. Then, using those credentials, he/she logs in to your email account and uses the built-in search utility to find a time that you disclosed your bank account username. Maybe it was a password reset or maybe you emailed it to yourself for "safe-keeping". In some cases, banks use your Social Security number as a username, which is even more dangerous!

No matter, he/she is now armed with your bank account login ID, your email account and your favorite password. Oh wait, doesn't the bank ask a question like "What was your first car?" or "Who do you most admire?" No problem, the hacker can log in to Facebook with your email address and favorite password and look for one of those "100 things you didn't know about me" notes. While it's statistically unlikely to happen, password re-use makes it all too easy. What's more concerning is that many cyber-criminals these days aren't very technical; they literally buy the hacking software they are going to use. This means mass-production!

Here's an idea. Use a complex base password: something with numbers, letters and a special character or two. Say it's six characters like: i2!@bh. You can remember that, right? It's only six characters! Then complicate the rest of the password with something that reminds you of the site you're visiting. For example, 12!@bhamazonia for your Amazon account and 12!#bhgoogoo for your Google account. You get the idea. Just don't re-use the same password.
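To make the "base + site hint" idea concrete, here is a small added example (my own code, not part of the original post) that builds per-site passwords the way the post describes and puts a rough number on the entropy involved. The base password i2!@bh is the post's; the site names and the simple "site name as suffix" rule are assumptions for illustration. The brute-force figure treats every character as unknown; the second estimate shows what is left if an attacker already knows the scheme and can guess the suffix from the site, which is the caveat a practitioner would want to keep in mind.

```python
import math
import string

# Constructed sample data: the base password from the post plus a few site hints.
BASE_PASSWORD = "i2!@bh"
SITES = ["amazon", "google", "smalletailer"]


def site_password(base: str, site_hint: str) -> str:
    """Build a per-site password following the post's scheme: a fixed,
    complex base followed by a memorable, site-specific suffix.
    (Assumed rule: the suffix is the bare site hint; the post itself
    uses freer variants such as 'amazonia'.)"""
    return base + site_hint


def character_pool(pw: str) -> int:
    """Size of the alphabet an attacker must assume, based on which
    character classes actually appear in the password."""
    pool = 0
    if any(c in string.ascii_lowercase for c in pw):
        pool += len(string.ascii_lowercase)   # 26
    if any(c in string.ascii_uppercase for c in pw):
        pool += len(string.ascii_uppercase)   # 26
    if any(c in string.digits for c in pw):
        pool += len(string.digits)            # 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)       # 32
    return pool


def brute_force_bits(pw: str) -> float:
    """Optimistic entropy estimate, log2(pool ** length): assumes the
    attacker knows nothing about how the password was constructed."""
    return len(pw) * math.log2(character_pool(pw))


def known_scheme_bits(base: str, site_hint: str) -> float:
    """Pessimistic estimate: if the attacker knows the 'base + site hint'
    scheme and can guess the hint from the site, only the base is
    unknown, so the full password is no stronger than the base alone."""
    del site_hint  # the suffix contributes nothing once it is guessable
    return brute_force_bits(base)


def all_distinct(base: str, sites: list) -> bool:
    """The post's core rule: no two sites may end up with the same password."""
    pws = [site_password(base, s) for s in sites]
    return len(set(pws)) == len(pws)


if __name__ == "__main__":
    for site in SITES:
        pw = site_password(BASE_PASSWORD, site)
        print(f"{site:>13}: {pw:<22} "
              f"brute-force {brute_force_bits(pw):5.1f} bits, "
              f"scheme known {known_scheme_bits(BASE_PASSWORD, site):5.1f} bits")
    print("all site passwords distinct:", all_distinct(BASE_PASSWORD, SITES))
```

The gap between the two estimates is the point: the long, site-flavored tail looks strong to a generic cracker, but once one site leaks a password built this way, the base is exposed and the rest of the suffix is easy to infer. The base is therefore what carries the real entropy, and the six-character example above sits in the mid-30-bit range by the optimistic measure.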

Good luck, and use safe-surfing practices!