Stolen passwords? I know. Again, I have to change mine, again!

by Wally Moore

on August 15, 2014


Stolen passwords

I like routine and the feeling of ease and convenience that it brings. When it comes to things like car keys, combination locks and passwords, I take them all for granted. Because they’re just that, routine, easy and convenient and always around. I use them and they just work. It’s the same thing every day; blessed routine. I especially like tried and true, well-worn passwords. You probably know the kind I’m talking about, the ones I used for so long that I had them memorized.

This was very helpful in my line of work (IT support for small businesses) and in my personal life as well. Because we use multiple passwords all day long, every day, memorizing passwords was a real time saver.

But do I use car keys all day long? Nope, I only use them once or twice a day. I have lost them, but they don’t change, I just have to remember where the heck I put ‘em. What about the combination lock? How often do I use it? Well, uh, I don’t. I think the one in my junk drawer was for my locker at the gym, maybe. I can’t remember the last time I went to the gym. But that’s not a problem. If I lost it, or it was stolen, no one else could use it either! But passwords are different.

Bad people will steal them and they’ll steal yours if you let them ;)

Passwords are important

With my penchant for the ease and convenience of routine, you can probably imagine (well maybe not) how I felt when I read this story last week: Russian Hackers Amass Over A Billion Internet Passwords. It was published by the New York Times (originally reported on by Hold Security, a research firm that helped track the Adobe and Target breaches last year) about a Russian crime ring that hacked over 1.2 billion (not million) user name and password combinations.

As I read the article I started shaking my head. Then I leaned over my keyboard, planted my face in the palms of both hands and sighed, “You’ve got to be kidding me. Again?! Another major data breach? Didn’t we just do this, people?! I do NOT want to change my passwords AGAIN.”

Your passwords must change

But even with my penchant for the ease and convenience of routine, and certainly not wanting to change any passwords, I am happy to report that yes, as a matter of fact, I do change my passwords. It’s what I have to do. And all too soon it will be time to do it again. And then after that we’ll do it again, because security-conscious people do it on a regular basis. They change passwords.

The reality of Passwords

Regardless of whether the current news about the Russian hackers is hype and myth, or credible and concerning, it’s ALWAYS a good idea to regularly (at least every 3-6 months) change your passwords on any sites that could have important data, such as banking, financial, health care, and social networking, and to never use the same password, or “relatives” of that password (doggie1, doggie2, 2doggie, doggie3) on different sites.

Changing passwords is something you should do anyway, regardless of whether there’s a “current” concern. There is ALWAYS a “current” concern. Remember, these news events typically hit the media weeks or months after the breach has already occurred. Wouldn’t you like to be ahead of the problem, instead of reacting to the problem?

So . . . even though I love routine, and would just as soon continue to use my favorite well-worn passwords in Wally’s world, there is no other alternative. I have to change my passwords. Having my identity stolen causes great concern for me, the company I work for, my family and our way of life. That’s why for some time now I have changed my passwords on a regular basis.

How to create passwords

Perhaps you’re like me?

If that’s the case, take heart and be encouraged. We have six really simple tips on how to create passwords that are secure. Plus it’s easy peasy to do!

The following are the “generally accepted” rules for creating a secure password:

1.   There must be a minimum of one capital letter, one number, and one symbol.

2.   The number and symbol must be neither the first nor the last character (i.e. must be somewhere “in the middle”).

3.   The capital letter must not be the first letter of any word.

4.   The password must be a minimum of 8 characters in length, preferably 9-10.

5.   Must not contain common keyboard patterns, like qwerty or asdfjkl – these are commonly used and easily hacked.

6.   The password is not used anywhere else. No sense making “one great password” and then having your favorite e-mail site’s password list hacked and compromised, only to reveal the password you use for your secure banking sites.


Password1$ - Is NOT secure

pas$sw1oRd – IS secure, even though it uses the identical characters, just with different capitalization.

There’s still only one word, but the security comes from non-standard capitalizations and unusual placements of the symbol and number. Seasoned hackers use tools that easily guess passwords built on common security myths, like putting a “!” at the end of your password.

The passwords we commonly use and recommend are derivations of two words with a symbol, such as siGnal$port4l (“signal portal”) — these are easy to remember (i.e. no one needs to write it on the post-it note stuck under their keyboard), and yet very secure at the same time.
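The six rules above can be written as a small checker and run over the passwords used in this post. This is an added example, not code from the original post. The function names, the `used_elsewhere` list for rule 6 (which also catches “relatives” such as doggie1 and doggie2) and the word-boundary test for rule 3 are assumptions: without a dictionary, a word is taken to start at the first character or right after a number or symbol.

```python
import re

# Keyboard runs named in rule 5 of the post; extend the tuple as needed.
KEYBOARD_PATTERNS = ("qwerty", "asdfjkl")


def skeleton(password):
    """Lower-cased letters only, so doggie1, 2doggie and doggie3 all give 'doggie'."""
    return re.sub(r"[^a-z]", "", password.lower())


def check_password(password, used_elsewhere=()):
    """Return the numbers (1-6) of the rules that the password breaks."""
    broken = []

    # Rule 1: at least one capital letter, one number and one symbol.
    if not (any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password)):
        broken.append(1)

    # Rule 2: no number or symbol as the first or last character.
    if password and not (password[0].isalpha() and password[-1].isalpha()):
        broken.append(2)

    # Rule 3 (assumption): a "word" starts at position 0 or right after a
    # number or symbol, so a capital in either place counts as a first letter.
    if any(c.isupper() and (i == 0 or not password[i - 1].isalpha())
           for i, c in enumerate(password)):
        broken.append(3)

    # Rule 4: minimum of 8 characters.
    if len(password) < 8:
        broken.append(4)

    # Rule 5: no common keyboard patterns.
    if any(p in password.lower() for p in KEYBOARD_PATTERNS):
        broken.append(5)

    # Rule 6: not reused elsewhere, exactly or as a "relative" of another password.
    relatives = {skeleton(p) for p in used_elsewhere} - {""}
    if password in used_elsewhere or skeleton(password) in relatives:
        broken.append(6)

    return broken
```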

Conclusion on passwords

Let’s wrap this up by sharing a sobering quote from the aforementioned New York Times article:

Yet for all the new security mousetraps, data security breaches have only gotten larger, more frequent and more costly. The average total cost of a data breach to a company increased 15 percent this year from last year, to $3.5 million per breach, from $3.1 million, according to a joint study last May, published by the Ponemon Institute, an independent research group, and IBM. 

Last February, Mr. Holden (of Hold Security) also uncovered a database of 360 million records for sale, which were collected from multiple companies.

“The ability to attack is certainly outpacing the ability to defend,” said Lillian Ablon, a security researcher at the RAND Corporation. “We’re constantly playing this cat and mouse game, but ultimately companies just patch and pray.”

Do you need some password help?

The whole process of creating and managing passwords is annoying, but you must change your passwords. There is no alternative. The world is not a safe place.

If you’re the CEO, owner, or manager of a small business and you need a little help with creating and managing passwords, we can assist you. We’re experts in getting a great password-management product onto your systems that will help you keep track of all passwords.

Give us a call if you think about it. We’re always happy to chat!

Dedicated to your success
Wally Moore
dts|infotech   . . . computer networks that work