Untitled Document
Advertisement Click to advertise with us!

1.2 Billion Passwords Hacked and YOU


Brassica Oleracea
Staff member
First, the story. From USA Today.

I had someone ask me, because I do computer security, what to do about passwords. Here's a small primer.

* If you have a password that's under 12 characters long, it's too easy to crack. Change it.
I've had a few computers come to me, at work, where I need to find out what the password actually was. Resetting the local administrator password on Mac/Windows/Linux is ludicrously easy. Finding out what the password is can be more difficult. I use software that uses something called a "Rainbow Table" to crack these passwords. Short passwords are recovered in a few minutes.

* Don't use the same password for "social" websites that you use for your bank or other financial institution.
If I've successfully cracked the Woodwind Forum's password tables, the first thing I'd do is take that e-mail address and password and try it at a credit card company. Don't use your work password at home (or vice-versa), either.

* Use a password keeper and use that to generate your passwords.
At Gandalfe's suggestion, I started testing a program called LastPass about two years ago. Since then, I've seen other techs in my company use it and I'm really quite happy with how it works. It's not perfect -- it doesn't like entering the proper username and password on some websites -- but it's recommended. I just wish it'd work on everything, not just websites.

* Remember that your e-mail account is where you recover passwords. Reset these passwords monthly.
Almost every website I enter a password into has a way to reset your password: they e-mail you at the address you signed up with.

* For my sake, practice safe browsing.
I typically deal with malware and viruses where I work. An overwhelming majority of these problems come from people going to websites they shouldn't or clicking on links in e-mails that they shouldn't. Especially don't go to someplace other than the manufacturer to download software. If you need Adobe Flash Player or an update, go to www.adobe.com, not www.peteshouseofmalware.com. There are fake installers out there for just about every one of those little plug-in programs.

* Install some good antimalware and antivirus software and use it.
The best Windows products out there are free for personal use: Microsoft's Security Essentials and Malwarebytes' Anti-Malware. For Mac, Sophos is very good and also free for home use. I no longer tell folks that if they have a Mac, they're probably fine. Get Sophos. Really. And do quick scans with all this stuff at least weekly and full scans monthly.

* Don't be stupid.
I've come across lots of users that have a document on their computer called something like, "My secret list of passwords," and that document isn't even encrypted -- not that it wouldn't be easy to crack (see above).


Admin and all around good guy.
Staff member
This is really good and I will be pointing a lot of people to this write-up. Thanks Pete!

One article I read said changing your password on a site that can be hacked is an exercise in futility until the site gets updated. I am still waiting for the list of sites that got hacked so I can close my account on those.


Brassica Oleracea
Staff member
I think it's somewhat unlikely that we'll ever get a full list. I also agree with some of the pundits that are saying that if these passwords were for financial institutions, we'd hear something like, "The First National Bank of Pete was hacked." Unless, of course, the hackers just take a little off the top of multiple accounts in multiple places. Even a couple cents.

Cruising the web, I see that the e-mail addresses were sold/are being sold to spammers. I'm not terribly worried about more spam in my e-mail.

I read, someplace else, that a lot of these hacks were done through vulnerabilities allowing SQL injection ("A security hole where someone can put in some commands to make your server do bad things"). That's essentially what happened with us, a few months back. I'd hope that folks like, say, Amazon, have installed all the latest updates to prevent that kind of attack. Based on this attack type, it makes me more confident that the attack targeted more small operations -- like us -- rather than someplace huge, like the First National Bank of Pete. However, nobody's seen a list of who's been hacked, yet, so it's all speculation.