1.2 Billion Passwords Hacked and YOU

pete

First, the story. From USA Today.

I had someone ask me, because I do computer security, what to do about passwords. Here's a small primer.

* If you have a password that's under 12 characters long, it's too easy to crack. Change it.
I've had a few computers come to me, at work, where I need to find out what the password actually was. Resetting the local administrator password on Mac/Windows/Linux is ludicrously easy. Finding out what the password is can be more difficult. I use software that uses something called a "Rainbow Table" to crack these passwords. Short passwords are recovered in a few minutes.

* Don't use the same password for "social" websites that you use for your bank or other financial institution.
If I've successfully cracked the Woodwind Forum's password tables, the first thing I'd do is take that e-mail address and password and try it at a credit card company. Don't use your work password at home (or vice-versa), either.

* Use a password keeper and use that to generate your passwords.
At Gandalfe's suggestion, I started testing a program called LastPass about two years ago. Since then, I've seen other techs in my company use it and I'm really quite happy with how it works. It's not perfect -- it doesn't like entering the proper username and password on some websites -- but it's recommended. I just wish it'd work on everything, not just websites.

* Remember that your e-mail account is where you recover passwords. Reset these passwords monthly.
Almost every website I enter a password into has a way to reset your password: they e-mail you at the address you signed up with.

* For my sake, practice safe browsing.
I typically deal with malware and viruses where I work. An overwhelming majority of these problems come from people going to websites they shouldn't or clicking on links in e-mails that they shouldn't. Especially don't go to someplace other than the manufacturer to download software. If you need Adobe Flash Player or an update, go to www.adobe.com, not www.peteshouseofmalware.com. There are fake installers out there for just about every one of those little plug-in programs.

* Install some good antimalware and antivirus software and use it.
The best Windows products out there are free for personal use: Microsoft's Security Essentials and Malwarebytes' Anti-Malware. For Mac, Sophos is very good and also free for home use. I no longer tell folks that if they have a Mac, they're probably fine. Get Sophos. Really. And do quick scans with all this stuff at least weekly and full scans monthly.

* Don't be stupid.
I've come across lots of users that have a document on their computer called something like, "My secret list of passwords," and that document isn't even encrypted -- not that it wouldn't be easy to crack (see above).
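As an added example (not from Pete's post), a short Python demonstration of the precomputed-table point above: against unsalted fast hashes, a table built once recovers every short password it covers instantly, while a per-user random salt plus a slow key-derivation function makes that precomputation worthless. The alphabet, the three-character limit and the "leaked" hash are constructed toy values so the demo runs in a second.

```python
"""Added example: why short, unsalted password hashes fall to precomputed
tables, and why salting plus a slow KDF defeats them. Toy parameters only."""
import hashlib
import hmac
import itertools
import os
import string

ALPHABET = string.ascii_lowercase   # constructed toy alphabet
MAX_LEN = 3                         # constructed toy length; real tables go far higher
ITERATIONS = 200_000                # PBKDF2 work factor (assumed value)


def keyspace(alphabet_size, max_len):
    """Number of candidates up to max_len; shows how length drives cost."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def build_table(alphabet=ALPHABET, max_len=MAX_LEN):
    """Precompute hash -> plaintext for every candidate up to max_len.
    A rainbow table compresses this with reduction chains, but the property
    that matters to a defender is the same: the work is done once, before any
    victim's hash is seen, so it only pays off when hashes are unsalted."""
    table = {}
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            pw = "".join(combo)
            table[hashlib.md5(pw.encode()).hexdigest()] = pw
    return table


def lookup_unsalted(table, md5_hex):
    """Cracking an unsalted hash is a dictionary lookup, not computation."""
    return table.get(md5_hex)


def hash_salted(password, salt=None, iterations=ITERATIONS):
    """Store (salt, derived key); a fresh random salt per user."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_salted(password, salt, expected, iterations=ITERATIONS):
    _, dk = hash_salted(password, salt, iterations)
    return hmac.compare_digest(dk, expected)   # constant-time comparison


def demo():
    table = build_table()
    leaked = hashlib.md5(b"cat").hexdigest()       # constructed "leaked" unsalted hash
    recovered = lookup_unsalted(table, leaked)     # -> "cat", instantly
    salt, stored = hash_salted("cat")
    # No table built ahead of time contains a value that depends on a random salt.
    return recovered, stored.hex() in table, verify_salted("cat", salt, stored)
```

`keyspace(26, 3)` is 18,278 candidates, which is why the toy table is instant; the same function at realistic alphabets and lengths shows how quickly the precomputation cost grows with each added character.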
 
This is really good and I will be pointing a lot of people to this write-up. Thanks Pete!

One article I read said changing your password on a site that can be hacked is an exercise in futility until the site gets updated. I am still waiting for the list of sites that got hacked so I can close my account on those.
 
I think it's somewhat unlikely that we'll ever get a full list. I also agree with some of the pundits that are saying that if these passwords were for financial institutions, we'd hear something like, "The First National Bank of Pete was hacked." Unless, of course, the hackers just take a little off the top of multiple accounts in multiple places. Even a couple cents.

Cruising the web, I see that the e-mail addresses were sold/are being sold to spammers. I'm not terribly worried about more spam in my e-mail.

I read, someplace else, that a lot of these hacks were done through vulnerabilities allowing SQL injection ("A security hole where someone can put in some commands to make your server do bad things"). That's essentially what happened with us, a few months back. I'd hope that folks like, say, Amazon, have installed all the latest updates to prevent that kind of attack. Based on this attack type, it makes me more confident that the attack targeted more small operations -- like us -- rather than someplace huge, like the First National Bank of Pete. However, nobody's seen a list of who's been hacked, yet, so it's all speculation.
 