HUNTSVILLE, Ala. (WHNT) – This week we learned a Russian crime ring stole 1.2 billion username and password combinations. The hack is the largest of its kind and is raising new awareness of the vulnerabilities of the web.
Experts tell CBS News and the Associated Press there are a number of things consumers can do.
The first priority? “Change all passwords immediately,” advises Adam Levin, chairman of identity theft protection and remediation firm IDT911.
Here are some tips, courtesy of CBSNews.com and the AP, for crafting the best possible passwords going forward:
- Make your password long. The recommended minimum is eight characters, but 14 is better and 25 is even better than that. Some services have character limits on passwords, though.
- Use combinations of letters and numbers, upper and lower case and symbols such as the exclamation mark, if the site allows. “PaSsWoRd!43” is far better than “password43” — although increasingly sophisticated hackers may still be able to crack it.
- Substitute characters. For instance, use the number zero instead of the letter O, or replace the S with a dollar sign.
- Avoid words that are in dictionaries; there are programs that can crack passwords by going through databases of known words. One trick is to add numbers in the middle of a word — as in “pas123swor456d” instead of “password123456.” Another is to think of a sentence or phrase and use just the first letter of each word — as in “tqbfjotld” for “the quick brown fox jumps over the lazy dog.”
- Avoid easy-to-guess words, even if they aren’t in the dictionary. Don’t use your name, company name, hometown, or pets’ or relatives’ names. Likewise, avoid things that can be looked up, such as your birthday or ZIP code.
- Never reuse passwords on multiple accounts — with two exceptions. If the password is for one-time use, such as when a newspaper website requires you to register to read the full story, it’s okay to reuse simple passwords. Just make sure the password isn’t unlocking features that involve credit cards or posting on a message board. The other exception is to log in using a centralized sign-on service such as Facebook Connect. Hulu, for instance, gives you the option of using your Facebook username and password instead of creating a separate one for the video site. This technically isn’t reusing your password, but a matter of Hulu borrowing the log-in system Facebook already has in place. The account information isn’t stored with Hulu. Facebook merely tells Hulu’s computers that it’s you. Of course, if you do this, it’s even more important to keep your Facebook password secure.
- Use two-step verification. Some services such as Gmail offer this option, in which the service sends a text message with a six-digit code to your phone when you try to log in from an unrecognized device. You’ll need to enter the code for access before it expires. Hackers won’t be able to access the account if they don’t have your phone. Turn on this feature in Gmail by going to the account’s security settings.
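As an added illustration (not part of the WHNT/CBS/AP report), the checker below applies the tips listed above to a candidate password and shows why length matters most: it scores the brute-force search space for the article's own examples. The tiny word list is a constructed stand-in for the dictionaries crackers use.

```python
import math
import string

# Constructed stand-in for the word lists the article warns about;
# a real checker would load a full dictionary file.
DICTIONARY_WORDS = {"password", "welcome", "letmein", "monkey", "dragon"}

def first_letters(phrase: str) -> str:
    """The article's mnemonic trick: first letter of each word in a phrase."""
    return "".join(word[0] for word in phrase.split())

def charset_size(password: str) -> int:
    """Size of the smallest character set that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size

def search_space_bits(password: str) -> float:
    """log2 of the brute-force search space: length * log2(charset)."""
    return len(password) * math.log2(charset_size(password))

def check_password(password: str) -> list[str]:
    """Return the tips this password fails; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than the 8-character minimum")
    elif len(password) < 14:
        problems.append("under 14 characters; longer is better")
    classes = sum(
        any(pred(c) for c in password)
        for pred in (str.islower, str.isupper, str.isdigit,
                     lambda c: c in string.punctuation)
    )
    if classes < 3:
        problems.append("mix upper/lower case, digits and symbols")
    if any(word in password.lower() for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    return problems

if __name__ == "__main__":
    for pw in ("password43", "PaSsWoRd!43", "pas123swor456d", "tqbfjotld"):
        print(f"{pw:16} {search_space_bits(pw):5.1f} bits  {check_password(pw)}")
```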