Choosing the password is only the first step; you've got to remember it. Experts caution that your password should be something that you can remember but, not too easy for others to figure out. And they also warn agains writing passowrds down. I admit that I, like many others, have my computer save some passowords by setting my browser to autofill. I fear the day when my computer goes down and everything is lost forever.
Some people turn to software called password managers to store their passwords. Password Safe, is a free, open-source Windows utility created that protects the passwords in one spot using strong encryption. You just need to remember one password to open it up. But you have to be using the computer on which it's stored to use it.
LogOnce Toolbar, is a free password manager plug-in for Internet Explorer that stores the information locally or on a remote server and lets you access the passwords from different computers.
Tip to choosing your passwords.
What makes a strong password
To an attacker, a strong password should appear to be a random string of characters. The following criteria suggested by Microsoft, can help your passwords do so:
- Make it lengthy. Each character that you add to your password increases the protection that it provides many times over. Your passwords should be 8 or more characters in length; 14 characters or longer is ideal.
- Combine letters, numbers, and symbols. The greater variety of characters that you have in your password, the harder it is to guess.
- Use words and phrases that are easy for you to remember, but difficult for others to guess. The easiest way to remember your passwords and pass phrases is to write them down. Contrary to popular belief, there is nothing wrong with writing passwords down, but they need to be adequately protected in order to remain secure and effective.
In general, passwords written on a piece of paper are more difficult to compromise across the Internet than a password manager, Web site, or other software-based storage tool, such as password managers.
Password strategies to avoid
Some common methods used to create passwords are easy to guess by criminals. To avoid weak, easy-to-guess passwords:
| • | Avoid sequences or repeated characters. "12345678," "222222," "abcdefg," or adjacent letters on your keyboard do not help make secure passwords. |
| • | Avoid using only look-alike substitutions of numbers or symbols. Criminals and other malicious users who know enough to try and crack your password will not be fooled by common look-alike replacements, such as to replace an 'i' with a '1' or an 'a' with '@' as in "M1cr0$0ft" or "P@ssw0rd". But these substitutions can be effective when combined with other measures, such as length, misspellings, or variations in case, to improve the strength of your password. |
| • | Avoid your login name. Any part of your name, birthday, social security number, or similar information for your loved ones constitutes a bad password choice. This is one of the first things criminals will try. |
| • | Avoid dictionary words in any language. Criminals use sophisticated tools that can rapidly guess passwords that are based on words in multiple dictionaries, including words spelled backwards, common misspellings, and substitutions. This includes all sorts of profanity and any word you would not say in front of your children. |
| • | Use more than one password everywhere. If any one of the computers or online systems using this password is compromised, all of your other information protected by that password should be considered compromised as well. It is critical to use different passwords for different systems. |
| • | Avoid using online storage. If malicious users find these passwords stored online or on a networked computer, they have access to all your information. |
The "blank password" option
A blank password (no password at all) on your account is more secure than a weak password such as "1234". Criminals can easily guess a simplistic password, but on computers using Windows XP, an account without a password cannot be accessed remotely by means such as a network or the Internet. (This option is not available for Microsoft Windows 2000, Windows Me, or earlier versions) You can choose to use a blank password on your computer account if these criteria are met:
| • | You only have one computer or you have several computers but you do not need to access information on one computer from another one |
| • | The computer is physically secure (you trust everyone who has physical access to the computer) |
The use of a blank password is not always a good idea. For example, a laptop computer that you take with you is probably not physically secure, so on those you should have a strong password.
Keep your passwords secret
Treat your passwords and pass phrases with as much care as the information that they protect.
| • | Don't reveal them to others. |
| • | Protect any recorded passwords. |
| • | Never provide your password over e-mail or based on an e-mail request. Learn more about phishing scams and how to deal with online fraud. |
| • | Change your passwords regularly. |
| • | Do not type passwords on computers that you do not control. Criminals can purchase keystroke logging devices for very little money and they take only a few moments to install. These devices let malicious users harvest all the information typed on a computer from across the Internet—your passwords and pass phrases are worth as much as the information that they protect. |
What to do if your password is stolen
Be sure to monitor all the information you protect with your passwords, such as your monthly financial statements, credit reports, online shopping accounts, and so on. Strong, memorable passwords can help protect you against fraud and identity theft, but there are no guarantees. No matter how strong your password is, if someone breaks into the system that stores it, they will have your password. If you notice any suspicious activity that could indicate that someone has accessed your information, notify authorities as quickly as you can. Get more information on what to do if you think your identity has been stolen or you've been similarly defrauded.
If criminals or other malicious users steal this information, they can use your name to open new credit card accounts, apply for a mortgage, or pose as you in online transactions. In many cases you would not notice these attacks until it was too late.
Example from the FBI and the Department of Justice of one Prosecuted Password Theif
In the first prosecution of its kind in the nation, a well-known member of the “botnet underground” was charged today with using “botnets” – armies of compromised computers – to steal the identities of victims across the country by extracting information from their personal computers and wiretapping their communications. installing malicious computer code, or “malware,” that acted as a wiretap on compromised computers. Because the users of those compromised computers were unaware that their computers had been turned into “zombies,” they continued to use their computers to engage in commercial activities. the defendant used the malware, which he called a “spybot,” to intercept electronic communications being sent over the Internet from those zombie computers to www.paypal.com and other websites. Once in possession of those intercepted communications, the defendant and the others sifted through the data to mine usernames and passwords. With Paypal usernames and passwords, the defendant and the others accessed bank accounts to make purchases without the consent of the true owners.the defendant also acknowledged in the plea agreement that he transferred both the wiretapped communications and the stolen Paypal information to others. It is the first time in the nation that someone has been charged under the federal wiretap statute for conduct related to botnets. In another scheme,the defendant installed malware on zombie computers running Microsoft operating systems, causing them to disgorge usernames and passwords from a secure storage area known as the PStore. the defendant and his co-schemers caused the zombie computers to send that account access information to computers that the defendant and his co-schemers controlled. Once again, the defendant located Paypal usernames and passwords among this data and used that authentication information to access victim bank accounts.
Finally, the defendant acknowledged defrauding an Internet advertising company with his botnets. the defendant signed up as a consultant with a Dutch Internet advertising company and promised to install the company’s programs on computers only when the owners gave consent. Instead, Schiefer and two co-schemers installed that program on approximately 150,000 computers that were infected with their malware. To avoid detection by the advertising company, Schiefer instructed his associates to moderate the number of installations so it appeared that the installations were legitimate and not the result of a malicious computer program that was propagating itself. the defendant was ultimately paid more than $19,128.35 by the advertising company.
0 comments:
Post a Comment