The recent exploits of various hackers in publishing passwords and user lists from Yahoo, Formspring, LinkedIn and others show that the biggest weakness isn’t having the right security technology, but you as a user! While certainly these sites could have done a better job of securing user data, at the heart of these breaches is a glaring lesson that we all can learn: it is time to develop a better password policy and stop reusing passwords across your various online logins.
It isn’t any mystery why password reuse runs rampant these days. We all have far too many login IDs to keep track of, and the easiest solution is to just reuse the same one (or a limited collection) over and over again. But this makes hacking into your online information child’s play: if someone can uncover the password from one place, they can run it through an automated routine and try dozens of other sites to see if you reused it. This is indeed what many hackers have begun doing, once they have confirmed one site’s credentials for your login.
And while IT managers can lock down their own email, database and Web servers with various internal policies, that doesn’t help matters if you reuse the same passwords (or even email addresses, as was discovered with the Yahoo hack) on online sites for your personal e-shopping and electronic banking. All it takes to gain access to your own network is to find an online site with weak password security and then count on someone having reused the same password elsewhere.
A recent Washington Post poll found that 16% of all Internet users regularly reuse their passwords. It is time to stop this practice, and understand the dangers of password reuse. As Google says, “When you use the same password across the Web, a cyber criminal can learn the password from a less secure site and then use that password to compromise your important accounts.” The search giant has lots of great recommendations on personal password use on its UK blog.
Recently, one blog jokingly posted that children are being warned that the name of their first pet should contain at least eight characters and a digit. There is some truth to that, as many of us use our pet names in our passwords.
While it is easier said than done, you need to limit the reuse of passwords and avoid using common words. Make sure that your passwords contain a mixture of upper- and lower-case letters, and include at least one number. (Or at least add these things to your pet’s name.) And if you are responsible for your IT operations, please enforce minimum complexity standards and educate your end users about the dangers of password reuse.
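As an added example (not from this article), here is a small policy check that enforces the rules recommended above: a minimum length, mixed-case letters, at least one digit, and rejection of a common word or pet name that has merely been padded with a capital, a digit or a symbol. The denylist and the minimum length of 8 are assumptions chosen for illustration.

```python
import re
from typing import List

# Constructed denylist of common words and pet names; a real deployment
# would load a far larger list (e.g. from a breached-password corpus).
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "fluffy", "buddy")

MIN_LENGTH = 8  # assumed policy value


def check_password(candidate: str, min_length: int = MIN_LENGTH) -> List[str]:
    """Return the list of policy violations for a candidate password.

    An empty list means the candidate satisfies the policy.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    # Strip everything but letters so that 'Fluffy1!' is judged as 'fluffy':
    # a common word dressed up with a capital, a digit and a symbol still fails.
    letters_only = re.sub(r"[^a-z]", "", candidate.lower())
    if letters_only in COMMON_WORDS:
        problems.append("common word with padding: %r" % letters_only)
    return problems


def is_acceptable(candidate: str) -> bool:
    """True when the candidate passes every rule in check_password."""
    return not check_password(candidate)


if __name__ == "__main__":
    for pw in ("Fluffy1", "Welcome2024!", "correcthorse", "Fj7-kqLm2p"):
        print(pw, "->", check_password(pw) or "accepted")
```

A denylist cannot see whether the same password is used on other sites, so this check complements, rather than replaces, the education about reuse the article calls for.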