Monday, December 20, 2010
(F) More on Passwords for websites
The recent Gawker password and account breach shows us that all these 'cloud' service sites like Gizmodo and Gawker Blog comment sites expose us if or when their security fails. Many websites like Gawker/Gizmodo where you have to register to leave a comment and be notified when someone comments on the same thread you did, leaves us with the question:
'How do we structure our passwords for the InterWebings'?
Users of the no longer optional Internet must have a set of rules that will allow you to use the Internet safely and able to withstand a major breach where our email address, which is our Internet login for most websites, along with our password has structure and rules we apply to keep us safe and isolate types of websites from others. If a breach occurs, like Gawker showed us, many other cloud sites like Facebook, Twitter, LinkedIn, Yahoo and others locked all the accounts from the Gawker breach that match their users.
Why? Because too many of us use the same password for sites like Gawker for other sites like Facebook, Twitter and even our Banking. If you are one of these users, who have one password for every type of website, you ARE at extreme risk of getting your access compromised on other websites when a breach like Gawker occurs and why many websites locked your account if the emails used matched the Gawker breach list.
With this in mind... Let's craft some recommendations.
1. Create a formula for at least four (4) passwords for types of websites.
2. Use some type of password manager solution
3. Optimally use a password manager that you can use random passwords for eve website.
Four password formula:
Using of course a terrible example to make it easy to understand, let's say your password is, well 'password', something you should never use, but will work for the example. Minimum length is 8, the best length is 12 or more.
Password - easy for blogs and things you just don't care if it got breached
Passw0rd - you care a little more or some sites require 3 out of 4 items (upper, lower, number, special), not long enough
P@55w0rd - more secure using all items, but not long enough to be secure, use for Facebook or Twitter
S3(urep@55w0rd - Secure password as it is long and uses all items. Use this for financials or setup SuperGenPass or LastPass to generate one for you.
Of course having a different password for each website is best which you can get with SuperGenPass and LastPass that can generate a unique password for each website and all you have to remember is your long pass phrase instead of a bunch of passwords that are probably not that secure.
I recommend SuperGenPass and LastPass for truly secure, random and easy to remember passwords. Not to mention if a site got Gawked, LastPass let's me change the password quickly.