As it turns out, the reported leaking of 5 million Gmail accounts and their passwords last week wasn’t caused by a Google system breach. It is now thought that the passwords were probably obtained through malicious programs on end user machines, as well as successful hacks into other services with the same credentials as Gmail. Whatever the cause, it is clear that we have seen a significant number of hacks in recent months causing much annoyance to the users of those services.
Such a security breach or password dump is often followed by a mad rush to change one's password for the affected site (and any other services using the same details), coupled with the worry of whether information has actually been taken and whether you've forgotten to update a particular service.
If anything is to be learnt from such events, it’s that large companies and established names are still vulnerable. It’s a daunting prospect and some might say, a hazard of the information technology age that we have to accept. And, whilst I do agree in part, I’d also like to share some ‘top tips’ on how to reduce the chance of your details being leaked, or at least, how to limit the damage should you become a victim.
Many websites now offer what is known as two-step verification or One-time Password (OTP). It involves installing an application such as Google Authenticator onto a smartphone. You sync the application with your required service, e.g. Gmail, and the application generates a new password every 60 seconds. Now, when you try to log into Gmail, as well as your usual password, you will also be asked for your OTP. This means a hacker will need to know both in order to access your account; even if your computer or the service's password database is compromised, they still lack the second piece of information needed to get in. I highly recommend enabling this on any service that offers it.
Different password for each service
The logic behind it is fairly simple: if you have a different password for each account that you use, should one get hacked, you only have to change the compromised password. This is not just protection against a particular service being hacked, but protection against malicious services themselves. The majority of websites offer you the chance to create an account with them; can you be sure they will not attempt to log into other services using the same credentials?
Use a complex password
We use passwords to secure confidential systems and accounts, yet we mostly choose a password that is not complex at all. It is often a trade-off between something obscure enough that others are unlikely to guess it, but simple enough for us to be able to remember. This may stop the average colleague from guessing our details, but in reality it will not stop someone with any real intent. Rather than sitting at a computer trying to guess your password, they will use a piece of software that can guess hundreds of thousands of passwords in a second. This allows them to easily crack short passwords, even if capitals and special characters are used. With a database in their possession, hackers have plenty of time to deploy all manner of attacks, but by choosing a complex password, you can go from a password that takes days to hack to one that would take years. It often helps to think of a phrase and then use the first letter of each word in that phrase to make a password. For example, ‘My first child was born at King George Hospital on 19/08’ would be [email protected]/08. As you can see in the example given, this password would be difficult for anyone to guess but relatively easy for its creator to remember; it would also take a sophisticated password cracking machine many years to crack.
Whilst it can be difficult remembering a complex and unique password for every service you use, there are some great utility programs out there that can help you manage multiple passwords. In fact, Steve touched on a couple of these in a previous blog on useful utility programs, which I plan to review in my next article, comparing their features and security.
Finally, I would like to point out that Google were actively monitoring the internet for password breaches, testing the authenticity and locking down the accounts of those who were legitimately affected.
Priority One – IT Security