Recently I’ve seen unsolicited spam e-mails coming directly from other people’s e-mail and social networking accounts. They’ll often post messages afterwards claiming that their accounts have been hacked. I’ll usually ask these friends, “Do you use the same password on multiple websites?” and the ensuing “Yes” response from them is followed by, “Change your e-mail password, and also, you need to learn something about password security.”
If your e-mail or social networking (Twitter, Facebook, et cetera) account is sending out unsolicited messages on your behalf, it is unlikely that your account has been hacked and much more likely that either your password has been scraped or that you’ve granted a malicious third-party service or application access to it. If neither of these has occurred, then there is a possibility that your account has indeed been compromised using some type of exploit, but this typically is not the case.
How can someone gain access to your e-mail account without knowing your password? Have you ever signed up for a new website or service you wanted to try out? Did you give them your e-mail address during registration? Did you use the same password you used for your e-mail account?
Newer websites and services that haven’t earned broad trust may be scraping your passwords during registration and testing them against the e-mail account you provided. Once they gain access, it’s easy to scan your e-mail for messages from other services and begin requesting access to the other accounts associated with it.
You may also have registered with a new website or web service that is not necessarily malicious but stores your password insecurely and unencrypted. A hacker may have discovered a security exploit allowing them to access that password data.
The solution isn’t simply to use only trusted sites. Using new services and trying new concepts is what helps the Internet grow. Plus, even large trusted services can have their security compromised by badly written code that allows third parties to gain access to your data. The better solution is to use a unique password for every website. How would you remember a unique password for every website? You’d use a password algorithm.
Many Internet users use the same password for multiple systems. Some people use a slightly more secure technique of having different levels of passwords. They may use one for unsecured sites, such as social networking or instant messaging, another for secure sites such as e-mail, and a very strong one for computer and bank passwords. Although this is better than using the same password everywhere, it’s not a replacement for the security provided by a unique password algorithm.
A good password algorithm can be based on the website the password is intended for. For instance, you can take the first or last letter of the website’s name, combine it with a PIN or short password, and then tack on a character representing something else about the site. For example, you could add a letter representing the top-level domain (e.g. the letter ‘A’ for .com, ‘S’ for .net, ‘D’ for .org and ‘F’ for all others).
You could also use something on the site itself, such as the company’s primary color or the background color of the website. Although something on the page itself may change over time, that can also be a benefit: it forces you to change and rotate passwords periodically.
You can be creative and find many different ways to create a good password system. However, there are a few basic rules you should try to follow to ensure good password selection.
- Make sure your pattern will always give you a password with at least one capital letter, one lowercase letter and one number.
- Ensure your system always gives you a password between 8 and 9 characters long. Many websites have restrictions on length, and 8 or 9 characters ensures your password will never be too short or too long.
- Avoid special characters. Many websites ban these (due to ignorance) in the name of security, and it’s much more difficult to remember exceptions to your password system.
- Choose a system you can remember easily, but that’s not easy to work out should someone get hold of one of your passwords.
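As an added illustration (not the post’s own code), here is the pattern described above written out in Python, together with a checker for the rules in the list: the capitalised first letter of the site name, then the PIN or short word you memorise, then the TLD letter. The PIN “hat1234” and the example sites are constructed sample values.

```python
import re
from urllib.parse import urlparse

# Trailing letter per top-level domain, as the post describes ('F' for all others).
TLD_LETTER = {"com": "A", "net": "S", "org": "D"}
OTHER_TLD_LETTER = "F"


def site_parts(url: str) -> tuple[str, str]:
    """Split a URL or bare hostname into (site name, TLD), e.g. 'example', 'com'.
    Simple label split: multi-part suffixes such as .co.uk are not handled."""
    host = urlparse(url if "//" in url else "//" + url).hostname or ""
    labels = [part for part in host.lower().split(".") if part]
    if len(labels) < 2:
        raise ValueError(f"cannot find a site name and TLD in {url!r}")
    return labels[-2], labels[-1]


def derive_password(url: str, pin: str) -> str:
    """The post's pattern: capitalised first letter of the site name, then the
    PIN or short word you memorise, then the letter standing for the TLD."""
    name, tld = site_parts(url)
    return name[0].upper() + pin + TLD_LETTER.get(tld, OTHER_TLD_LETTER)


def check_rules(password: str) -> list[str]:
    """Return the post's rules that a generated password breaks (empty list = OK)."""
    problems = []
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not 8 <= len(password) <= 9:
        problems.append("length not 8-9")
    if not (password.isascii() and password.isalnum()):
        problems.append("contains a special character")
    return problems


if __name__ == "__main__":
    # Constructed sample values: the PIN 'hat1234' and these sites are made up.
    for site in ("https://www.example.com/login", "example.net", "example.org", "example.io"):
        pw = derive_password(site, "hat1234")
        print(f"{site:32} -> {pw}  {check_rules(pw) or 'OK'}")
```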
In addition to individual passwords for each website, you should also have secure passwords for non-web related systems such as company computers/networks and home computers.
You don’t need to change every password at once when you come up with an algorithm. Just start changing passwords as you access sites you use more frequently. Whenever you access a website with your old password, go into that website’s account options and change it. You can then gradually adjust to a new password algorithm over the course of a few weeks.
- Never use your web browser’s password store to remember passwords for you. Turn it off, remember your password system and commit your passwords to memory.
- Always remember to log off from your accounts on computers that are not yours or that you cannot secure.
One serious point of contention in the network security industry is the increasing use of security questions. Although they are used to reduce customer service calls, the questions themselves are easily guessable.
At the 2009 IEEE Symposium on Security and Privacy, researchers from Microsoft and Carnegie Mellon University showed that in a study involving 130 people, 28% of the people who were known and trusted by the study’s participants could guess the correct answers to the participants’ security questions. Even people who were not trusted still had a 17% chance of guessing a participant’s answers [1].
Some security experts suggest typing random letters as answers to security questions and accepting the additional burden of calling the company should one’s account become locked. Others suggest using a password algorithm similar to the one described above to generate a separate password for the security question. Without doing one or the other, the system a user is accessing has an automatic backdoor into his or her account, defeating the purpose of having password-based security in the first place.
A better solution than security questions is to send reset codes to users’ e-mail addresses, or to combine an e-mailed reset code with security questions and lock the account after several bad attempts. While this is a better solution, many websites cannot implement e-mail based password reset systems because they allow multiple accounts to use the same e-mail address.
Authentication without a Password
Another thing to watch out for is services that ask for your password to another service. For example, a new social networking site may ask for your e-mail password in order to search for friends who might be using the new service. While at one time this was the only way for third parties to access information in your account, it isn’t any longer.
Now almost all major services support some type of single sign-on authentication. Twitter uses an OAuth based system, Facebook has its own Facebook Connect system, Microsoft has LiveID and Google has third-party account authentication. These systems work by directing you to the given service (Facebook, Twitter, Google, etc.) with a security token. On that site, you log in and authorize the token, granting the other website limited access to your account.
The advantage of this system is that if the third-party service does start doing something malicious, such as sending spam messages to your contacts, you can simply revoke the application’s access to your account without having to change any passwords. Most services even allow their users to report malicious applications, which can cause the application’s tokens to be rejected permanently for all users.
Password security is critical in a world where so much of your personal information and so many of your accounts can be accessed electronically. Developing and protecting a good password system is more important in many ways than defending your social security number.
At a minimum, you should have different levels of passwords: a low-security password for social networking websites and other trivial services, a high-security password for e-mail, payment accounts and other sensitive services, and finally an ultra-secure password for critical websites such as on-line banking.
Ideally, you should create a password algorithm for all web passwords. The algorithm should always generate 8 to 9 character passwords that include at least one capital letter and one number, and the system should be easy to remember yet difficult to work out should one or more passwords become compromised.
If a user suspects a malicious website or application has gained access to one of his or her accounts, the user should change the password on that account immediately. Using an algorithm for generating passwords ensures that other accounts won’t be compromised. Without it, a user may have to change passwords on several websites afterwards.
Switching to a password system from a single universal password may seem a bit cumbersome, but the transition is a lot easier than one would anticipate. I switched from a set of three passwords to an algorithm three years ago and now have a much greater degree of confidence about the security of my information.
[1] Are Your Secret Questions Too Easily Answered? Lemons, Technology Review, May 18, 2009.