Monday, June 11, 2012

Password Security on the Internet

Security and privacy on the Internet is obviously a very important topic.  With so much private information about you stored in a digital format, you need to be careful to secure it.  I wanted to do a short series of posts on password security and protecting yourself.

This all came about because of the recent news that 6.5 million LinkedIn passwords were compromised.  As it turns out, mine was one of them.  This has forced me to reevaluate how I use passwords on the Internet.  My old scheme was to maintain a small number of moderately complex passwords.  Anytime I needed a password for a new site on the Internet, I would use one of these passwords.  That way I only had a small number of passwords to remember.  For years this worked great.  I've been on the Internet since 1994 and never had a compromised password... until last week.  Because I reused a small number of passwords, the compromise of that one password puts every other site where I used the same password at risk.

Before I get into password security and the changes I've decided to implement, I wanted to talk about how passwords are compromised.  The way in which malicious people get their hands on your private information has definitely changed over the years.  But I believe they have settled on 4 different approaches:

  1. Good old fashioned trial and error.  I don't think it's very common, but guessing over and over is always an option.  After all, if your password is "password" or something really simple, all they need to do is figure out your username.
  2. The weakest link in computer security is almost always the human.  If you can trick the human into giving up their password, that is far easier than any other approach.  That is why "phishing scams" are so common.  Fake web sites designed to look like the genuine thing, bogus emails designed to trick the user: these are just some of the ways in which they try to exploit the human.  And it's not always the fault of the human.  Sometimes these attacks are so technically advanced that it's near impossible for the person to realize something's wrong.
  3. The first computer viruses were designed to inconvenience the user by erasing their hard drive and destroying their data.  But with the introduction of the Internet, virus writers realized the data on the hard drive is valuable.  So now they write viruses to extract data off your hard drive, whether that's your address book, personal documents, passwords, credit card numbers, etc.  They want it all.  So another common way to have your passwords compromised is by a virus or malware on your system.
  4. The final, and usually most difficult, approach is to directly hack into the site.  Now I'm not talking about trying usernames and passwords over and over until you find one that works.  I'm talking about breaking into the system and stealing large numbers of usernames and/or passwords.  This is what happened at LinkedIn recently, as well as eHarmony.  Not to mention the huge Sony PlayStation hack from several months ago.  These attacks are not easy and are usually undertaken by groups of highly skilled technical people.

I should point out that 1, 2, and 3 can usually be avoided if you, the user, are careful.  However, the fourth has nothing to do with you.  It has to do with how good the security is at the website where you signed up.  So you could be the most paranoid person and take every precaution with your password security, and it may still be compromised.
