You need to change your password right now, and here’s how
Your passwords are under siege, so a password needs to be dynamic — changing with time — while staying easy to remember.
Updated: Jun 11, 2016 16:19 IST
In 2016, our email addresses; our usernames on Twitter, Facebook, Instagram and Snapchat; and our phone numbers on WhatsApp and iMessage have become more of our identity than the number printed on ID cards like Aadhaar. The only thing keeping an imposter from taking them over is a string of letters, numbers and symbols called a password. But the effectiveness of this method seems to be fading, with software like keyloggers recording every letter we type, hackers breaking into databases full of passwords, and most users resorting to easy-to-crack passwords because they are easy to remember.
Last month, LeakedSource revealed that LinkedIn’s claim of 6.5 million passwords being compromised was a serious underestimate. According to a report, LeakedSource has obtained the emails and passwords of 167,370,910 accounts as proof. The source is the LinkedIn hack of 2012. A couple of Russian hackers involved in the heist have been selling these credentials on the Dark Web, according to Wired. The report gets really scary when you’re told that, “167 million user accounts from LinkedIn, 360 million from MySpace, 68 million from Tumblr, 100 million from the Russian social media site VK.com, and most recently another 71 million from Twitter.”
“As LinkedIn comes clean about the security breach, it is even more noticeable that cybersecurity is something you can’t ignore anymore. Such breaches certainly make you question every platform on the web and call for everyone to be extra careful about the passwords they choose and the security solution they use. It is advisable to have unique characters in the passwords and not to have similar passwords for all the social platforms. Hackers are leaving no stone unturned to expose your intellectual property, your personal information and any data that is valuable. Ultimately, education and awareness play a big role in securing your data. Keep yourself informed of the threats as these are found so you can defend your systems accordingly,” said Nilesh Jain, Country Manager of Trend Micro, on the LinkedIn hack.
While many won’t be worried about their LinkedIn, Myspace or Tumblr passwords, the Twitter bit will get to most. The social network, despite its turbulent present, remains one of the most popular mediums of expression and sources of information. Despite denying that its password database was breached, the company published a blog post offering advice on better measures to keep your account safe. A recurring theme in the post was the advice to change your password regularly and to avoid predictable ones — if you fall into either of these categories, change your password right now.
Another situation that should force you to change your password is having a common one for multiple accounts — Facebook, Twitter and LinkedIn, among others. If you share a password between even two sites, it’s likely that the hackers are selling that password as well. If you don’t think that can happen to you, you need to read our report on Facebook CEO Mark Zuckerberg’s LinkedIn, Pinterest and Twitter accounts being hacked.
However, database breaches aren’t the only way hackers get their hands on our passwords to eventually sell them on the black market for a few Bitcoins — buyers then use these accounts to make money by posting spam through them. There are also viruses that can infect your PC, install a keylogger and record every keystroke you make. But now, it seems that they’re even using the login details obtained from one hack to crack the passwords of other accounts that victims hold. They’ve realised that a lot of people, including me, use the same password for multiple accounts.
You’re probably reminded of the time when a ‘sign up’ form told you that your password needs to have a number, before someone decided to change the rule to one number and a symbol. Now a few services that are particularly careful about their users’ security also require both lower and upper case letters in the password. So, the gem of a password you crafted for easy remembrance and used for all your accounts isn’t safe! But don’t panic. We might have a solution for you. At least for now.
While passwords are the only authentication method to have stood the test of time, our ability to set a secure one seems to be poor — clearly shown by the list of the top 40 passwords among the LinkedIn accounts hacked in 2012. These passwords make it seem that the hackers just had to write a program that used a hit-and-trial approach to match the most common passwords against email IDs they’d sourced from a mailing list — easily available on the web.
Jugaad according to Wikipedia is a colloquial word, literally meaning a hack
To understand how strong a password is, you need to understand how they’re hacked:
>Keyloggers record every keystroke, and the only way to keep them at bay — not 100%, but close to it — is to change your password repeatedly, once every few weeks.
>A brute force attack tries strings of letters and numbers until one matches your password. So, use a mix of lower and upper case letters with numbers and symbols to keep it from being an easy guess.
>Have a different password for every account you hold.
Taking all of these factors into account won’t make your account hacking-proof, but it will at least reduce the likelihood of it getting hijacked. If you’re in India, you’re going to need every bit of precaution out there, because, according to a report by F-Secure, Indian users are increasingly being affected by NjwOrm, a rogue software which “spreads via infected removable drives and files attached to e-mails. If the user unwittingly uses the drive or file, it opens a backdoor on the device, steals saved passwords, web site for more instructions.” With India becoming a popular destination for hackers to infiltrate, it’s time we became more cautious about our e-mail and social network accounts.
How to get a secure password for free: Use a cipher
I was introduced to cipher text by mystery novels, and the college course on network security only made it more intriguing. A cipher is something that makes sense — and is easy to remember — only to you. A good password in 2016 has to be dynamic — changing with time — while being easy to remember. To build one, you will need three things: a word of your choice, the month of the year (June for now) and the website’s name.
>First, zero in on a word like hash and then change it to #@5#, because the symbols and number resemble the letters in that word.
>Now write the name of the month with the first letter in upper case, because that’s how proper nouns are written.
>Then add the first and last letter of the website or app’s name — for Twitter it would be tr and for Facebook it would be fk.
>Finally, put all of these together in the order you like, and you have a password that’s safe to use, at least for a month.
>Also, change the password every month, so that even if a hack leaks it, you will already have replaced it, hopefully before they take control of your account.
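As an added illustration (not code from the original article), here is the recipe above written out in Python: the look-alike substitutions beyond h, a and s, the word+Month+site assembly order and the check against the sign-up form rules mentioned earlier are assumptions of this example.

```python
"""Added example: the article's month-based 'cipher' password recipe.

Illustration only; the substitution table, the assembly order and the
sign-up rule check are assumptions, not taken from the original article.
"""
import string

# Look-alike substitutions. The article shows only hash -> #@5#
# (h->#, a->@, s->5); the remaining entries are assumed extras.
LOOKALIKES = {"h": "#", "a": "@", "s": "5", "o": "0", "i": "1", "e": "3"}


def disguise_word(word: str) -> str:
    """Replace letters with look-alike symbols/digits where one is known."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in word.lower())


def site_tag(site: str) -> str:
    """First and last letter of the site name: Twitter -> tr, Facebook -> fk."""
    letters = [ch for ch in site.lower() if ch.isalpha()]
    if not letters:
        raise ValueError("site name needs at least one letter")
    return letters[0] + letters[-1]


def build_password(word: str, month: str, site: str) -> str:
    """Assemble disguised word + capitalised Month + site tag (assumed order)."""
    return disguise_word(word) + month.strip().capitalize() + site_tag(site)


def meets_signup_rules(pw: str) -> bool:
    """The four sign-up form rules: lower case, upper case, digit, symbol."""
    has_lower = any(ch.islower() for ch in pw)
    has_upper = any(ch.isupper() for ch in pw)
    has_digit = any(ch.isdigit() for ch in pw)
    has_symbol = any(ch in string.punctuation for ch in pw)
    return has_lower and has_upper and has_digit and has_symbol


def rotation_plan(word: str, months: list, sites: list) -> dict:
    """One password per (month, site); raise if any two accounts collide."""
    plan = {(m, s): build_password(word, m, s) for m in months for s in sites}
    if len(set(plan.values())) != len(plan):
        raise ValueError("two accounts share a password; change the word or order")
    return plan


if __name__ == "__main__":
    for site in ("Twitter", "Facebook"):
        pw = build_password("hash", "June", site)
        print(site, pw, "ok" if meets_signup_rules(pw) else "rejected")
```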
This exercise may seem like too much work, but like medical checkups for your body, it is necessary to keep your identity safe online. If you’re still feeling lazy, at least change the passwords of the accounts that are extremely personal and confidential — for the sake of others. There are password generators and password keepers like keylogger too, but they can be limiting, expensive and most of the time inconvenient. You could think fingerprints or two-factor authentication (using one-time passwords sent to your mobile number) is the answer, but when under siege, even that can be fooled. So, for now, try this method right now, at least for your friends and family.
First Published: Jun 11, 2016 16:14 IST