I scoured the web for news, tips and information on passwords

We begin with some bad practices, then finish off with a list of great tips and proper practices.

From TG Daily

http://www.tgdaily.com/business-and-law-brief/48280-internet-users-too-dim-to-protect-themselves
Internet users use the same password for both serious and recreational browsing

A study has shown that internet users do few favors for themselves and re-use passwords for social networking sites on online banking sites too.

Trusteer sampled four million users of its browser security service – many of whom, it said, are customers of the biggest North American banks.

Incredibly, many of them use their login credentials for online banking and other financial services to login to other sites on the internet.

An astonishing 73 percent of the people surveyed use their banking password to login to other sites, while nearly half just use the same password for both serious and recreational browsing.

The danger, Trusteer says, is that the re-use of online banking credentials is exploited by crooks who find it easy to harvest the logins from webmail and some social network websites. Once they’ve got the passwords and usernames, the criminals start systematically trying to login to bank accounts to see if users are as dumb as they appear to be.

Amit Klein, the chief technology officer of Trusteer, said: “Our findings show that consumers are not aware, or are choosing to ignore, the security implications of re-using their banking credentials on multiple websites.”

Trusteer offers some guidelines for web surfers. You should keep at least three sets of credentials, one to be used only for financial websites, the second for nonfinancial websites that hold information about your identity and the third for non-sensitive websites.

It also has some advice for financial institutions – educate customers and set their risk engines to higher sensitivity.

Do you use the same password for everything? Think about it: if a site is compromised in a way that lets attackers obtain your password, their next stop will be to try that same password against more serious sites, such as your bank.

From CNET News
http://news.cnet.com/8301-27080_3-10445898-245.html

Twitter reset passwords for an unknown number of users.

Twitter reset passwords for an unknown number of users on Tuesday whose accounts appeared to have been compromised via phishing.

“As part of Twitter’s ongoing security efforts, we reset passwords for a small number of accounts that we believe may have been compromised offsite,” the company said in a statement.

Some Twitter users apparently “used their Twitter username and password to sign up for an untrusted third-party application which then posted Tweets to their account,” a spokeswoman said.

“While we’re still investigating and ensuring that the appropriate parties are notified, we do believe that the steps we’ve taken should ensure user safety,” the statement said. “We’ll continue to provide updates as warranted at @safety and @spam.”

Users who want information on what to do if their accounts have been compromised can visit this page and learn how to use Twitter safely here.

Update 12:05 p.m. PST: In response to a reader e-mail suggesting that there may have been a breach at Twitter, Del Harvey, trust and safety director at Twitter, said there was no data breach at the company.

“We’ve noticed a high correlation of users with accounts on third-party Torrent sites and users’ accounts that we believe are compromised. It’s possible that this person falls into this category. It’s not a result of a data breach on Twitter.”

Update 08:40 a.m. PST: Twitter reveals torrent scam details

Twitter has revealed the back story on why it reset passwords this week for many of its users.

The phishing attacks that forced Twitter to change account passwords stemmed from discovery of a scam being run by a torrent Web site creator, explained Del Harvey, Twitter’s director of trust and safety, in a blog post Tuesday evening.

Twitter had found that someone for the past few years had been building torrent sites and forums requiring a log-in and password. This person then sold these Web sites and forums to people interested in starting their own torrent download sites.

Click here for the full CNET updated article

Password tips from SANS Institute

http://www.sans.org/tip_of_the_day.php

Change your password on a schedule.

Passwords are like bubble gum; they are better when fresh. The longer and more complex your password is, the harder it is to crack, and the less often you’ll need to change it. If you use an 8-character password, you should change it about every six months. Remember: never use a password with fewer than 8 characters. If you use a 9-character password and follow the rules about uppercase and lowercase letters, numbers, and symbols, it will stay fresh for a whole year. If you can’t remember the last time you changed your password, it’s time to change it.

Make your password complex.

A good password should contain a mix of all four types of characters: uppercase and lowercase letters, numbers, and symbols. Any character on your Windows or Mac keyboard is legal in a password you make for your own computer. Remember to include at least 8 characters and avoid common words and proper names. Some characters may be illegal for certain networked systems; when in doubt, try it out. Another way to make your password complex is to base it on a word in a foreign language with at least 8 letters, avoiding common words and proper names. Just add a number, a symbol, and a capital letter or two as you go.

Don’t tell ANYONE your password

One way someone could learn your password is to phone you claiming to be from another part of your organization, maybe your IT or Audit teams, and say they need your account details to let them investigate a problem. This should never be necessary. Good systems are set up so that nobody but you will ever know your password, and authorized IT workers have their own accounts giving them access to what they need.

Don’t check “remember my password” boxes

Numerous programs offer the option of “remembering” your password. Unfortunately, many of them have no built-in security measures to protect that information. Some programs actually store the password in clear text in a file on the computer. This means anyone with access to the computer can read the password. It’s best to retype your password each time you log in, eliminating the possibility that someone will be able to steal or use it.

Do not allow Internet Explorer to store passwords for you

Stored passwords allow anyone who can access your machine to log in to your web accounts as you. In addition, there are numerous utilities that can expose that hidden information and actually reveal the password. If you’ve reused that password for other logins, many systems or web sites could be compromised.

Use STRONG passwords!

How to create and remember a complex and unique password

One great tip I use is to come up with a phrase or quote you will always remember. Create your password from the first letter of each word in the phrase. Mix in upper and lower case. Add a number and/or a character such as ~ (tilde). Finally, the part that makes it unique: add the name of the bank, site or service into the password. You then have a unique, memorable password for each website, bank or service you use. Lastly, remember to change it on schedule, as the tip above recommends.
Example:
A friend is one who has the same enemies as you have. Abraham Lincoln
Now take the first letter of each word:
afiowhtseayh
Add some upper case letters of your choosing. I’ll just use the first and last letters:
AfiowhtseayH
Finish off this example with a ~ (tilde):
AfiowhtseayH~
That is now my base password.
The final step is to add the web, bank or service name into your password; here I’m capitalizing the second letter of the service name.
Make up your own pattern and phrase, placing the service name within the password in a spot you will remember.
AfiowhtseayH~bOa
AfiowhtseayH~tWitter
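The recipe above written out as a Python example (added here, not code from the original post), together with a check against the SANS rule quoted earlier that a password should be at least 8 characters and contain all four character types; the function names are my own.

```python
import string

# Added example: the post's password recipe as code, plus a check
# against the SANS "at least 8 characters, all four types" rule.


def base_password(phrase, symbol="~"):
    """First letter of each word, first and last of those upper-cased,
    then a trailing symbol (the post uses '~')."""
    initials = [w[0].lower() for w in phrase.split() if w[0].isalpha()]
    if len(initials) < 2:
        raise ValueError("phrase needs at least two words")
    initials[0] = initials[0].upper()
    initials[-1] = initials[-1].upper()
    return "".join(initials) + symbol


def site_password(phrase, service, symbol="~"):
    """Append the service name with its second letter capitalised,
    the pattern the post uses for 'bOa' and 'tWitter'."""
    svc = service.lower()
    if len(svc) < 2:
        raise ValueError("service name needs at least two letters")
    svc = svc[0] + svc[1].upper() + svc[2:]
    return base_password(phrase, symbol) + svc


def complexity_report(password):
    """Which of the SANS requirements does the password meet?"""
    report = {
        "length_ok": len(password) >= 8,
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    report["all_ok"] = all(report.values())
    return report


if __name__ == "__main__":
    # The post's own phrase (the attribution is not part of it).
    phrase = "A friend is one who has the same enemies as you have."
    for service in ("boa", "twitter"):
        pw = site_password(phrase, service)
        print(pw, complexity_report(pw))
```

Run on the post's own example, the report shows the digit check failing: the number the tip mentions has to go in before the password satisfies all four SANS character types.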

One Comment to “Using the same password for both serious and recreational browsing?”