10 Password Tips to keep you safe online

A few weeks ago I started to receive SPAM emails from a friend of mine, and it quickly became obvious that her email account had been compromised. Her account wasn’t compromised because of a phishing scam or because her computer had caught a nasty bug; it was a simple case of a weak password.

I know my friends get bored of me banging on about how the name of their pet cat / mother / father is not a good password, but I now have one friend who wishes they had listened to me!

The problem was that it was her business email address that had been compromised, and after some embarrassing apologies to clients about the nature of some of these SPAM emails, we set about trying to get control of the account back.

Now, this was a Google account, and the people who had hacked it had changed the password, so it was a few days until she could prove her identity to Google and get the account back.

In my experience people either use incredibly strong passwords such as $%^£@svr312£ and write them down (defeating the object!), or simple passwords such as password, which are easily defeated by a dictionary attack.

Here are my 10 tips for secure passwords:

    1. Avoid common words – Sounds obvious, but a study of the top 25 leaked passwords of 2012 revealed that far too many people are still using “password”, “123456” and “12345678” as their login credentials.
    2. Use different character classes – Mix character sets: a-z is one set, A-Z another, 0-9 another and punctuation a fourth, so password could become Pa$$wor6. Bear in mind, though, that the obvious substitutions (@ for a, $ for s, 0 for o) are built into the rulesets cracking tools run over their wordlists, so they add less strength than they appear to.
    3. Use letters from a phrase – Take the first letter of each word in a phrase, e.g. To be, or not to be, that is the question becomes tbontbtitq. The better known the phrase, the more likely an attacker has already tried it, so pick one of your own.
    4. Don’t include your user name in the password – This just gives the attacker a head start, don’t do it!
    5. Avoid keyboard patterns – As with the user name, it’s best to steer clear of these. 12345 or qwerty will be among the first sequences a hacker tries.
    6. Use more than one word – A hacker running a dictionary attack will find it harder with more than one word, e.g. football is easier to crack than iplayfootball.
    7. Separate your two words with symbols and numbers – Taking the above, you could use i-play@football; this breaks up the dictionary words with characters a wordlist won’t contain.
    8. Don’t write it down! Use a phrase that only you know – Writing a password down defeats the object if you lose the note! Use a memorable phrase or pattern, such as an old computer, e.g. Commodore-Amiga500+, or the colour and engine size of your first car, e.g. V-Golf1600!!
    9. Use a different password for each site – Yes, it is more to remember, but it is a must: if your password is compromised, at least it will only be for one site. You could use:
      • amazCommodore-Amiga500+ for Amazon
      • hotmCommodore-Amiga500+ for Hotmail
      • googCommodore-Amiga500+ for Google
      Treat a scheme like this as a minimum, though: anyone who sees one of them can guess the rest, so genuinely unrelated passwords are safer.
    10. Never share your password! – Seems obvious, but it does happen!
    11. Eleven? I thought you said ten password tips?! – I did, but just to say it one more time: make your password secure!
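To turn the tips into something you can actually run, here is an added example (my own code, not part of the original post) that checks a candidate password against tips 1, 2, 4, 5, 6-7 and 9. The common-password list is a constructed stand-in for the leaked list the post refers to, the 12-character minimum and the leet substitution table are my assumptions, and username and others (passwords already in use on other sites) are parameters I introduced. The tip 9 check deliberately flags the amaz/hotm prefix scheme above, because those two passwords differ by only four characters.

```python
"""Check a candidate password against the tips above (added example, not the post's code)."""
import re

# Constructed stand-in for a leaked-password list; the 2012 top-25 list the post
# mentions is not reproduced here, and a real checker would load a far larger wordlist.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
    "monkey", "football", "iloveyou", "welcome", "dragon", "baseball",
}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Undo the usual "leet" substitutions; cracking rulesets apply these automatically,
# so P@ssw0rd is barely stronger than password. (Assumed table.)
LEET = str.maketrans("4@$50!13", "aassoiie")
MIN_LENGTH = 12   # assumed threshold, not taken from the post
MIN_CLASSES = 2   # tip 2: at least two character sets


def edit_distance(a, b):
    """Levenshtein distance, so near-misses such as passwor6 are still caught."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def keyboard_runs(pw, minimum=4):
    """Return keyboard-row runs (forward or reversed) of at least `minimum` keys."""
    low = pw.lower()
    hits = []
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for start in range(len(seq) - minimum + 1):
                # take the longest run beginning at this key that occurs in the password
                for end in range(len(seq), start + minimum - 1, -1):
                    chunk = seq[start:end]
                    if chunk in low:
                        if not any(chunk in hit for hit in hits):
                            hits.append(chunk)
                        break
    return hits


def check_password(pw, username="", others=()):
    """Return the tips a password breaks; an empty list means none were detected."""
    problems = []
    low = pw.lower()

    # Tip 1: common passwords, including leet-spelt, near-miss and digit-suffixed forms
    candidates = {
        low,
        low.translate(LEET),
        re.sub(r"[^a-z]", "", low.translate(LEET)),          # letters only
        re.sub(r"[^a-z]+$", "", low).translate(LEET),        # without a trailing 123!
    }
    for common in sorted(COMMON_PASSWORDS):
        if any(edit_distance(c, common) <= 1 for c in candidates):
            problems.append(f"tip 1: too close to the common password '{common}'")
            break

    # Tip 2: character classes actually used
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"))
    if classes < MIN_CLASSES:
        problems.append(f"tip 2: only {classes} character class used")

    # Tip 4: user name inside the password
    if len(username) >= 3 and username.lower() in low:
        problems.append("tip 4: contains the user name")

    # Tip 5: keyboard patterns
    runs = keyboard_runs(pw)
    if runs:
        problems.append("tip 5: keyboard pattern " + ", ".join(runs))

    # Tips 6 and 7: length is what really hurts a brute-force attack
    if len(pw) < MIN_LENGTH:
        problems.append(f"tips 6-7: only {len(pw)} characters, use two or more words")

    # Tip 9: a per-site variant of a password used elsewhere is not a different password
    for other in others:
        if edit_distance(pw, other) <= len(pw) // 3:
            problems.append("tip 9: a close variant of a password used on another site")
            break
    return problems


if __name__ == "__main__":
    for sample in ("password", "Pa$$wor6", "football", "iplayfootball", "i-play@football"):
        print(f"{sample:18} {check_password(sample) or 'no problems found'}")
```

Run it and the post's own examples sort themselves out: football breaks three tips, iplayfootball only the character-class one, and i-play@football passes. A P@ssw0rd123! style password is still caught, because the check undoes the substitutions and strips the trailing digits before comparing.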

Got a Mac? – Get Anti-Virus Software!

The Register reported yesterday on Apple’s advice that Mac users should use anti-virus software, or indeed more than one piece of anti-virus software if Apple’s advice is to be followed. Well, I agree, to a certain extent anyway: using two products may be a bit excessive, especially as it will hit your system’s performance, but I certainly think that using anti-virus software is a must.

Now, contrary to what I wrote about Macs back in 2007, I do like using OS X, and yes, my XP laptop is looking a bit long in the tooth now, and I hope one day to have enough cash to buy a MacBook Pro (although I will use VMware or Parallels to run XP as well as OS X). I would never, though, run it without anti-virus software; what a stupid thing to do! Most Mac users that I know still think they are immune to malware and viruses. Well, you are not!

My Mac at work has Symantec anti-virus installed on it, and out of curiosity I decided to take a look at the viruses that affected the Mac. Fair enough, hardly any, but I still came across MacOS.MW2004.Trojan and Mac.Simpsons@mm, so even with these being very low-risk viruses, why would you want to be without anti-virus software? It escapes me!

Trojanised WordPress

As a daily reader of The Register website, I was quite concerned when I came across this article on a Trojanised version of WordPress doing the rounds on a fake site.

Apparently this fake site, Wordpresz.org, is offering the ‘latest version’, which is supposedly 2.6.4. However, the latest official version from WordPress is 2.6.3, which I upgraded two blogs to yesterday (Wednesday 5th November 2008). Although I was sure (as I always am) to double-check that the download was from the official URL, it didn’t stop me panicking, so off I went to check the two blogs that I had upgraded, just in case.

The difference is a Trojanised version of pluggable.php, and Sophos has since detected the malicious code as the WPHack-A Trojan. According to posters on Craig Murphy’s blog, the Trojanised pluggable.php attempts to steal users’ cookies if the site has five or more users. I imagine further analysis of pluggable.php may yield additional code, but until then, watch this space!
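The check I went off to do on the two upgraded blogs can be scripted: compare the installed tree against a pristine copy of the same release (2.6.3 here) unpacked from the official wordpress.org archive, and report every file that differs, is missing, or was never shipped. The script below is an added example, not the blog’s own tooling nor anything from the WordPress project; the ignore list, the directory names and the file contents in demo() are constructed for illustration, and the tampered pluggable.php is just a marker line, not the real WPHack-A code.

```python
"""Compare an installed WordPress tree against a pristine copy of the same release
(added example; paths, ignore list and sample files are constructed)."""
import hashlib
import sys
import tempfile
from pathlib import Path

# Files that legitimately differ between installs and should not be reported (assumed list):
# wp-config.php holds the site's secrets, and uploads holds user content.
IGNORE_FILES = {"wp-config.php", ".htaccess"}
IGNORE_DIRS = {"wp-content/uploads"}


def sha256_of(path):
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    hashes = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel in IGNORE_FILES or any(rel.startswith(d + "/") for d in IGNORE_DIRS):
            continue
        hashes[rel] = sha256_of(path)
    return hashes


def compare_trees(installed, pristine):
    """Return (modified, added, missing) relative paths of the install vs the release."""
    got, want = tree_hashes(installed), tree_hashes(pristine)
    modified = sorted(p for p in got if p in want and got[p] != want[p])
    added = sorted(p for p in got if p not in want)     # files the release never shipped
    missing = sorted(p for p in want if p not in got)
    return modified, added, missing


# Constructed sample content; the real pluggable.php and the WPHack-A payload are not reproduced.
PRISTINE_PLUGGABLE = b"<?php\nfunction wp_set_auth_cookie($user_id) { /* ... */ }\n"
TAMPERED_PLUGGABLE = PRISTINE_PLUGGABLE + b"// extra code appended by a tampered copy (marker only)\n"


def demo():
    """Build a pristine tree and a tampered install in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine = Path(tmp, "wordpress-2.6.3")
        installed = Path(tmp, "blog")
        for root in (pristine, installed):
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-includes" / "pluggable.php").write_bytes(PRISTINE_PLUGGABLE)
            (root / "index.php").write_bytes(b"<?php require 'wp-blog-header.php';\n")
        # site-specific file that only exists in the install and must be ignored
        (installed / "wp-config.php").write_bytes(b"<?php define('DB_NAME', 'blog');\n")
        # the tampering: a modified pluggable.php plus a dropped-in extra file
        (installed / "wp-includes" / "pluggable.php").write_bytes(TAMPERED_PLUGGABLE)
        (installed / "wp-includes" / "class-x.php").write_bytes(b"<?php // not part of the release\n")
        return compare_trees(installed, pristine)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        result = compare_trees(sys.argv[1], sys.argv[2])   # python check_wp.py /var/www/blog /tmp/wordpress-2.6.3
    else:
        result = demo()
    for label, paths in zip(("modified", "added", "missing"), result):
        print(f"{label}: {paths or 'none'}")
```

A clean comparison is only as good as the pristine copy, which is exactly why checking the download URL matters; and because wp-config.php, uploads and the database are outside the comparison, “no differences” means the shipped PHP is intact, not that the site is clean.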

Anyway, all was well with my blogs, but it does make you think: always double-check the URL of the links you are clicking on. Are they what they appear to be?!