Ah, but there is something you can do to prepare for the next breach, explains F-Secure Labs lead researcher Jarno Niemelä.
“The trick is to use a really long random password for each online account,” he tells us. “The password length should be at least 20 symbols and numbers, but preferably 32.”
Criminals who attempt to crack the password databases use various forms of attack based on words found in the dictionary. And far too often, people reuse the same password over and over — often for their most critical accounts.
If there has been a breach and the password has been stolen, then no matter how random and strong your password is, it is in the public domain and trouble could follow.
That’s why different uncrackable passwords must be used for each of your online accounts. That way, if one password is breached, only that account is at risk.
Sounds easy, right? But…
“Humans in general are really bad password generators,” Jarno says. “No matter how unique you think that your password is, its components are still likely to be in some dictionary, and powerful cracking clusters will come up with exactly the right combination.”
But there are a few catches for this tip — and two of them depend on the security practices of the service you’re using.
First, the site or app has to accept long passwords, and then the developers behind the software have to use some kind of “hashing” for the passwords they store.
Hashing employs an algorithm to hide passwords so they’re not stored in clear text. It’s a relatively basic practice that you can figure most reputable companies will employ. (And Jarno actually recommends developers take further steps to protect passwords.)
“So you as a customer cannot affect what kind of password storage the service providers are using,” he says. “But you can still frustrate all but the most advanced attackers’ efforts by using long enough random passwords.”
So now you may be thinking, “Great! I have uncrackable passwords. They’re also impossible to memorize.”
Jarno recommends “some form of password storage” — like F-Secure KEY, which you can use on one device for free. Many password lockers like KEY will help you generate extra long passwords, too.
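As an added illustration that is not part of the original article and not how F-Secure KEY is implemented, the following Python generates a separate random password per account with the operating system's CSPRNG and compares its entropy with a password assembled from dictionary words. The 94-character alphabet, the account names and the 100,000-word dictionary size are assumptions.

```python
import math
import secrets
import string

# Assumption: the service accepts any printable ASCII letter, digit or punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters
MIN_LENGTH = 20        # minimum length recommended in the article
PREFERRED_LENGTH = 32  # preferred length in the article


def generate_password(length=PREFERRED_LENGTH, alphabet=ALPHABET):
    """Return a password drawn uniformly at random from a CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    # secrets uses the OS CSPRNG; the random module is predictable and unsuitable here.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy of a uniformly random password."""
    return length * math.log2(alphabet_size)


def wordlist_entropy_bits(words, wordlist_size, digits=0):
    """Upper bound for a password built from dictionary words plus digits,
    assuming each word is picked uniformly from wordlist_size entries.
    Human choices are less uniform, so the real figure is lower."""
    return words * math.log2(wordlist_size) + digits * math.log2(10)


def passwords_for(accounts, length=PREFERRED_LENGTH):
    """One independent password per account, so a breach at one
    service exposes only that account."""
    return {account: generate_password(length) for account in accounts}


if __name__ == "__main__":
    # Constructed account names, for illustration only.
    for account, password in passwords_for(["mail", "bank", "game"]).items():
        print(f"{account:5} {password}")
    print(f"20 random chars:    {random_entropy_bits(20):.0f} bits")
    print(f"32 random chars:    {random_entropy_bits(32):.0f} bits")
    # Three words from a constructed 100,000-word dictionary plus two digits.
    print(f"3 words + 2 digits: {wordlist_entropy_bits(3, 100_000, 2):.0f} bits")
```

Each extra bit doubles the number of guesses needed, so the gap between the word-based password and the 20-character random one is what keeps the latter out of reach of dictionary-based cracking even when the service's hashing is weak.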
“Also it might be a good idea to use a unique username per service, and maybe unique email addresses for critical services,” Jarno says. “The unique username will give you added privacy as you cannot be tracked easily across services.”
He gives this advice to his own kids to use as they play online games. Jarno also teaches his kids to limit their digital footprint by regularly changing their username or any alias for any game that makes their identities visible.
“Better teach them the basics of good OpSec — operational security — when they are young.”
[Image by fdecomite | Flickr]