Jun 14, 2011
Just recently the Lulz Security hacker group pawned the US Senate exposing the directory contents of it’s web server. With the recent attacks on many corporate and government sites, what can we do to protect our online presence? While we are helpless when the problem lies on the server itself, there are things that we can do to put a layer of defense to avoid our accounts being compromised.
Using different passwords on each site should be done strictly. We should use a different password for Facebook, Twitter, MySpace and emails. So that when a particular site has been exploited by hackers, the other accounts cannot be compromised. Sometimes, the security team of a particular site automatically reset the password if an account has found to be compromised by hackers. A good example is that the Facebook security team automatically reset the password of all accounts found on the list posted by Lulz Security. The list was extracted from www.pron.com database and it contains about 25,000 user accounts and passwords. With this initiative, Facebook users can remain calm amidst the attack. You see, you’ll be in trouble if you’re using same password for multiple sites.
But using different passwords means trouble in remembering them all. In addition to this problem, some sites will require you to provide complex passwords. Most of the time complex passwords contains a combination of numbers, letters and other characters like @&!#|> etc.
To start learning in creating complex but easy to remember passwords you must get used to some geeky stuff. These are not so geeky, so don’t be afraid. First we should avoid using ‘weak passwords’. Here’s some list defined by wikipedia about weak passwords.
- Default passwords (as supplied by the system vendor and meant to be changed at installation time): password, default, admin, guest, etc. All are typically very easy to discover.
Dictionary words: chameleon, RedSox, sandbags, bunnyhop!, IntenseCrabtree, etc., can be automatically tried at very high speeds.
- Words with numbers appended: password1, deer2000, john1234, etc., can be easily tested automatically with little lost time.
Words with simple obfuscation: p@ssw0rd, l33th4x0r, g0ldf1sh, etc., can be easily tested automatically with little additional effort.
- Doubled words: crabcrab, stopstop, treetree, passpass, etc., can be easily tested automatically.
- Common sequences from a keyboard row: qwerty, 12345, asdfgh, fred, etc., can be easily tested automatically.
- Numeric sequences based on well known numbers such as 911 (9-1-1, 9/11), 314159… (pi), or 27182… (e), etc., can easily be tested automatically.
- Identifiers: jsmith123, 1/1/1970, 555–1234, “your username”, etc., can easily be tested automatically.
- Anything personally related to an individual: license plate number, Social Security number, current or past telephone number, student ID, address, birthday, sports team, relative’s or pet’s names/nicknames/birthdays/initials, etc., can easily be tested automatically after a simple investigation of person’s details.
- First you have to write down your password the usual way without obfuscation. Example: THE QUICK BROWN FOX
- Now, let’s put some simple obfuscation replacing the letters with numbers. Example: T43 QU1K B20WN F0X
- Then let’s convert ‘spaces’ to another character, say ‘+’. Example: T43+QU1K+B20WN+F0X
- To complicate things further, we can make the first letter of each word to ‘lower case’. Example: t43+qU1K+b20WN+f0X
At first, it seems very difficult to do this. But when you become used to it, you can clearly read ‘t43+qU1K+b20WN+f0X’ as ‘THE QUICK BROWN FOX’. Just don’t forget your ‘style’ or ‘pattern’ in creating your password. Go ahead, try creating your own and make your online presence much secure. Have a nice day.