A recent report from Trustwave found that about two million accounts from popular services including Facebook, Google, Yahoo, Twitter and LinkedIn have been compromised. The security researchers found that a keylogger tool associated with the Pony botnet enabled thieves to harvest the user names and passwords. The trove, according to Trustwave, consisted of 1,580,000 website login credentials, 320,000 email account credentials, 41,000 FTP account credentials, 3,000 remote desktop credentials and 3,000 secure shell credentials.
In a statement, Facebook said that it had initiated a password reset for people whose passwords were exposed and recommended that people “protect themselves when using Facebook by activating Login Approvals and Login Notifications in their security settings,” so that they’ll be notified if someone tries to access their account from an unrecognized browser. New logins, according to the statement, “will require a unique passcode generated on their mobile phone.”
Researchers analyzed the passwords and found that the most common was “123456”, followed by a series of other equally easy-to-guess options. Overall, 34% of the passwords were rated as bad or terrible. Only 5% were good, 17% were excellent and 44% were medium. The “excellent” ones were 8 or more characters long and used a combination of uppercase letters, lowercase letters, numbers and special characters.
General advice about passwords
Passwords should be strong, secure and unique, and should not be based on real words, names or anything else that’s easily recognized or guessed. One trick is to come up with a phrase and use letters, numbers and symbols associated with its words. For example, the phrase “I met Sally Jones in Chicago in 1998” might be easy to remember, but you can turn it into a strong password by using the first letter of each word plus the date and a symbol, such as ImSJiCi#1998. It’s easy to remember which letters to capitalize because they’re proper nouns.
Don’t use the same password for each account, but you can use a similar pattern. For example, you might use FBA (for Facebook account) as part of that string for your Facebook account, or GLE if it’s a Google account. You get the idea. Mix them up so that each is unique.
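The two pieces of advice above (build a password from a memorable phrase, then vary it per account) and the rating bands from the Trustwave analysis can be put together in a small script. This is an added example, not code from the post or from Trustwave: `phrase_to_password`, `account_variant` and `rate_password` are names chosen here, the “excellent” band follows the criterion the post states, and the thresholds for the other bands and the placement of the account tag are this example's own assumptions. The sample phrase is the post's own; the tiny common-password list contains only the entry the post names.

```python
import string

# "123456" is the most common password in the dump according to the post;
# a real checker would use a much longer list.
COMMON_PASSWORDS = {"123456"}


def phrase_to_password(phrase: str, symbol: str = "#") -> str:
    """Build a password the way the post describes: the first letter of each
    word (keeping the writer's capitalisation of proper nouns), then a symbol,
    then any number that appears in the phrase.
    Assumed helper, not a tool from the post."""
    words = phrase.split()
    initials = "".join(w[0] for w in words if w[0].isalpha())
    digits = "".join(w for w in words if w.isdigit())
    return initials + symbol + digits


def account_variant(phrase: str, tag: str, symbol: str = "#") -> str:
    """Add a per-account tag such as FBA or GLE so each account gets a unique
    string. Putting the tag just before the symbol is this example's
    assumption; the post only says to use it 'as part of that string'."""
    return phrase_to_password(phrase, symbol=tag + symbol)


def rate_password(pw: str) -> str:
    """Band a password by length and the character classes it mixes.
    'excellent' is the post's stated criterion (8+ characters with uppercase,
    lowercase, digits and special characters all present). The cut-offs for
    terrible/bad/medium/good are assumptions made for this example."""
    if pw in COMMON_PASSWORDS or len(pw) < 6:
        return "terrible"
    classes = sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    if len(pw) >= 8 and classes == 4:
        return "excellent"
    if len(pw) >= 8 and classes == 3:
        return "good"
    if classes >= 2:
        return "medium"
    return "bad"


if __name__ == "__main__":
    phrase = "I met Sally Jones in Chicago in 1998"  # the post's example phrase
    samples = [
        "123456",                       # named in the post as the most common
        "sallyjones",                   # constructed: lowercase letters only
        phrase_to_password(phrase),     # ImSJiCi#1998
        account_variant(phrase, "FBA"), # ImSJiCiFBA#1998
    ]
    for pw in samples:
        print(f"{pw:18} {rate_password(pw)}")
```

Counting character classes is only a rough proxy for guessability, which is why the bands other than “excellent” are labelled as assumptions. One caveat worth keeping in mind with the per-account pattern: these credentials were captured by a keylogger, so an attacker who sees one variant also learns the shared stem, and a three-letter tag adds little. A password manager that generates unrelated passwords, combined with the Login Approvals that Facebook's statement recommends, closes that gap.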
Tips and slideshow
Here are some password tips from ConnectSafely and here’s a slide show.