June 06, 2011

Protect Yourself: Tips for Online Passwords and Password Security

Catherine Sanders Reach

Are your online accounts hacker-proof? Two recent high-profile security breaches raise concerns about the safety of online accounts and highlight the importance of taking steps to better protect accounts from Internet criminals.

Former Alaska Gov. Sarah Palin was the victim of the first incident. Last year hackers gained unauthorized access to her Yahoo! e-mail account and posted some of her messages online in an attempt to publicly embarrass her. The second incident happened just last month when a hacker accessed the private e-mail accounts of employees of microblogging company Twitter. In that case, more than 300 internal company documents were stolen and subsequently posted on the Internet.

How did these breaches happen? In the Palin incident, hackers took advantage of her webmail service's password recovery system. Anyone who has an online account, such as one for e-mail, shopping or banking, is familiar with these recovery systems, which can retrieve or reset a user’s account password, if forgotten. While this feature is helpful for legitimate reasons, obviously, there are weaknesses that hackers can exploit.

Many password recovery systems are not secure enough. Most of them only require users to answer simple personal questions to obtain their passwords. These questions—such as "What high school did you go to?" "What is your mother's maiden name?" and "What city were you born in?"—can often be answered after doing a simple Internet search. The availability of personal information on the Web, found on posted online resumes and corporate bios, blog postings, profiles on social networking sites, as well as in databases culled from public government records and other sources, makes it easy for hackers to gather sufficient personal information to answer these questions.

Hackers figured out the answers to several of Palin's password recovery questions by reading Wikipedia and other Web pages that contain Palin’s personal information, including her birthdate and where she first met her husband. Although few people are important enough to have their own Wikipedia entry, the kind of information on that site might be found elsewhere online, such as on blog postings and social networking sites.

Inadequate security also contributed to the incident at Twitter. A hacker researched several Twitter employees on the Internet, then with some luck, patience and determination, used the information he found to beat a password recovery system to gain access to one employee’s e-mail account. In addition to that employee, the wife of company founder Evan Williams was another victim. From Williams’ account, the hacker obtained more personal information, allowing him access to the user’s other accounts. One of those accounts contained internal company documents including confidential financial, human resources and strategy documents. Among Web sites the hacker accessed were some of the Internet’s most venerable Web presences, Google, PayPal, Amazon, AT&T and GoDaddy.

This was not the first time Twittter employees were victimized. In another incident earlier in the year, a hacker gained access to internal company accounts by using a password generation program.

To help avoid having your online accounts hacked, follow these tips:

  1. Use strong passwords that consist of a combination of upper and lowercase letters with numbers and symbols. Avoid using dictionary words and personal information as passwords. Consider using the first letter of each word in a complex sentence, poem or song title.
  2. Use a password that is 12-14 characters long.
  3. Check the strength of your password with a tool from Microsoft
  4. Do not use the same password for multiple accounts.
  5. Erase password recovery e-mails from your e-mail accounts so that if an intruder hacks one of your accounts, he will not have easy access to the passwords of several others. Likewise, do not leave unencrypted personal information such as credit card numbers and social security numbers in your e-mail accounts.
  6. Do not have obvious answers to password recovery system questions. Have answers you will remember, but will be difficult for hackers to guess—in effect, treat your password recovery answers as passwords.
  7. When signing up for an online account, add a secondary e-mail address to that account, if prompted. Typically, password retrieval systems will send an e-mail message to that account, which you must access before you can receive the password you seek. It’s a second layer of defense that prevents a hacker from gaining access to your account on the spot if he guesses the answers to your recovery questions.

This article first appeared in YourABA e-newsletter, a monthly publication distributed via email to all ABA members.  Learn more about the benefits of belonging to the American Bar Association.

Catherine Sanders Reach