Since our beloved forum was recently hacked, we've all become much more sensitive to security issues.. and since they originally got in by cracking the password on my account I've suddenly become a major advocate of Strong Passwords...

The hacker claimed to have gotten in using a brute force technique, which means he tried every possible password until he found the right one (using a computer program, of course). It sounds scary, but it's really not that hard to protect yourself, if you know how.


Easy to Remember = Easy to Hack
Traditionally, we've all wanted to use passwords that we can easily remember, because we're afraid of forgetting them and being locked out. Unfortunately, in this day and age of cyber-thieves, we can't afford that convenience. A password is easy to remember if it follows a pattern or if it's made of real words and phrases. Both of these attributes make them very easy to crack by a computer. Pattern matching is one of the things that computers do best, and a Dictionary Search uses lists of known words to speed up the cracking process, so real words leave you open to hacking. Like it or not, you need to use a random password.

Re-using Passwords is Suicidal
These days you need passwords for just about everything you do online, and one can quickly feel overwhelmed by all those crazy character strings. There's a strong temptation to use a single password at multiple sites, just to keep things simple. Remember, simple for you means simple for a hacker. If just one password is compromised, every account that uses that password is compromised. That's an opening the size of the Holland Tunnel, and a hacker WILL go through it. Again, it's not convenient, but you must use a unique password for every single account you create.

Short, but Not So Sweet
Another error many folks make (and a major reason why THF fell victim) is to use short passwords. Again, this is more convenient for humans, but again it's more convenient for hackers as well. In my case, I used a password that was only 6 characters long. With just lower case letters, that allows about 309 million possible passwords. Seems like a lot, but it only took 'a few hours' for the hacker to guess it. If I'd used 8 characters instead, there would have been 209 billion possible passwords.. See what a difference just adding 2 characters makes?!!

Character Symbols - The More, The Merrier
Merrier for you, not the hackers... My THF password used only lower case letters. That means there were only 26 characters available. That played into the hacker's hands by cutting down on the number of possible variations. If I'd used a mixture of upper case and lower case letters, the character set doubles in size, and instead of 309 million variations, there would have been 19.8 billion variations, even with a password only 6 characters long. Clearly there's a benefit to using a larger character set. Add in all ten available numerals (0 throuh 9) and you add even more strength to your password.

What I Did Wrong
Many, many, things... I used a short password with a small character set made of real words and re-used it for other accounts. SHAME ON ME!!! I violated every rule in the book, and unfortunately THF and its members suffered along with me. But I've learned my lesson, and now I use long, random, multi-character set passwords, and every one of them is unique. I won't say how long, but it would now take the fastest computer in the world over 30 billion years to crack my passwords using brute force!! I think that's fairly safe...


for now

Zimbu, thanks for introducing this thread to our members. It should almost be compulsory reading, especially for the newbies among us, although it`s good for all of us to be reminded that complacency can be dangerous.

I thought I`d add some guidelines that one email provider has written on the same subject.

Because of the importance of this topic I`ll sticky it.

__________________
The Endangered Harpy Eagle : Versatile Tomatoes : Money Saving Ideas
Gardening Features : Manchester United Champions : Making the Internet a Safer Place for Kids

Good stuff, Geoff... But I still feel I should use completely random passwords for maximum security, which reminds me to add a few items to my previous post:

KeyLoggers - The Ghost in Your Machine
Having a good strong password is a great idea, but even then there's a chance that your security may be compromised without your even knowing it, and right under your nose (or more accurately, fingers..). Your passwords could be stolen by a KeyLogger program. KeyLoggers are virus or spyware style programs which hide in your computer and secretly watch you type. They gather all kinds of information, including your passwords, e-mail and home addresses, phone numbers, credit card and checking account numbers; anything you type on your keyboard can be collected then sent back to the hacker using your own internet connection.. It's obscene to be violated so, but you don't have to accept it. Firewalls and antivirus and antispyware are a must, of course.. but should a KeyLogger slip by you could still be compromised. You need another line of defense...

RoboForm = RoboCop for Your PC
RoboForm is a wonderful utility that not only protects your passwords and other sensitive information, it makes them much more convenient to use as well. With RoboForm, you don't need to type your sensitive information into login screens, order forms and the like - you just click a button and RoboForm automatically inserts the data into the proper place. That way, a KeyLogger sees nothing, and your data is secure.
As an added - and very important - benefit, RoboForm makes it easy to keep track of a large number of passwords by storing them all in encrypted files, ready to access whenever you want, just by clicking the button. When you browse to a website login screen, RoboForm recognizes the website and automatically selects the correct login information! This is exactly what we need these days when unique, long, random passwords are so important. No longer must we worry about making passwords easy to remember, RoboForm remembers them all for us! It will even generate long, twisted, random passwords whenever you need one, again at the click of a button...
There's still more, but you should go to the The RoboForm Website and see for yourself. There's a free trial version that will let you manage up to 10 passwords for about 30 days, but even the full version only costs $30, so it's well worth buying. You'll wonder how you ever lived without it!!

Does the RoboForm helps to fill up applet entry pages as well?

I mean those special type of fields which are generated by applet, not forms, java or html.

I'm not sure, but my guess is no. It installs as a plug-in for the browser, so I suspect it only works with HTML/PHP type stuff. There might be more info on the RoboForm site, though....

Nice one, Zimbu

__________________
My "High Yield Investing and Gambling" Blog.

It does NOT work for applets or java.

Zimbu, very good information.

__________________
4X CAMPUS! - LEARN TO TRADE FOREX SUCCESSFULLY!!

FREE FOREX TRADE ROOM!
Download: Click Here!
Password: ghost

A salutary tale comes from another forum where I`ve been watching a thread on a member who had his e-gold account hacked, with the loss of over $200.

Once inside his e-gold account the hacker had his way, and took complete control over it, changing security settings and so on.

The part that amazes me is that he used the same password for his e-gold account as he does for at least one HYIP he`s in. He may have also used the same p/w for his-email account, I don`t know.

If he was lax in using the same p/w the chances are he also used a `weak` password.....

Coincidence that someone hacked into his e-gold account? I doubt it. Sadly he learnt the hard way, but at least now he`s cleaned up his computer, and reset his passwords so hopefully he won`t get caught out again.

__________________
The Endangered Harpy Eagle : Versatile Tomatoes : Money Saving Ideas
Gardening Features : Manchester United Champions : Making the Internet a Safer Place for Kids

I was wondering how often you change your passwords or would suggest others to change their passwords?

What I've been wondering is if Roboform stores passwords, how secure is Roboform itself?