Another data breach; log-in credentials for 2 million accounts have been stolen. Time to change your passwords?
The massive data breach was a result of keylogging software maliciously installed on an untold number of computers around the world, researchers at cybersecurity firm Trustwave said. The virus was capturing log-in credentials for key websites over the past month and sending those usernames and passwords to a server controlled by the hackers.
It is important to note the difference between this “breach” and a typical security breach. A hacker did not gain access to Facebook, Twitter, or Gmail and steal any password data this time. Malicious keylogging software found its way onto users’ computers and recorded the keystrokes they entered when accessing their accounts. This means two things:
- Just because you don’t use Facebook et al doesn’t mean you are safe. If the keylogging software is on your machine, it has logged (and is currently logging) your username and password on any site you are accessing.
- Simply changing your password is not a solution to this problem. You need to first remove the keylogging program; only then is changing your password an effective precaution against future breaches. Our IT department vouches for Vipre Antivirus to help keep things squeaky clean, but any good up-to-date software should do the trick now that this breach has been made public.
I have been pondering password security for the last few months. I even wrote a blog post about it recently. Here are some rules of thumb I have discovered in regard to password management:
- Your password cannot be too long; it is probably too short.
- Don’t use the same password for multiple accounts. Take particular care ensuring no “important” sites share passwords with non-important sites like one-off retail stores or forums.
- If you can remember and comfortably enter your password without having to look it up, you should change it to one you cannot remember.
The third rule might seem silly, but it isn’t. Of course there are exceptions to the third rule. I don’t doubt that a person could remember the password 6QMZIcwEsLKa6L95, which is moderately secure (still too short if you ask me). But, generally speaking, a password you can remember is probably really easy for a cracker to guess. Long, randomly generated passwords still take far too long to break even with current cracking technology, and since you would never enter such a password manually, being keylogged isn’t a concern. You just need a password management system like KeePass or LastPass to keep everything organized.
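To put numbers on the “too long to break” claim, here is an added example (not part of the original post) that estimates the keyspace of a password from the character classes it uses, converts that to bits and to time-to-exhaust at an assumed guess rate of one trillion guesses per second (a constructed figure, not a measurement), and generates a random password the way a password manager would:

```python
import math
import secrets
import string

# Character classes used to estimate the alphabet a password was drawn from.
_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation)


def alphabet_size(password: str) -> int:
    """Size of the union of character classes that covers every character.

    Any character outside the four classes (e.g. a space) counts as one extra
    symbol.  This is an upper bound: a human-chosen password is far from
    uniformly random, so its real strength is lower than this estimate.
    """
    size = sum(len(cls) for cls in _CLASSES if any(c in cls for c in password))
    size += len({c for c in password if not any(c in cls for cls in _CLASSES)})
    return size


def entropy_bits(password: str) -> float:
    """Bits of entropy for a uniformly random password over its alphabet."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def years_to_exhaust(password: str, guesses_per_second: float = 1e12) -> float:
    """Years needed to try the whole keyspace at the assumed guess rate."""
    if not password:
        return 0.0
    keyspace = alphabet_size(password) ** len(password)
    return keyspace / guesses_per_second / (365 * 24 * 3600)


def generate_password(length: int = 24,
                      alphabet: str = string.ascii_letters + string.digits) -> str:
    """Draw a password from a CSPRNG, as a password manager does (never typed by hand)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("password1", "6QMZIcwEsLKa6L95", generate_password()):
        print(f"{pw:26} {entropy_bits(pw):6.1f} bits  "
              f"{years_to_exhaust(pw):.3g} years to exhaust")
```

The 16-character example from the post works out to roughly 95 bits and over a billion years at that rate, while a memorable `password1` falls in seconds; doubling the length with a manager-generated 24-character password pushes the figure far beyond either.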
This goes without saying, but if your frequently used sites offer two-factor authentication, take advantage of it. Here is a list of popular sites that offer that service.