Yes, you really do need a good password

Mark Kellner, a technology reporter at the Washington Times, bravely owns up to using crappy passwords. Most users think they have nothing to hide and nothing of value. "Who would possibly be interested in me?" they ask. So "why," they ask, "should I bother with a good password?"

Kellner's Gmail account was compromised from an IP address in China. Kellner could have been targeted as a journalist, but an attacker with political motives would have had to be rather clever to cover their trail by sending spam from the mailbox. Even if your mailbox doesn't contain many of your other online passwords or contact details for important people, an ordinary mailbox is still a trusted platform from which to spam your contacts or con them out of money in your name.

Kellner admits to using a simple one-word password. Even in the dark ages when I got my Yahoo mail account, the default password the service handed out combined two words and appended two numbers.

The lesson for normal people who don't read infosec blogs is that even if you think no one would ever target you, you are at risk and need to use password common sense.

At best:
Don't reuse passwords across online accounts.
Change them every 3-6 months.
Don't use dictionary words, common names or sports teams.
Use a mix of letters, numbers and special characters.
If a site emails you your password during account setup or a password reset, change that password right away.

At a minimum:
Don't reuse passwords on important accounts.
Don't leave a copy of your passwords in your mailbox.
There are many memorable ways to build a password. A single word doesn't cut it.
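As an added illustration (not code from the original post), here is a small Python checker that applies the rules above to a candidate password: it flags a short password, a missing character class, a password built around a dictionary word, common name or sports team (even after the usual 0-for-o and @-for-a substitutions), and a password that is already in use on another account. The 12-character minimum, the leet-speak reversal and the tiny word list are this example's own assumptions; the post gives no length and a real checker would load a full dictionary plus name and team lists from disk.

```python
import re
from typing import Dict, List, Optional, Set

# The post gives no length figure; 12 is this example's assumption.
MIN_LENGTH = 12

# Constructed stand-in for a real wordlist (dictionary words, common
# first names, sports teams). A real checker would load a large file.
COMMON_WORDS = {
    "password", "letmein", "welcome", "dragon", "monkey", "football",
    "michael", "jennifer", "yankees", "redskins", "cowboys", "lakers",
}

# Reverse the substitutions people use to "strengthen" a word, so that
# P@ssw0rd is still recognised as "password" (assumed mapping).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def letter_cores(password: str) -> Set[str]:
    """Return the letters-only cores a cracker would try: the plain
    lower-cased word and the same word with leet-speak undone."""
    low = password.lower()
    return {
        re.sub(r"[^a-z]", "", low),
        re.sub(r"[^a-z]", "", low.translate(LEET)),
    }


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit and special are present."""
    checks = (
        str.islower,
        str.isupper,
        str.isdigit,
        lambda c: not c.isalnum() and not c.isspace(),
    )
    return sum(1 for check in checks if any(check(c) for c in password))


def check_password(password: str,
                   other_accounts: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the rules the password breaks; an empty list means it passes.

    other_accounts maps account name -> password already in use there,
    so reuse can be reported by account.
    """
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < 3:
        problems.append("needs letters, numbers and special characters")
    if COMMON_WORDS & letter_cores(password):
        problems.append("built on a dictionary word, common name or sports team")
    reused = sorted(name for name, pw in (other_accounts or {}).items()
                    if pw == password)
    if reused:
        problems.append("reused from: " + ", ".join(reused))
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, including a one-word password of the
    # kind the post describes and a reuse across two accounts.
    existing = {"bank": "correct-Horse7battery$", "gmail": "yankees1"}
    for candidate in ("yankees1", "P@ssw0rd", "correct-Horse7battery$",
                      "M0nkey-Wrench#2009"):
        verdict = check_password(candidate, existing) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The leet reversal is the part worth noting: a cracker's wordlist already contains `P@ssw0rd`-style mangling, so a checker that only tests the raw string would wave it through. The reuse check is the cheap version of the "don't reuse passwords" rule; it only works if you keep a list of what you use where, which is exactly the list that should not live in your mailbox.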

The author is a Mac guy. He ran anti-malware on the computer anyway, so it is unlikely the password was stolen from his computer.

7 Comments

  1. "Don't leave a copy of your passwords in your mailbox." – once somebody owns your email account, it is pretty much game over, because most (all?) sites implement password recovery based on email. And it is much more likely that the attacker has some kind of site brute-forcer (one could build something like this by searching for the email address – the search should return the "profile" pages from sites where the user is a member – and then going to each site and using the reset-password functionality).

  2. Pingback: Roger's Information Security Blog » Blog Archive » Thanks for Nothing Google

  3. Why do you assume that it was a weak password that caused the breach? Doesn't Gmail have a lockout that limits brute-force attempts?

  4. In many corporate environments I've run into users who complain about the need for passwords. After I ask a few questions about the sensitivity of the information they use to do their jobs, they readily admit to the need for passwords to control access to their data! Of course, the next battle is to explain why their passwords have to be strong and changed on a regular basis. I agree that changing your password every 3-6 months is often enough, even in a corporate environment.

  5. I used to store all my passwords in a folder in my mailbox. I recently changed that practice. I have found that a good password practice is to use a system, instead of trying to memorize several random passwords. For example, for my network password at my day job, I change it every 90 days. I go through a cycle of patterns on my keyboard. As long as I can remember the pattern, and where I am at in that pattern for this period, I can get in. This way, my password is totally separate from any of my personal information.
