Hacked Passwords and Password Protection

Hackers and identity thieves are increasingly focused on mobile computing. With so many smartphones and tablets now in use, mobile is increasingly becoming how consumers use the web.

Criminals also like the fact that many mobile devices have little or no security protection – not on the device itself and not on the data that is stored in the cloud.

Mobile data can be stored both places and security experts say both need strong protection. Chris Rancourt, an editor at NextAdvisor.com, says consumers who use an online backup service to store and share their data in the cloud need to be especially careful.

“When you put your information on the cloud, you get this extra level of security with their encryption,” Rancourt said. “Most services now use encryption but some are stronger than others.”

Increasingly popular

Cloud storage and backup services have become increasingly popular. They store data off-site, protecting it from a catastrophic computer crash or other physical damage. They also make it accessible from other computers in other locations.

“Pretty much any information you can upload to the cloud – pictures, documents, videos. And all that information can be encrypted and stored safely inside your cloud or online back-up service,” Rancourt said. “The backup services that we use provide coverage for Apple, Android – pretty much the whole spectrum.”

Rancourt suggests picking a backup service with very robust encryption. One service that falls into that category, he says, is SpiderOak. There is one security feature, in particular, that he likes.

'Zero-knowledge' security

“They have this policy where no one in their company will know your password,” he said. “If you lose your password they can't go in and retrieve it for you. It's really up to you, which makes the security a lot stronger, but at the same time you have to be responsible for your own stuff.”

Absent-minded consumers can run the risk of losing everything if they forget or lose their password. Writing it down in several secure places, however, might be all the insurance policy you need.

Sugarsync is another secure backup service. With Sugarsync, you can safely store important files and then sync them across an unlimited number of computers. If the data is updated on one computer, it's also updated on the rest.

Mozy is a low-cost cloud storage service. The company's backup plans start with one computer per subscription, but it can sync up with other computers that aren't part of the plan.

First line of defense

The best feature of these companies' backup services may be the sophisticated encryption. Rancourt says it provides a great first line of defense.

“For companies like SpyderOak you actually have to have an encryption key in order to decode the information and read it as something legible,” he said. “Most services have something like that as well.”

But hackers are resourceful individuals. Suppose they get access to your cloud and your encrypted information by stealing or finding your lost device. It might look like gibberish at first, but given a few hours, it's just possible some hackers might be able to crack the encryption. That's why you need a second level of defense – remote wipe.

If your device is lost or stolen, remote wipe will still give you access to all your files and documents from another computer but allow you to block access on the missing device. You can even delete files.

“Let's say you keep all your bank information on your cloud,” Rancourt said. “Someone can actually hack in there and steal your identity.”

It should go without saying that you should have robust security features on your hardware as well. Getting a strong mobile security package for your smartphone or tablet will reduce the risks from lost or stolen devices.  

News that over 1,000 accounts at online ticket-seller StubHub have been hacked should serve to remind you of this important online safety rule: don't use the same password across multiple accounts.

The Associated Press first reported on Tuesday that “cyber thieves” managed to fraudulently access more than 1,000 StubHub accounts, and buy themselves tickets in the legitimate accountholders' names.

As hacks go, a mere thousand compromised accounts in a company as large as StubHub sounds like pretty small potatoes. Why was the damage so limited?

According to StubHub spokesman Glenn Lehrman, the thieves never broke into the StubHub customer database. Instead, they got customers' login and password information from other sources, either hacking into different retail databases or even putting keylogging software or other forms of malware on user's computer.

The thieves presumably know how commonplace is it for people to use the same passwords (and sometimes even login names) across multiple accounts, so if thieves have, for example, the password you use for your email, bank account, favorite web-discussion forum or any other password-protected thing you do, they'll also try plugging that password into your other accounts on the off-chance it will work. Where over 1,000 StubHub customers are concerned, it did.

If you get an email from LinkedIn saying you need to reset your password, it's real. The social networking site has reported a data breach in which an undisclosed number of passwords were compromised.

"Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid," Vincente Silveira, a LinkedIn director, wrote on the company's blog. "These members will also receive an email from LinkedIn with instructions on how to reset their passwords."

Silveira stresses there will not be any links contained in the email that informs you that you must reset your password. However, once you follow the initial step request password assistance, then you will receive an email from LinkedIn with a password reset link.

Regardless of whether you receive an email, it would be prudent to immediately change the password on your LinkedIn account.

"It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," Silveira wrote.

A ConsumerAffairs sentiment analysis of about 2.5 million comments posted to social media finds that the news knocking LinkedIn from an overall approval rating of close to 80% to a 24% negative rating.

 While the hack attack wasn't the only negative to emerge in the analysis, it was by far the largest, as shown in this chart:

How it happened

Silveira did not say how the data breach occurred, only that an investigation was underway. Chester Wisniewski, Senior Security Advisor at Sophos Canada, wrote in his blog that it is imperative that LinkedIn also determine whether email addresses, often a user name, were also compromised. LinkedIn has more than 161 million members who use the site to expand their business and professional contacts.

About 6.5 million passwords have been posted online and the company says some of them do appear to be LinkedIn passwords.  Others appear to be passwords for eHarmoney accounts, security experts say. 

EHarmoney said a "small fraction" of its member passwords had been compromised and that it is investigating. Meanwhile, it said affected passwords have been reset.

With each passing year your computer becomes less secure. Hackers become more sophisticated and your PC or mobile device becomes more vulnerable.

In the early days of the Internet consumers used simple, easy to remember passwords. Most us still do. SpashData, a provider of password management applications, issues an annual list of what it considers the worst, most insecure passwords that consumers use.

Newcomers

New entries on this year's list include "welcome," "jesus," "ninja," "mustang," and "password1," while the top three remain the same from last year's list -- the terribly unimaginative "password," "123456" and "12345678."

With Halloween now upon us, SpashData is urging consumers to beef up their password security.

"At this time of year, people enjoy focusing on scary costumes, movies and decorations, but those who have been through it can tell you how terrifying it is to have your identity stolen because of a hacked password,” said Morgan Slain, SplashData CEO. “We're hoping that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites."

The list

According to SplashData, here are the Worst Passwords of 2012:

1. password
2. 123456
3. 12345678
4. abc123
5. qwerty
6. monkey
7. letmein
8. dragon
9. 111111
10. baseball
11. iloveyou
12. trustno1
13. 1234567
14. sunshine
15. master
16. 123123
17. welcome
18. shadow
19. ashley
20. football
21. jesus
22. michael
23. ninja
24. mustang
25. password1

The list was compiled from files containing millions of stolen passwords posted online by hackers. The company advises consumers or businesses using any of the passwords on the list to change them immediately.

“Even though each year hacking tools get more sophisticated, thieves still tend to prefer easy targets,” Slain said. “Just a little bit more effort in choosing better passwords will go a long way toward making you safer online.”

What makes a password strong and secure? Use passwords of eight characters or more with mixed types of characters. One way to create longer, more secure passwords that are easy to remember is to use short words with spaces or other characters separating them. For example, “eat cake at 8!” or “car_park_city?”

You should also avoid using the same username/password combination for multiple websites. Especially risky is using the same password for entertainment sites that you do for online email, social networking, and financial services. Use different passwords for each new website or service you sign up for.

Bad news: if you're reading this, there's a very good chance you need to change your password because a 20-something computer hacker in Russia already knows it.

Of course, you've already read countless variations of that story: “Hackers break into database. If your information was on it, you must protect yourself.”

So when you hear about the hack attack du jour, you immediately want to know the specifics: which one of my passwords am I supposed to change this time? Which company or organization got its database hacked? What was the time frame?

And you expect an answer along these lines: “If you made any credit- or debit-card purchases at an XYZ store, or online at XYZstore.com, between January 13 and February 10, your information is at risk.” That also implies a comforting corollary: “If you've never shopped at XYZ, or at least didn't shop there between those two listed dates, you have nothing to worry about.”

Unfortunately, such information is not available for this latest hacking. Even if it were available, it would be too much to summarize here in a single news article, because it's not just one company or website that's been attacked; it's at least 420,000 different websites ranging from obscure little sites to major household-name companies.

Largest known collection

The New York Times reported yesterday that researchers from Hold Security discovered a Russian cyber-criminal gang had “the largest known collection of stolen Internet credentials, including 1.2 billion [unique] user name and password combinations and more than 500 million email addresses …. [and] confidential material gathered from 420,000 websites, including household names, and small Internet sites.”

Hold Security wouldn't release the names of any affected companies or sites, due to non-disclosure agreements and also a desire to avoid identifying companies whose sites remain vulnerable. Therefore, there's no way for ordinary computer-users like you to know which of your passwords were compromised, if any.

Thus far there's no evidence that the Russian hackers have been using stolen passwords to open false credit card accounts or commit other forms of identity theft; the hackers are primarily using this information to send spam to various social media accounts.

Whether you need to change your passwords or not, this latest hacker discovery serves as another reminder of this important online-security rule: don't use the same password across multiple sites.

Last month, for example, the online ticket-seller StubHub had over 1,000 customer accounts hacked into, yet the hackers never actually managed to breach the StubHub database.

Instead, they hacked into various other databases, or even installed malware on individual computers, in order to steal people's passwords from one account – email, online banking, social media sites, even small online discussion forums – and then test those stolen passwords to see if they'd work in customers' other accounts. And in the case of over 1,000 StubHub customers, it did.

Still: a thousand customers of a ticket-resale site is extremely small potatoes compared to 1.2 billion people. Consider: it's estimated that, as of 2014, there are 2.9 billion Internet users on the entire planet Earth. And of those 2.9 billion Earthling web-surfers, over 40% have their passwords in the hands of a small Russian hacker-ring.

Security experts have long advised that every account should have a unique password. But who can remember all those different passwords – much less remember which accounts they are for?

One option for consumers who want to beef up their online security is to employ a “password manager” software. They all work in different ways but what they have in common is you don't have to remember all those passwords – the program does it for you.

LastPass

One of the most popular of these apps is LastPass, which promotes itself by saying you only have to remember one password – the one to get into the LastPass system. The software integrates with the major browsers – Explorer, Safari, Chrome and Firefox.

Since you are no longer required to remember your passwords, they can be as complicated as you want. Instead of using the name of your dog or youngest child, one of your passwords can look something like this: 8rZ!k4g9”3$.

To test the strength of your password, run the software's “Security Check.” It identifies any weak or duplicate passwords, tells you if any sites were affected by Heartbleed, and gives you an overall “security score” so you can understand how you’re progressing with your password security.

Multifactor authentication provides another layer of security by requiring that you confirm “something you have” – like a Google Authenticator code -- after submitting “something you know” --your LastPass email address and master password. LastPass supports 10 multifactor authentication options, giving you the flexibility to choose one that suits your work flow best.

LastPass is free, with ads, but also offers an ad-free premium version for $12.

1Password

1Password is another password manager that runs on Windows, Mac OS X, iOS and Android. It provides a place for consumers to store their various passwords, licenses for software and other vital information is what amounts to a virtual vault. It requires one master password to get in.

You only have to install 1Password on one device. It can sync to all your other devices using Dropbox. Once you complete the sync process, you'll be able to open the password vault on any device.

Like LastPass, 1Password also offers a password generator. It also provides a way to store a master password hint, in case you forget your master password.

iVault

iVault is a password manager for both mobile and desktop devices. The company says it protects all your private information in a secured online electronic vault.

The online web editor runs only on your browser so no unencrypted data goes through the Internet. It's designed for faster, smoother editing and updating. After a simple restore, your vault is updated directly on your smartphone.

Why do you need a password manager? Because almost all of us are using passwords that just aren't strong enough to stand up to the increasingly sophisticated methods even an average hacker employs. If you need convincing, try one of your passwords – or one similar to one of your real passwords – at the testing site, How Secure Is My Password?

Encryption experts say we all tend to be a bit predictable in the way we construct our passwords. Using a password generator probably won't make you bulletproof, but you'll be a lot more secure than you are now.

That said: if you have a Gmail account and worry the hacking might affect you, you probably have nothing to fear — provided your Gmail account has an exclusive password you don't use anywhere else. On the other hand, if you use the same password across multiple accounts, that's when you need to worry — and remind yourself of the well-known online safety rule “Never use the same password across multiple accounts.”

Here's a summary of the major points known so far: first of all, it appears that Gmail itself was not hacked — the hackers never actually gained access to the Gmail database and information therein.

Discussion forums

Instead, this appears more like the StubHub “hacking” discovered last July: identity thieves gained fraudulent access to over 1,000 StubHub accounts, without ever breaking into the StubHub database. The hackers had broken into and stolen passwords from various other websites, discussion forums and password-protected online places, and discovered that at least some of those stolen passwords worked in the victims' StubHub accounts, too.

It does appear that when hackers successfully steal the password to one of your accounts, they'll try plugging that password into your other accounts on the off-chance it will work. Where over 1,000 StubHub customers last summer were concerned, it did. And it might have worked for upwards of 5 million Gmail accounts, too.

Or maybe not. What actually happened? On Tuesday evening, someone in a Russian Bitcoin forum posted a list of 5 million stolen Gmail-connected passwords. The passwords apparently came not from Gmail itself, but from various registration-required sites where people used a Gmail account to register. The Western media discovered and reported that list late in the afternoon of Wednesday, Sept. 10.

Can't confirm

But there was something strange about those passwords: most of them were useless from an ID thief's perspective, because they were too old and out-of-date.

Mashable.com reported late Wednesday evening that “We can't confirm the authenticity of all the email addresses on the list, but a Mashable employee, Evan Engel, saw that his old Gmail password, which he hasn't used in years, is part of the leak.”

Engel and Mashable weren't the only ones to find outdated information on the list; plenty of people on Twitter did too. For example, Ben Ten @Ben0xA tweeted “That gmail dump looks very old folks. Can confirm a dummy account w/ password that was already changed twice. Dump has original pw.”

Here's how the hack apparently worked. Suppose that, many years ago, your Gmail password was 12345 (which, by the way, is a very weak password choice that you should never use in real life). Then you used that Gmail account to register with – well, any website requiring an email address to register: posting comments on your local newspaper's online stories, joining a discussion forum about your favorite hobby or musician, whatever.

And suppose further that when you used your Gmail address to register with that website, you ignored or did not know the “Never use the same password across multiple accounts” rule, so you used your Gmail address to register with DiscussionForum.com, using the password 12345 for both.

But over the years since then, you've had to change either your Gmail password, your DiscussionForum.com password, or maybe both.

Presumably, the hackers at some point managed to break into the DiscussionForum.com database and stole your name, Gmail address and your old 12345 forum password. They did not actually steal your Gmail password — unless you were foolish enough to use your DiscussionForum.com password as your Gmail password too.

So why did the hackers in that Russian Bitcoin forum bother stealing and posting these antique passwords anyway? Probably to show off and gain status among their fellow hackers. A senior advisor for the online security firm Sophos told Mashable that he doubted many of the posted accounts would still be valid: “There is no honor among thieves as they say, and often stunts like this are released as a sad attempt at gaining credibility among other criminals.”

No one has yet managed to get the goods on every living human but the hackers who made their way into JPMorgan Chase over the summer made a good start. The bank says about 76 million households -- two-thirds of the U.S. total -- could be affected.

The hackers got log-in information, names, emails and addresses but supposedly did not get such vital information as Social Security numbers, passwords and account numbers. 

The breach was first disclosed in August but the scope is just becoming clear as federal law enforcements agencies continue to investigate.

Chase says it hasn't seen an unusual amount of fraud and insists that customers' money is safe. In a statement, it noted that customers will not be liable for unauthorized transactions as long as they notify the bank when they're discovered. It's not necessary to change passwords, the bank said.

They're sorry

"We are very sorry that this happened and for any uncertainty this may cause you," the bank said in a statement to customers. "As always, we recommend you use care with your accounts and information," advice critics might say Chase should heed more rigorously.

The biggest threat now is phishing attacks in which criminals may try to get Chase customers to turn over the information that wasn't stolen so it can be combined with the information that was -- especially passwords and account numbers.

JPMorgan has about 65 million customers but potential damage is not limited to the bank's customers. Non-customers who used ATM machines or conducted other transactions through Chase.com and JPMorgan.com could also be affected.

With mid-term elections looking, Congress is likely to react to the incursion. Sen. Ed Markey (D-Mass.) was among the first to issue a thundering denunciation.

“The data breach at JPMorgan Chase is yet another example of how Americans’ most sensitive personal information is in danger,” Markey said, calling for legislation that would protect against such attacks, which are already illegal under numerous federal, state and local laws.

The good news is that, despite initial reports claiming otherwise, Dropbox was not hacked.

The bad news is that apparently, up to 7 million individual Dropbox customers were. Why? Because those 7 million Dropbox users ignored (or simply didn't know) the important online safety rule “Never use the same password across multiple accounts.”

Yesterday, Anton Mityagin writing on the official Dropbox Blog announced that:

Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox.

StubHub redux

It's basically a much larger-scale version of the StubHub non-hacking from last July: over a thousand StubHub accounts were compromised and used to fraudulently buy tickets, though StubHub's own database was never breached. The hackers had broken into and stolen passwords from various other websites, discussion forums and password-protected online places, and discovered that at least some of those stolen passwords worked in the victims' StubHub accounts, too.

It does appear that when hackers successfully steal the password to one of your accounts, they'll try plugging that password into your other accounts on the off-chance it will work. Where over 1,000 StubHub customers last summer were concerned, it did. And it may have worked for up to 7 million Dropbox customers as well.

Something similar happened with Gmail last month: initial reports said that Russian hackers had stolen 5 million Gmail passwords, though it turned out that the passwords were stolen not from Gmail itself, but from various registration-required sites where people used a Gmail account to register.

So the Dropbox “hacking” appears similar to that earlier “hackings” of Gmail and StubHub: the only Dropbox users who need worry about it are those who still follow the dangerous habit of using the same password across multiple online accounts.

If you have two or more online accounts with the same password, even if none of those accounts are with Dropbox, you need to change the password for every such account you have.

If you use the LastPass password manager to store your online passwords, be warned: yesterday, in a “Security Notice” posted on the LastPass corporate blog, company CEO Joe Siegrist admitted that hackers managed to breach security, compromising the email addresses and certain security features attached to customers' accounts.

Siegrist said that the actual passwords stored in the LastPass database were not accessed by the hackers, but customers should change their LastPass master password just in case.

We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised. … we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.

LastPass went on to say it will be sending emails to all of its users about the incident.

Anytime such a mass security breach is announced, you can safely bet that scammers will try taking advantage of it, so be warned: if you do receive an email, apparently from LastPass, urging you to change your master password or anything else involving your LastPass account, do not click on any links, or open or download any file attachments, in that email. (This anti-malware rule applies not only to LastPass, but also pretty much any email from any business or organization you can think of: never click a link or download a file in an unsolicited message.)

Instead, when you change your LastPass master password, go directly to the LastPass website, and log in. On the left side of the page, you should see a sidebar offering various menu options. Choose “Account Settings,” then “Login Credentials,” and finally “Change Master Password.”

You should get a Password Reset form, where you'll have to type your current master password. Then type in your new password, and type it again for confirmation. You'll also be asked to type a password reminder, in case you forget your new one.

Siegrist's security notice ended by asking and answering the frequently asked question:

Do I need to change my master password right now? LastPass user accounts are locked down. You can only access your account from a trusted IP address or device – otherwise, verification is requested. We are confident that you are safe on your LastPass account regardless. If you’ve used a weak, dictionary-based master password (eg: robert1, mustang, 123456799, password1!), or if you used your master password as the password for other websites you need to update it.

Again, that bit of advice applies not just to LastPass, but any important password-protected account: never use the same password across multiple accounts, to minimize the damage a hacker can do after stealing the password to one.

How vulnerable is your computer to hackers? The first line of defense is your password, but surveys consistently show that consumers are making it easy for hackers.

For starters, they tend to show a lack of imagination when choosing a password. For example, ABC123 is one of the more common passwords in use.

Computer users also tend to use the same password for all their accounts. Once a hacker figures out the password to one account, they usually can find their way into the rest of your accounts.

Security experts say the best passwords are comprised of a random series of letters and numbers, something almost impossible for a hacker to crack. Sometime like YBN6FZ, for example.

But how in the world would you remember such a combination? You wouldn't, of course, unless the combination makes sense on some level, unknown to anyone else.

In this video, Graham Cluley, senior technology consultant at Sophos Security Software, explains how it can be done.