Kevin Skapinetz is Program Director for Product and Security Strategy at IBM.
For anyone using the Web today -- for everything from banking to social networks -- your email address is a crucial part of your online identity. Your inbox is much more than a treasure trove of personal emails, photos, and information you wouldn't want shared with the world; it is a gateway into your online identity. When you sign up for a site or service online, your email address is one critical piece of data, and your password is the other. If a cyber criminal gets hold of both pieces, they can wreak havoc on an unsuspecting user.
So how does your password suddenly become public, posted on the Internet for the world to see? It has become a sport for attackers to steal as many user names and passwords from a Website as they can and post them publicly. In the past six months alone, millions of email addresses and passwords have made their way onto public sites.
Many Web users don't realize this danger and fail to take simple steps to protect themselves. Furthermore, Webmail and other online portals use dated techniques for storing passwords and allowing recovery, making them easy targets for attackers.
Why does this matter?
According to the 2012 IBM X-Force® Mid-Year Trend and Risk Report, data from recent breaches has shown that a high number of users on the Internet reuse passwords across multiple websites. Thus, when a random Website is compromised, the attackers often dump a list of all of the email addresses and passwords they can find. This is bad enough when the email address ends in Gmail.com, yahoo.com, or hotmail.com. What happens when that email address belongs to a .gov domain, or your own business?
How comfortable are you knowing that if an end user's email and password were leaked, there is a real possibility that it is the same password they use for corporate resources? You likely reuse passwords across corporate and personal resources, too. Having multiple passwords is an advisable approach, but it can still cause grief if a password is not sufficiently complex or if it is stored insecurely.
What happens next?
Once your email address and password are posted publicly, they are exposed to any determined individual who could use this information to try to log into your email account. Once someone finds a password that works, what they can do next depends on what is linked to that account. It may be as simple as reading your private emails and looking through photos, or using your account to spam others. On the costlier side, they can end up gaining control of your online banking, shopping accounts, or credit cards. They can learn where you live, who you bank with, and what you buy online, which is enough information for someone to commit identity fraud.
Forgot your password? Click here to reset
Most user-based Websites have some kind of password recovery mechanism. Often it's an emailed link to change your password. If an attacker has access to your email account already, this is a huge security risk. Think about all of the services associated with that email address: eCommerce, financial services and social networks.
Once a malicious person has access to your account, they can cost you real money. Most of us have our credit card details on file with, for example, an eCommerce site, making it simple to purchase items. With some online services, an attacker could set up an additional bank account to transfer funds to. Sure, the service may email you a warning that says someone has added a new account, but what good is this alert if your email account is already compromised and someone can simply delete that email?
So, what makes for a secure password?
Statistically, a 10-character password -- regardless of the number of special characters included -- is not as secure as a 30-character password composed of random words.
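The comparison above can be made concrete by computing the entropy (in bits) of each scheme. The following is an added example, not code from the original article or from IBM; it assumes a 95-symbol printable ASCII alphabet for character passwords and a 7776-word diceware-style list for passphrases (both assumed figures), and that about six such words fit in 30 characters. The tiny word list embedded below is constructed so the generator runs offline.

```python
import math
import secrets

# Assumed alphabet sizes; neither figure comes from the article.
PRINTABLE_ASCII = 95     # letters, digits and the symbols on a US keyboard
DICEWARE_LIST = 7776     # size of a standard diceware word list (6**5 entries)

# A constructed, deliberately tiny word list so the generator runs offline.
# A real passphrase must draw from a list thousands of words long.
SAMPLE_WORDS = ["anchor", "basket", "cinder", "dolphin",
                "ember", "falcon", "garnet", "harbor"]


def char_password_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of a password whose characters are drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, dictionary_size=DICEWARE_LIST):
    """Entropy of a passphrase whose words are drawn uniformly from a dictionary.
    Only the dictionary size and word count matter, not the characters in the words."""
    return word_count * math.log2(dictionary_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Time for an attacker to try every possibility at a given guessing rate."""
    return 2.0 ** bits / guesses_per_second


def generate_passphrase(word_list, count, separator=" "):
    """Pick words with a cryptographically secure RNG; entropy is
    passphrase_bits(count, len(word_list)) bits."""
    return separator.join(secrets.choice(word_list) for _ in range(count))


def compare_schemes(char_length=10, word_count=6, rate=1e10):
    """Return the entropy of both schemes and which one is stronger."""
    chars = char_password_bits(char_length)
    words = passphrase_bits(word_count)
    return {
        "random_chars_bits": round(chars, 1),
        "random_words_bits": round(words, 1),
        "stronger": "words" if words > chars else "chars",
        "chars_exhaust_years": seconds_to_exhaust(chars, rate) / 31_557_600,
        "words_exhaust_years": seconds_to_exhaust(words, rate) / 31_557_600,
    }


if __name__ == "__main__":
    result = compare_schemes()
    print(f"10 random printable characters: {result['random_chars_bits']} bits")
    print(f"6 random diceware words:        {result['random_words_bits']} bits")
    print(f"Stronger scheme: {result['stronger']}")
    # Demonstration only: 8 words give 3 bits per word, far too little.
    demo = generate_passphrase(SAMPLE_WORDS, 4)
    print(f"Sample phrase '{demo}' carries only "
          f"{passphrase_bits(4, len(SAMPLE_WORDS)):.0f} bits")
```

The figures apply only to words chosen at random from the list. A phrase lifted from a song or a book is a single draw from a much smaller space (phrases people know), so its entropy is well below what the word count alone suggests, even though it may still be far better than a short password.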
As such, individuals should:
- Have multiple passwords for different sites, especially for personal accounts and enterprise systems.
- Use a passphrase (i.e., a combination of words or an entire sentence), which is also much easier to remember than a random mix of letters, numbers and symbols.
- For example, take the lyrics of "One Eyed One Horned Flying Purple People Eater"; shorten it by changing "one" to "1"; replace "purplepeopleeater" with "PPE"; and add a "!" at the end for added effect (and security). The final result, "1eyed1hornedflyingPPE!", is 22 characters and involves mixed uppercase and lowercase letters, numbers, and symbols.
- Use a password management tool to help remember passwords. While a variety of these are available, be sure that the tool supports a strong form of encryption and that your master password is a long passphrase.
- Answer security questions with false information. Consider the fact that any hacker could figure out the real answer to most security questions, such as your high school mascot or the city you were born in.
- Find an email provider that offers some form of two-factor authentication, such as sending an SMS code to your phone or a smartphone app that generates a six-digit code required to log in.
By following these simple steps to strengthen your password, you can help prevent your online identity from being compromised and avoid being one of the millions that fall victim to identity theft.