Tuesday, December 14, 2010

Take care of your passwords


It is actually good, in a way, to hear about the latest breach of the Gawker.com database and the release of millions of users' details, passwords included. It is always good to remind everyone to change their passwords, especially easy ones. Here I'll explain why it's not a good idea to have easy passwords and give you some tips to help you create strong ones.

To begin with, I'll explain how a server stores user passwords in a database. Let's say a user goes to hotmail.com and creates a new email account with the password "password". The server will most likely encrypt the password and store the result in a database. Let's say the encrypted password is "£K%Ggh"; this strange word is what gets stored next to his email address. The next time he wants to check his email, he enters his username and password, the server encrypts the password again and compares the encrypted word with the one stored in the database. If they match, the server allows him access to his email.
Let's say the same user creates a commenting account on Gawker.com and uses the same email and password. Gawker will use another encryption scheme to generate its own encrypted word and store it in its own database. Let's say Gawker's word is "G?juu&".
Now if a hacker gets access to Gawker's database and encryption scheme, he can run easy passwords like "password", "qwerty" and "123456" through that scheme, see the encrypted word for each of them, and then search the database for every user who has that word stored as a password and collect their associated emails. He then tries the same password on their email accounts (hotmail in our example), and most likely he will gain access to the user's email. The same thing can happen to Twitter and Facebook accounts as well.

That's what happened today. And to add insult to injury, the Gawker hackers released the whole database on the Internet, allowing everyone access to it.

In this particular case, a user whose password is hard to guess is better protected. If the password had been "pa$$word" or "Passw0rD" it would have been a lot harder to guess. I'll give recommendations for better passwords later.

So, what can you do to protect your online accounts, and what lessons have we learned from today's event?

First, change all your passwords immediately, even if you are not registered on Gawker or its sister websites. Second, don't use the same password for different accounts. Third, use special characters in your passwords (other than letters and numbers). Fourth, use an app on your mobile phone to store your passwords in case you forget them.

Finally, how to choose a good password:
- Add a mix of these symbols: ¥$€><~|\_.,?!'&£/-@
- Mix upper and lower case letters with numbers
- Replace letters with similar symbols: "password" can be "P@$$w0Rd"
- Intentionally misspell words
- Use a mix of birthdays, occasions, acronyms, site names and symbols: "20!12!1978", "&face~book&"

Just be creative with your password to prevent anyone from gaining access to your personal information. And good luck out there.