Taking Password Security Seriously


The Situation

It’s been a bad year for passwords. LinkedIn, eHarmony, Home Depot, Last.fm, Yahoo (the list goes on and on) have all been hacked to one degree or another, and the password hashes of many tens of millions of users have been uploaded to various hacking forums for all to see.

In a perfect world this wouldn’t be too much of a concern, as password hashes are supposed to be very, very tough to crack. The latest password hashing algorithms are designed so that cracking a given password hash would require legions of computers toiling away for months, years, or even centuries. Unfortunately, not all password hashing algorithms are created equal. Many of the older algorithms have inherent weaknesses that have been exploited by clever hackers or simply overcome by sheer computational brute force.

What We’ve Done

Here at SocketLabs we take email password security very seriously. To that end, we’ve ensured that our systems use the best hashing algorithms currently available. Our systems have also been designed to enable us to quickly upgrade to newer/better hashing algorithms as they become available. As with anything security related, vigilance is mandatory, which is why we continually monitor all activity on our systems to ensure any suspicious activity is immediately identified and dealt with appropriately.
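The paragraph above describes two properties a password store needs: a deliberately slow hash, and a way to move users to a stronger scheme later without a painful migration. The following added example (written for this post, not SocketLabs' own code; the algorithm name, iteration count and the `algo$iterations$salt$digest` storage format are assumed for illustration) shows the usual way to get both. Each stored hash records the parameters it was made with, so the verifier can always check it, and a login that succeeds against an out-of-date hash transparently re-hashes the password under the current policy.

```python
import base64
import hashlib
import hmac
import os
from typing import Tuple

# Hashing policy in force right now. Raising the work factor, or changing the
# algorithm name, is all that is needed to move new and existing users to a
# stronger scheme; old hashes are upgraded the next time their owner logs in.
# (Assumed values for this example, not SocketLabs' actual settings.)
CURRENT_ALGO = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32

# Algorithms this code can still verify. Anything not listed is rejected
# rather than silently accepted.
SUPPORTED_ALGOS = {"pbkdf2_sha256": "sha256", "pbkdf2_sha512": "sha512"}


def hash_password(password: str, algo: str = CURRENT_ALGO,
                  iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing hash string: algo$iterations$salt$digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(SUPPORTED_ALGOS[algo], password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return "$".join([algo, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters recorded in `stored`; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        hash_name = SUPPORTED_ALGOS[algo]
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, KeyError):
        # Malformed record or unsupported algorithm: fail closed.
        return False
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when the stored hash was made under a weaker policy than today's."""
    algo, iterations = stored.split("$")[:2]
    return algo != CURRENT_ALGO or int(iterations) < CURRENT_ITERATIONS


def login(password: str, stored: str) -> Tuple[bool, str]:
    """Check the password; on success, return the hash the database should now hold.

    The plaintext is only available at login, so that is the moment to re-hash
    under the current policy. The caller persists the returned string whenever
    it differs from `stored`.
    """
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, stored


if __name__ == "__main__":
    # Constructed demo: a hash made under an older, cheaper policy.
    legacy = hash_password("correct horse battery staple", iterations=10_000)
    ok, upgraded = login("correct horse battery staple", legacy)
    print("login ok:", ok, "| hash upgraded:", upgraded != legacy)
    print("wrong password accepted:", login("wrong", legacy)[0])
```

Two details carry the security value: `hmac.compare_digest` avoids leaking where a comparison diverges, and `verify_password` refuses any algorithm it does not know instead of guessing, so a typo in a migration can only lock users out, never downgrade them.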

What You Can Do (And Should Do)

Using good password hashing algorithms only protects insofar as it makes it very difficult for a hacker to use an automated system to recover your original password by guessing. The best hashing algorithms on earth can’t protect you, however, if you happen to use an easy-to-guess password. Using “password”, “123456”, “abc123”, etc. is like begging someone to come and access your account. With that in mind, the following simple tips can help you create a secure email password and dramatically increase the security of your online accounts.

  • Don’t use biographical details to build a password. Using the name of your hometown, your spouse’s name, your birthday, etc. for your password is akin to writing the combination to your safe on the front door of your house. It might be a very convenient way to remember it, but it also makes it very easy for others to figure out. Biographical details are some of the easiest pieces of information to discover in this day and age of ubiquitous internet access.
  • Use unique passwords. All the latest password hashing algorithms in the world are useless if you use the same password for everything. In that situation, all it takes is one site with an exploitable security weakness to get hacked and the hackers effectively have access to ALL your online accounts.
  • Use longer and more uncommon passwords that include numbers, special characters, and upper and lower case letters. The longer and more uncommon the password, the harder it is to crack using brute force methods. Passwords become exponentially harder to crack the longer they are. Consider using a sentence with uncommon spellings for all of the words.
  • Change your passwords often, at least 3 or 4 times a year (though every 30 days is better).
  • Consider using a password manager like LastPass, KeePass, or 1Password. This enables you to have unique, difficult-to-guess passwords for all your online accounts while making remembering them infinitely easier. Having to remember your passwords is one of the primary reasons people make the mistake of choosing easy-to-guess passwords or using the same password for multiple sites. Most of the better password managers can also generate long random passwords for you, making your information even more secure.
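The paragraph introducing these tips says hashing cannot save a guessable password, and the third tip says passwords get exponentially harder to brute-force as they get longer. The following added example (not part of the original post) puts numbers on both claims: it denylists the exact passwords named above, computes the brute-force search space from length and character classes, and estimates how long that search takes against a fast hash versus a slow one. The denylist, the two guess rates and the verdict thresholds are constructed assumptions for illustration, not measured figures.

```python
import math
import string

# Constructed denylist: the guessable passwords named in the post plus a few
# relatives. A real deployment would check a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "abc123", "qwerty", "letmein", "welcome"}

# Character classes and their sizes; a password's alphabet is the union of
# the classes it actually uses. Space gets its own one-symbol class so that
# sentence-style passwords are counted correctly.
CHARACTER_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
    ({" "}, 1),
)

# Assumed guess rates, not measurements: a GPU rig against a fast unsalted
# hash versus a deliberately slow password hash like the one described above.
FAST_HASH_GUESSES_PER_SEC = 1e10
SLOW_HASH_GUESSES_PER_SEC = 1e4

# Assumed thresholds on search-space bits for the verdict.
WEAK_BITS, STRONG_BITS = 40, 70


def alphabet_size(password: str) -> int:
    used = set(password)
    return sum(size for chars, size in CHARACTER_CLASSES if used & chars)


def search_space_bits(password: str) -> float:
    """log2 of the number of candidates an exhaustive search must cover."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def expected_crack_seconds(password: str, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the space is searched."""
    return 2 ** (search_space_bits(password) - 1) / guesses_per_second


def human_duration(seconds: float) -> str:
    units = (("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def assess(password: str) -> dict:
    """Summarise a password in the terms the tips above use."""
    if password.lower() in COMMON_PASSWORDS:
        # No amount of hashing helps: this is among the first guesses tried.
        return {"verdict": "denylisted", "bits": 0.0,
                "fast_hash": "instant", "slow_hash": "instant"}
    bits = search_space_bits(password)
    if bits < WEAK_BITS:
        verdict = "weak"
    elif bits < STRONG_BITS:
        verdict = "fair"
    else:
        verdict = "strong"
    return {
        "verdict": verdict,
        "bits": round(bits, 1),
        "fast_hash": human_duration(expected_crack_seconds(password, FAST_HASH_GUESSES_PER_SEC)),
        "slow_hash": human_duration(expected_crack_seconds(password, SLOW_HASH_GUESSES_PER_SEC)),
    }


if __name__ == "__main__":
    # Constructed sample inputs covering each tip.
    for pw in ("password", "abc123", "abcdefgh", "abcdefghabcdefgh",
               "Tr0ub4dor&3", "My Kat Eets Toona At Nite!"):
        print(f"{pw!r:32} {assess(pw)}")
```

The bits figure is an upper bound for pure brute force; it treats every character as independent, so real dictionary words and common phrases fall far faster than it suggests. That is why the denylist check runs first and why the length term, which multiplies the bits, matters more than any single extra symbol. Doubling a lowercase password from 8 to 16 characters raises the expected search time by a factor of 26^8, from seconds to tens of thousands of years at the fast-hash rate, and the slow hash multiplies every figure by a further million.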

Conclusion

Robust and successful email password security requires both us and you to each do our part. We must all be diligent in our vigilance and awareness, avoiding apathy. Together, we are the two sides of the equation, a partnership for security. It is that partnership that brings about successful password security.