The Internet is abuzz with the recent breaches of some high-profile websites and the subsequent leak of user passwords. LinkedIn, Last.fm and the dating site eHarmony have all confirmed security breaches and the leak of user account data. Since the breach, the companies and services have already taken steps to strengthen the security of their user databases. The websites have learnt their lesson the hard way. We as users also have many things to learn from these incidents.
I’ve always put emphasis on using a strong password. But with the recent breaches, it’s now clear that password strength alone doesn’t protect it from being stolen. Yes, password strength can help to some degree if someone is trying to break into “your account only.”
What if a hacker manages to get his hands on the user database of a service? Well, then your account is only secure if the service follows good security practices to protect the passwords: not only hashing them, but also protecting the password hashes with a “salt,” a random value mixed into each password before it is hashed.
If a salt is used, the same password, such as “pass1234”, will have a different hash for each user. After the leak of LinkedIn’s user passwords, it was found that they didn’t apply a salt to their hashes. Neither did eHarmony, and they apparently used an even weaker hashing algorithm.
You may now ask yourself what the cyber-crooks will do with this large number of passwords, since almost all of them may have been changed by their owners by now. For hackers, one of the most likely uses of this huge database is to update their “rainbow tables”. Rainbow tables are vast databases of pre-calculated hashes and the passwords from which they were calculated. Rainbow tables serve as a key for cracking hashed passwords.
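The two ideas above, a pre-computed hash-to-password table and a per-user salt, are easiest to see side by side. The following is an added example written for this article, not code from any of the sites mentioned: it builds a tiny lookup table from a constructed wordlist, shows that an unsalted digest is reversed by a single lookup, and then shows that a random per-user salt combined with a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python’s standard library) gives two users with the same password different stored hashes. SHA-1 as the unsalted algorithm and the iteration count are assumptions for illustration; the article does not name either.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the leaked-password corpus the article
# describes; a real rainbow table holds billions of entries.
COMMON_PASSWORDS = ["123456", "password", "pass1234", "linkedin", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """Unsalted hash: every user who picked this password gets the same digest.
    SHA-1 is assumed here for illustration; the article does not name the algorithm."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Pre-compute digest -> password once; this is the idea behind a rainbow table
    (a real one compresses the table with hash chains, which is omitted here)."""
    return {unsalted_sha1(p): p for p in wordlist}


def crack_unsalted(digest: str, table: dict):
    """Reverse an unsalted digest with one dictionary lookup; None if not in the table."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Per-user random salt plus a deliberately slow key-derivation function.
    The iteration count is an assumed value, not one taken from the article."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """What a site should store: the random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, record["salt"]), record["hash"])


def roundtrip(stored: str, attempt: str) -> bool:
    """Create a record for `stored` and check whether `attempt` verifies against it."""
    return verify(attempt, make_record(stored))


def same_password_same_hash(unsalted: bool) -> bool:
    """Do two users who chose the same password end up with identical stored hashes?"""
    if unsalted:
        return unsalted_sha1("pass1234") == unsalted_sha1("pass1234")
    return make_record("pass1234")["hash"] == make_record("pass1234")["hash"]


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = unsalted_sha1("pass1234")  # one line of a constructed unsalted dump
    print("unsalted digest", leaked, "->", crack_unsalted(leaked, table))
    print("same hash for two users (unsalted):", same_password_same_hash(True))
    print("same hash for two users (salted):  ", same_password_same_hash(False))
    print("verify correct:", roundtrip("pass1234", "pass1234"),
          "verify wrong:", roundtrip("pass1234", "pass1235"))
```

The salt does not need to be secret; its job is to make every stored hash unique, so a table computed once cannot be reused across users or across sites. The slow derivation function is what makes guessing each salted hash individually expensive.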
Another use of this leaked user database is to run automated software that tries each email and password combination on other websites, to see whether it can get into people’s financial or social media accounts. That’s an important point to remember if you use the same password for different accounts.
That’s exactly what I want to emphasize to you all through this article. We can’t control how websites protect our accounts in their databases, but we can reduce the aftermath of a large-scale security breach.
Use a very strong password
Yes, I know I told you earlier that it will not help if the website is hacked. But it does protect you from attacks aimed at your lone account. If you don’t use a strong password, your account may get compromised.
Never use the same password for different accounts
If you have the bad habit of using the same password for your different website accounts, you’re in grave danger. I’ve already discussed how hackers will use the hacked database to try to log into different websites. They will most probably target your social accounts, email accounts and financial accounts. So, if you have this bad habit, change it. Use unique passwords for different accounts.
I know you’ll argue: how then are you supposed to remember all these different passwords? Well, the answer is simple: use a good password manager like 1Password, LastPass, KeePass or Dashlane. These password managers make your life simple while keeping your account details safe. They also come with strong password generators, which you can use to generate a unique password for each account and save it automatically in the manager.
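To show what “unique password per account” and “strong password generator” mean in practice, here is an added example (my own code, not taken from any of the password managers named above). It draws every character from the operating system’s cryptographic random source via Python’s `secrets` module, enforces an assumed policy of four character classes, estimates the guessing difficulty in bits, and fills a small vault with an independent password per site. The site names are those mentioned in the article; the 20-character default and the character-class policy are assumptions.

```python
import math
import secrets
import string

# Character classes a generated password must draw from (an assumed policy,
# not one taken from any particular password manager).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())  # 94 printable ASCII characters


def generate_password(length: int = 20) -> str:
    """Draw each character from the OS CSPRNG via `secrets`; reject candidates that
    miss a class, which keeps the result uniform over policy-compliant passwords."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES.values()):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing difficulty of a uniformly random password of this shape, in bits."""
    return length * math.log2(alphabet_size)


def passwords_for_accounts(accounts, length: int = 20) -> dict:
    """One independent random password per account, so that a breach of one site
    leaks nothing that works on the others."""
    return {account: generate_password(length) for account in accounts}


def all_unique(vault: dict) -> bool:
    """True when no two accounts in the vault share a password."""
    return len(set(vault.values())) == len(vault)


if __name__ == "__main__":
    vault = passwords_for_accounts(["linkedin.com", "last.fm", "eharmony.com"])
    for site, pw in vault.items():
        print(site, pw)
    print("all unique:", all_unique(vault))
    print("entropy per password: %.1f bits" % entropy_bits(20))
```

A 20-character password over 94 symbols carries roughly 131 bits, far beyond anything a leaked hash table could cover, which is why a manager-generated password does not need to be memorable: the manager remembers it, and only the master password has to be strong and memorable.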
Be a little less truthful while answering security questions
One of the weak points of your account security is the answer you’ve set for your security question. Most websites, when resetting your account password, ask you to answer this security question to process your request. Many individual accounts are hacked through this weak point. With the advent of social networking, it’s now easy to gather information about your personal and professional life. A cyber-crook can use this information to build a profile and guess the answer to the security question. They can then fool the website and hijack your account.
So, be a little less truthful while answering the security questions. For example, you can name your second car instead of your first.
Look before you click on that official-looking account reset email
And be extra cautious of strange e-mails, particularly emails with attachments and external links. These emails usually look like an official email and send you to an official-looking website with instructions on how to reset your account. Remember, the correct way to reset your password is to go directly to the LinkedIn, Last.fm or eHarmony site.
Fake “phishing” messages will likely be on the rise after these security breaches. Don’t be fooled by these phishing emails.
What should you do, if your favorite website gets hacked?
If your favorite website gets hacked and you’re a member, the first thing you should do is reset your password for that website. If possible, also change the email address associated with your account. Monitor your email and the website’s official blog, Twitter or Facebook account for updates on the situation.
What are your thoughts about the recent events? Which steps do you follow to protect your online accounts? Share with us your tips and thoughts below, using the comment form.
Image Source: XKCD