In security news last week, it was reported that Twitter (and other sites like ABC News) were the victims of hackers. Twitter announced that 250 thousand of its users' accounts may have been compromised, and the hacks are thought to have originated in China (Wow, Surprise, Feigns Dramatic, Over the Top, and Shocked Look).
What does China's attack on Twitter mean to you?
Nothing really, unless you are one of the ones that was hacked. There is nothing that you can do about it. Twitter has reset the passwords of the affected users, sent “oh shit” emails, and the world has gone back to burying its head in the sand until the next security breach happens.
This does not mean that you cannot at least be a little proactive.
Facts are facts. Although there is nothing that you can do about a truly sophisticated hack, you can at least make the game as difficult as possible for your adversary.
Let’s look at passwords:
According to “HowSecureisMyPassword.net”, here are some average times it would take a household PC to crack the following passwords (notice the building changes as we go along):
Password – juju
- Would be cracked instantly
Password – jujubeans (added beans)
- Would be cracked in 22 minutes
Password – Jujubeans (added a capital letter)
- Would be cracked in 8 days
Password – Jujubeans2013 (added numbers)
- Would be cracked in a MILLION years (I am guessing shorter)
Password – Jujubeans2013! (added a symbol)
- Would be cracked in a BILLION years
Now, this is just the average PC doing the password hunting here. I am sure that if you put a bank of computers running sophisticated software, with nothing else to do but hunt YOU, they would probably get the job done in a lot less time… But they won't, because software is not stupid: it has a job to do, and part of that job is giving up after a given span of time, because there are plenty of morons out there with the password “password”.
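To make the step-by-step jumps above concrete, here is a back-of-the-envelope calculator, added here and not the article's or HowSecureIsMyPassword.net's code, that sizes the alphabet each new character class adds and divides the resulting keyspace by an assumed guess rate for a single PC and for a hundred-PC rig; both rates are assumptions, not the site's figures.

```python
import math
import string

# Guess rates are assumptions for illustration; they are not figures from the
# article or from HowSecureIsMyPassword.net.
HOUSEHOLD_PC_GUESSES_PER_SEC = 4_000_000_000          # one desktop, fast hash
CRACKING_RIG_GUESSES_PER_SEC = 100 * HOUSEHOLD_PC_GUESSES_PER_SEC

def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search: the sum of every character
    class the password actually uses. Each class the article adds (capital,
    digits, symbol) enlarges this alphabet, which drives the jumps above."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size

def keyspace(password: str) -> int:
    """Candidates an exhaustive search over that alphabet and length covers."""
    return charset_size(password) ** len(password)

def seconds_to_crack(password: str, guesses_per_sec: int) -> float:
    """Worst-case time to exhaust the keyspace at the given guess rate."""
    return keyspace(password) / guesses_per_sec

def human_time(seconds: float) -> str:
    """Coarse units so the step-to-step comparison stays readable."""
    for unit, span in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds * 1000:.3f} ms"

if __name__ == "__main__":
    for pw in ("juju", "jujubeans", "Jujubeans", "Jujubeans2013", "Jujubeans2013!"):
        pc = seconds_to_crack(pw, HOUSEHOLD_PC_GUESSES_PER_SEC)
        rig = seconds_to_crack(pw, CRACKING_RIG_GUESSES_PER_SEC)
        print(f"{pw:15} alphabet={charset_size(pw):3} keyspace~2^{math.log2(keyspace(pw)):.0f}"
              f"  one PC: {human_time(pc):>24}  rig: {human_time(rig)}")
```

These are ceilings for exhaustive search; guessing that starts from dictionary words and common suffixes reaches something like Jujubeans2013 far sooner, which is why a bigger alphabet raises the floor but is no guarantee.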
That is who most hackers are hunting. They are hunting easy targets.
If they REALLY want to get you… make the bastards work for it and use a combination of capital and lower case letters, symbols, and numbers.
So, how can you handle this and create a password that you will remember?
That is actually the easy part. If you want to go it alone, create a system.
- Take our Billion years to crack “Jujubeans2013!”.
- Take the first two letters of the website you are logging into and add them to the end.
- This creates a unique password for every site and adds to the “time to crack”.
Here is Facebook for example:
- Jujubeans2013fa
This freaking thing would take the average desktop PC 12 TRILLION years to bust. Even if you had an amazing computer that could do it in a million years… who gives a crap? That is a million years from now, and after 100 years, will you really care anyway? I doubt it, because your heirs will be dealing with the mess.
The above system is great until someone figures it out but there are other ways.
Password Managers – A Better Way
There are a million and one password managers out there (I use Roboform) that will do the remembering for you. I have one master password that opens Roboform, and then it does all of the website logging in for me, allowing truly awesome passwords like #$ J:KJHGDHFIV opjfjijvijbnigoiergaeijgaij39398593-85q1, which will never ever, ever, ever, be cracked (I hope).
Some password managers include:
I guess my word of warning is this. I really do not care if you are an idiot and get all of your online accounts hacked. I do care when it affects me, my events, my clients, my colleagues, my friends, my attendees, and you WILL affect us if you are stupid.
By allowing your sorry ass to get hacked, you have now given a hacker or their program access to more of a website than they had on the outside looking in. Now they are in and can start to probe for weaknesses which might let them all the way in and now they not only have your information, they are a step closer to having our information.
And you caused it… Thanks for being lazy, Sparky.
Just a note for Event and Conference Website Operators
There are plenty of ways for hackers to exploit websites on the back end, through plug-ins, and more. We can at least stop attendees and staff from making the job easy.
- STOP ALLOWING THE CREATION OF STUPID PASSWORDS BY ATTENDEES AND STAFF
You have the power. You can make them create passwords that contain the items that you want. Stop allowing passwords like “fido” or “johnsmith”.
I just did a new install today and the system makes the user use 10 characters, capital and lower case letters, a symbol, and one number… Oh, and it also makes them change it once every 60 days… and just to be safe, if I even get the slightest bit wiggy that something is going on… I can hit the panic button and force everyone to change their password at a moment's notice.
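The install policy just described, as an added example (not the install's own code) that checks a candidate password against each rule, including a constructed denylist of the passwords this post mocks, and decides whether a user is due for a forced change; the ISO date strings stand in for whatever the site actually stores.

```python
import string
from datetime import date, timedelta
from typing import List, Optional

# Policy values taken from the article's install: 10 characters, capital and
# lower case letters, one number, one symbol, a change every 60 days.
MIN_LENGTH = 10
ROTATION_DAYS = 60
# Constructed denylist built from the passwords the article calls out.
DENYLIST = {"fido", "johnsmith", "password", "admin", "admin123", "test"}

def policy_violations(password: str) -> List[str]:
    """Every rule the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("no lower case letter")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no capital letter")
    if not any(c in string.digits for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if password.lower() in DENYLIST:
        problems.append("on the denylist")
    return problems

def meets_policy(password: str) -> bool:
    return not policy_violations(password)

def must_change(last_changed: str, today: str,
                panic_button_at: Optional[str] = None) -> bool:
    """True when the 60-day clock has run out, or when an admin hit the
    'panic button' after this user's last change (forcing everyone to rotate).
    Dates are ISO strings (YYYY-MM-DD), an assumption for this example."""
    changed = date.fromisoformat(last_changed)
    if date.fromisoformat(today) - changed >= timedelta(days=ROTATION_DAYS):
        return True
    return panic_button_at is not None and date.fromisoformat(panic_button_at) > changed

if __name__ == "__main__":
    for pw in ("fido", "johnsmith", "Jujubeans2013", "Jujubeans2013!"):
        print(f"{pw:15} -> {', '.join(policy_violations(pw)) or 'OK'}")
    print(must_change("2013-01-01", "2013-02-05"))                # False: 35 days
    print(must_change("2013-01-01", "2013-02-05", "2013-02-04"))  # True: panic button
```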
I want everyone to see something. This is last night’s activity log from a website that PlannerWire manages.
This is some idiot or some software program trying to hack/guess their way into the admin side of this event website. They are trying passwords like admin, admin123, test, Password, and on and on and on, and if it is software, it might just keep banging away until the system stops them, the program times out, or they get in…
This is happening to websites 24/7/365, even little event websites like the one in the activity log.
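One way a site operator can spot the pattern in that activity log automatically, by counting failed logins per source inside a short window. This is an added example, not PlannerWire's code; the log lines are constructed and their format is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines in the style of a web-app activity log; the format is
# an assumption for this example, not PlannerWire's real log. Passwords tried are never logged.
SAMPLE_LOG = """\
2013-02-05 02:14:03 LOGIN_FAILED user=admin ip=203.0.113.7
2013-02-05 02:14:04 LOGIN_FAILED user=admin ip=203.0.113.7
2013-02-05 02:14:06 LOGIN_FAILED user=administrator ip=203.0.113.7
2013-02-05 02:14:07 LOGIN_FAILED user=test ip=203.0.113.7
2013-02-05 02:14:09 LOGIN_FAILED user=admin ip=203.0.113.7
2013-02-05 02:20:15 LOGIN_FAILED user=jsmith ip=198.51.100.23
2013-02-05 02:20:41 LOGIN_OK user=jsmith ip=198.51.100.23
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<result>LOGIN_\w+) "
                     r"user=(?P<user>\S+) ip=(?P<ip>\S+)$")

def parse(log_text: str):
    """Yield (timestamp, result, user, ip) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"], m["user"], m["ip"])

def brute_force_sources(log_text: str, threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> dict:
    """Source IPs with at least `threshold` failed logins inside one `window`.
    Counting per source, not per username, catches the pattern the article
    describes (one origin cycling through admin, test, Password, ...).
    Returns {ip: (failures_in_window, sorted usernames tried)}."""
    failures = defaultdict(list)
    for ts, result, user, ip in parse(log_text):
        if result == "LOGIN_FAILED":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = [u for t, u in events[i:] if t - start <= window]
            if len(in_window) >= threshold:
                flagged[ip] = (len(in_window), sorted(set(in_window)))
                break
    return flagged

if __name__ == "__main__":
    for ip, (count, users) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins in 5 min, usernames tried: {', '.join(users)}")
```

A legitimate user who mistypes once (the jsmith lines) stays below the threshold, which is the property to keep when you wire the result to a lockout or block.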
The boogeyman is here, they are knocking, and it takes a village to keep everyone safe. If we all do our part, hackers won't stop hacking, but they may move on down the road to an easier target.
Image: Brian Klug