By now, most of you have probably heard about the recent discovery of hackers getting around 2 million userid's and passwords to online services like Facebook, Gmail, Yahoo, LinkedIn and Twitter. Notable on the list of sites is ADP, the payroll processor.
It's "just" 2 million sets of ID's and passwords. That's not really big news these days when the new record of over 152 million stolen passwords was recently set by the Adobe breach. But there is a difference here. For most of the big password breaches, the service provider's website or password store is hacked. Then the encrypted password file or database is downloaded. The attackers can take their time analyzing the encrypted data to come up with userid's and passwords. This work is made easier because so many sites use poorly implemented encryption. And some sites use no encryption at all.
But that's not what happened here.
This time the passwords were stolen from the users of the sites. That's you and me (well... hopefully not you or me!).
Usually it's most cost-effective for attackers to go to the source and steal a password file with hundreds of thousands, or millions, of passwords. There is work to decrypt this, but it's worth it to the bad guys because they will get so many account passwords. Usually it's less cost effective to try to infect a bunch of individual people's computers, then wait for the people to log in to some sites like Facebook or their bank, and collect and correlate the information. But that's exactly what happened here!
If you're interested in the gory details, Trustwave has a detailed account here.
Of course, the advice that we see coming out from this is to change your password (regularly) and to choose a stronger password. But, as usual, the advice misses the point. Let's looks at why.
For a "normal" incident, in which a site's password file is stolen, the single best defense you can have is to have a very long password. It can be all letters, but it should be long, perhaps 20-32 characters or more. It can be a series of words that are easy to remember. (of course, if you're using a password vault like I've been saying all along then you don't need to worry about memorizing passwords). The long password helps you because it makes it very difficult for the hacker to decrypt it unless the have the exact encryption keys, algorithm and method used to encrypt.
But in this case the attackers are infecting computers and stealing the passwords directly from you and me! So, the single best defense you can have is to protect your computer! A long password won't help as much. 2-factor authentication is also a good choice because the attacker would only get part of your password.
So, let's review the key things you need to do to protect yourself:
- Protect your PC - this means using anti-virus and anti-malware tools, setting your system for automatic updates of patches, and generally practicing good computer hygiene as I covered here.
- Careful clicking on links - clicking on malicious links is one of the key ways malware gets on your computer. Stop and think before clicking.
- Use long passwords - size matters! The longer the better. And remember, very long passwords that are all words, are great.
- Use a password vault.
- Use 2-factor authentication. Here's a great article from Lifehacker about this.
Do you know anyone effected by this latest password breach? What other good ideas do you have to protect ourselves online?