There are at least four ways that hackers can get your passwords:
I'm going to run through all of this quickly, with links to more technical information. From recent incidents at GeoCities, it's clear that I need to get this info online now, rather than fret about perfecting this page:
- They intercept your email when your password is sent to you.
- They use a password cracker to learn your password.
- They use "web spoofing" to see everything you say online, including your passwords.
- They use Java applets to access your hard drive if you keep passwords there.
1. They intercept your email when your password is sent to you.It's not that difficult to intercept email. I'm not going to cover the "how it's done" here, just take my word for it. (I'll try to make time for the how-to info, later.)2. They use a password cracker to learn your password.
If you receive an email with your password in it, change your password immediately. Since early January 97, our family has been receiving unsolicited letters from GC lately, "reminding" us of our passwords. We know what's going on. We try to change our passwords at least daily. Whether or not you're getting this kind of unsolicited email, it's a good idea to change your passwords frequently.
To protect the rest of your mail, PGP is free and it's a very good idea for email that you want to remain private. But most web servers and web masters don't use PGP to send password "reminders." Sorry.There are two main kinds of password crackers available today: There's the old-fashioned kind, which is what you saw in the movie, "War Games," that slowly checks every password possible from the entrance to the site. The problem with those is that many services note when someone makes too many errors in entering critical access data, and they shut down the site. The newer crackers go into the program you're working, and find the passwords from the inside. The problem with these is that you have to get the cracker into the site, undetected. And you've got to be using a competent program. And know that it's going to get in and out without setting off alarms or leaving a trail straight to you.3. They use "web spoofing" to discover your passwords... and more.
Many hackers try manually cracking first. They'll try, say, a dozen likely passwords to see if any of them work. There are actually lists of the 100 (or more) most-used passwords. Intelligent hackers read through everything they can learn about you, and then use likely passwords, such as your kids' names, your school nickname, your birth date, and so on. (If you're a Star Trek fan, don't use "makeitso," or "beammeupscotty." ) Also, if they already know another one of your passwords, they'll try them first; many people use only one or two passwords over & over at each site.
Don't use simple passwords. As it says in The Pass phrase FAQ - Part 2 (which I recommend everyone read), a simple password that appears in the average English dictionary will take about an hour or less for a hacker to crack.
Use foreign words if you can remember them. Mix in numbers. Spell funny. Like, wares = w@R3z. Make your password as long as possible. Change it often. Daily, if you are nervous and if you have the time.This one is a new game in town. One version uses Java, but the JavaSoft folks insist that you don't have to have Java to do this one: Basically, you go to a site and then every place you go after that, is routed through that page's server. An easy, non-malicious example of this is the Anonymizer. Basically, when you type in a URL, the request goes to the other person's site, and that person requests the page, views it, and then forwards it to you. Ditto your replies, such as if you are filling in a form or entering your password.....the middleman SEES ALL.4. They use Java to access your hard drive.
The bad news is, this will eliminate the password crackers, because it's a FAR simpler way to get passwords.
For more information on this process, check out the superb technical info at Princeton University's "Web Spoofing" page, or the more technical Java-based version at Berkeley's "Web Graffiti" site.
I keep my own passwords in a 3x5 file box, using file cards for the more permanent notes, and 3x5 pieces of paper (cheap by the pad at office supply stores) for the passwords I change regularly. If it's too difficult to think up a series of new passwords all the time, consider rotating through a series of passwords that you've noted on cards, not on your hard drive.
This page hosted by Get your own Free Home Page