In the last weeks tens of thousands of people have been hit by a major attack that harvested not only email addresses and passwords, but also their ‘security question’ and their alternate email address and password.

This meant that not only could spam email be sent from those accounts, but if the user changed the password, the spammers could still log in.  They’d simply use the ‘forgot your password?’ link and log into that alternate address (that they’d also be sending spam from) to get the new password.


This is the biggest scam of this type so far and it’s highlighted some interesting points.  Researchers who were able to get a look at the initial lists of 30,000 email addresses were able to study the email passwords to look for trends.

They discovered that the most common password was “123456” with a great many people also using “password”.  The second most common password was “123456789”.

Further study revealed that a significant proportion of people were using their date of birth.  This is doubly insecure as you not only have an obvious password if someone knows your date of birth, but you’re also giving away your date of birth once someone discovers your password.

42% of all passwords used only lower case letters, 19% were purely numeric and only a paltry 6% used a mix of alpha-numeric and other characters, which is quite alarming.

In order to create a strong password you should have a mix of letters, in both upper and lower case, and numbers.  To create a super strong password you could also slip in some other characters.  Passwords should also be a minimum of 8 characters in length.  See the examples below, each stronger than the last.

without
withoutu
w1thoutu
w1thoutU
w1th0utU
w!th0utU

The final password still reads as ‘withoutu’ but uses an !, the number zero and a capital letter.
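To make the figures and the password ladder above concrete, here is an added example (not from the article) that buckets a list of passwords the same way the researchers' breakdown does, finds the most reused entries, and scores each step of the ladder against the four recommendations. The password list is constructed for illustration.

```python
from collections import Counter

# Constructed sample list standing in for the leaked data discussed above.
# Duplicates are deliberate: "123456" must come out as the most common entry.
SAMPLE_PASSWORDS = (
    ["123456"] * 4 + ["password"] * 3 + ["123456789"] * 2
    + ["19850412", "qwerty", "letmein", "w1thoutU", "w!th0utU", "Summer2009"]
)

# The article's own ladder of increasingly strong variations on one word.
LADDER = ["without", "withoutu", "w1thoutu", "w1thoutU", "w1th0utU", "w!th0utU"]


def classify(pw: str) -> str:
    """Put a password into the buckets the article's statistics use."""
    if pw.isdigit():
        return "numeric only"
    if pw.isalpha() and pw.islower():
        return "lower case only"
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_other = any(not c.isalnum() for c in pw)
    if has_letter and has_digit and has_other:
        return "alphanumeric + other characters"
    return "other mix"


def breakdown(passwords):
    """Percentage of the list in each bucket, rounded to one decimal place."""
    counts = Counter(classify(pw) for pw in passwords)
    total = len(passwords)
    return {bucket: round(100 * n / total, 1) for bucket, n in counts.items()}


def most_common(passwords, n=3):
    """The n most frequently reused passwords, as (password, count) pairs."""
    return Counter(passwords).most_common(n)


def guidance_score(pw: str) -> int:
    """How many of the article's four recommendations a password meets:
    at least 8 characters, a digit, a capital letter, a non-alphanumeric
    character. Each rung of LADDER scores at least as high as the one before."""
    return sum([
        len(pw) >= 8,
        any(c.isdigit() for c in pw),
        any(c.isupper() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


if __name__ == "__main__":
    print(breakdown(SAMPLE_PASSWORDS))
    print(most_common(SAMPLE_PASSWORDS))
    print([(pw, guidance_score(pw)) for pw in LADDER])
```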

One of the concerns about this recent attack was the knock-on effect with people who use the same username / password combination on many different websites.  At this point I think the internet business community needs to take a step back and reflect on the impact of this, not only on their users, but also their businesses.  I would like to see a move towards systems that ask for random characters from passwords instead.

So what can you do to protect yourself?  The first things to do are to make sure that you have up-to-date anti-virus and anti-spyware protection on your PC.  My personal favourites at the moment are Microsoft Security Essentials and Spyware Terminator, both of which are free.  Comodo also provide an excellent free firewall, and everything here works with Windows 7.  Nobody yet knows if this email data was all harvested from Phishing emails or whether some of it came from keyloggers, software that records everything you type.

One defence against this when logging into websites is to use the Windows onscreen keyboard, which is in all versions of Windows.  Keeping a shortcut to this handy will enable you to type passwords, safe in the knowledge that keylogging software cannot record what you type, as all you’re doing is clicking apparently random points on the screen.


You should also be wary of emails that you receive.  If you receive an email from a friend that’s not the usual sort of email they would send, query it with them before you act on it to see if they really did deliberately send it to you.  The following rule is also very important.

No company will EVER send you an email asking you to confirm your security details!

If you receive an email asking you to do this, delete it immediately, or forward it to phishing@ followed by the company’s domain name and delete it afterwards.

It’s easy to keep yourself safe online but you have to be vigilant.  The simple fact is that no matter how good the security software and browser on your PC or Mac are (don’t think that Mac users are immune to phishing attacks), the ONLY person who can ever keep you safe online is YOU! The rule of thumb is to always be careful what you click on and what you grant permission to.  If you did not explicitly want to install something then don’t.

For more information on keeping yourself safe online, there is excellent advice available online from the UK Government and the FBI.

From: Connected Internet