[UPDATE] Is Your Password Safe? (6/17/11)
By Dan Han, Information Security Officer
[UPDATE] Gizmodo has released an online searchable database that lets users check whether their email addresses and passwords appear in the recent LulzSec disclosure. The link can be found here. If you are concerned about the safety of your personal email, PayPal, or other online accounts, search for your email address in this database to see whether your account information has been disclosed.
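A lookup service like the one described above is easy to build badly (a plaintext file of everyone's passwords behind a search box). The following is an added example, not Gizmodo's code or anything from the original post, of the safer shape: the dump is parsed once, indexed only by a SHA-256 digest of the normalized email address, and queried by digest, so the lookup table never needs to hold plaintext addresses. The `SAMPLE_DUMP` text and its `email:password` layout are constructed for illustration and are not lines from the LulzSec release.

```python
import hashlib
from collections import defaultdict

# Constructed sample in the common "email:password" dump layout.
# Invented entries for illustration only, not lines from any real release.
SAMPLE_DUMP = """\
alice@example.edu:Summer2011
Bob.Smith@Example.com:letmein
carol@example.org:Summer2011
bob.smith@example.com:letmein
# comment lines and blank lines are ignored

malformed line without separator
"""


def normalize_email(addr):
    """Trim and lower-case so 'Bob.Smith@Example.com' and 'bob.smith@example.com' match."""
    return addr.strip().lower()


def hash_email(addr):
    """Index key: SHA-256 of the normalized address, so the table holds no plaintext emails."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def parse_dump(text):
    """Build {sha256(email): set(passwords)} from 'email:password' lines.

    Passwords may themselves contain ':' so the line is split only on the first one.
    Blank lines, '#' comments and lines without a separator are skipped.
    """
    index = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, password = line.split(":", 1)
        index[hash_email(email)].add(password)
    return index


def is_compromised(index, addr):
    """True if the address (in any capitalization) appears in the dump."""
    return hash_email(addr) in index


def reused_passwords(index):
    """Passwords shared by more than one distinct address.

    These are the guesses an attacker tries first against every other service,
    which is why reuse across sites turns one breach into several.
    """
    owners = defaultdict(set)
    for digest, passwords in index.items():
        for pw in passwords:
            owners[pw].add(digest)
    return {pw for pw, who in owners.items() if len(who) > 1}


if __name__ == "__main__":
    idx = parse_dump(SAMPLE_DUMP)
    print("addresses indexed:", len(idx))
    print("BOB.SMITH@example.com compromised?", is_compromised(idx, "BOB.SMITH@example.com"))
    print("dave@example.net compromised?", is_compromised(idx, "dave@example.net"))
    print("passwords shared by several victims:", reused_passwords(idx))
```

Normalization matters in both directions: without it the two `bob.smith` lines would index as different victims, and a user typing their address with a capital letter would be told, wrongly, that they are safe.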
Many of us use the same small set of passwords to access multiple systems, websites, and other technology resources. Further, not all of us change our passwords on a regular basis unless we are required to do so. We reuse passwords and leave them unchanged because changing them is inconvenient, and we do not see any real threat to them. Well, is the threat real? Absolutely. The infamous hacker group LulzSec has released a list of 62,000 user names and passwords to the public. The released credentials included accounts at Gmail, Yahoo, AOL, Comcast, Bank of America, and Wachovia, among many others. Anyone with access to this list could potentially log in to these compromised accounts and access the victims' personal information. Further, if any of these victims use the same credentials on other websites or systems, attackers can potentially reach those accounts as well, because a leaked email address and password is routinely tried against every other service that person is likely to use.

Among the compromised accounts were thousands of credentials belonging to numerous higher education institutions. VCU was not spared: credentials for two VCU accounts were also published. As it turns out, the passwords for both accounts were outdated and would not have allowed an attacker to compromise them. To protect your credentials and your identity, the following tips should be considered:
1. Use a long password to protect your accounts. Length matters more than character-set complexity: every added character multiplies the number of guesses an attacker must make, while adding a symbol to a short password only enlarges the alphabet. A phrase that is meaningful to you, such as a song lyric or a memorable sentence, makes a strong password (e.g., “Every1 bites the DUST!” or “I LOVE pepperoni pizza?”).
2. Use a different password for each system. If you have trouble remembering them, use a digital password safe such as KeePass to store and manage your passwords in an encrypted database. Never write your passwords down or save them in an unencrypted file.
3. Be alert to phishing emails, and never send your password to anyone by email. If you do not know the sender AND you were not expecting the message, treat the email, its links, and its attachments with caution.
4. Do not share your password with anyone, including IT support staff, friends, or relatives. Legitimate support staff do not need your password to help you.
5. Always verify the identity and authenticity of a website before logging in to it. Be wary of any login page that is not served over https (SSL), and of any site that produces a certificate error.
6. Change your passwords periodically to limit how long a stolen password stays useful. At a minimum, change them annually, and change a password immediately if you learn that the account has appeared in a breach such as this one.
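Tip 1 claims that length beats complexity. The following added example (not code from the original post) puts numbers on that claim using two simple attacker models: a brute-force search over the smallest character-class alphabet that covers the password, and a word-by-word guess for phrases built purely from common words. The guess rate of 1e10 per second and the 20,000-word dictionary size are assumed parameters chosen for illustration; the password strings are the page's own example plus two constructed comparison values.

```python
import math
import string

# An attacker who sees a character from a class must add the whole class to
# the brute-force alphabet; these four classes cover printable ASCII.
CLASSES = (
    string.ascii_lowercase,       # 26
    string.ascii_uppercase,       # 26
    string.digits,                # 10
    string.punctuation + " ",     # 32 symbols + space = 33
)

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password):
    """Size of the smallest class-based alphabet covering every character."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def brute_force_bits(password):
    """log2 of the brute-force search space: length * log2(alphabet).

    Each extra character adds log2(alphabet) bits, whereas widening a short
    password's alphabet from 26 to 95 symbols adds under 2 bits per character.
    """
    size = alphabet_size(password)
    if not password or size == 0:
        return 0.0
    return len(password) * math.log2(size)


def wordlist_bits(phrase, dictionary_size=20000):
    """Pessimistic bound for a phrase made only of common words.

    An attacker who guesses whole words pays log2(dictionary_size) per word,
    not per character. Assumed dictionary size is a parameter, not a fact.
    """
    words = phrase.split()
    if not words:
        return 0.0
    return len(words) * math.log2(dictionary_size)


def years_to_crack(bits, guesses_per_second=1e10):
    """Expected wall-clock years to exhaust a search space of 2**bits guesses.

    The guess rate is an assumed value; offline GPU cracking of fast hashes
    varies by orders of magnitude with the hash algorithm and hardware.
    """
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed comparison values alongside the page's own example phrase.
    for pw in ("P@ssw0rd!", "Every1 bites the DUST!", "correct horse battery staple"):
        b = brute_force_bits(pw)
        print(f"{pw!r}: alphabet={alphabet_size(pw)} brute-force bits={b:.1f} "
              f"years={years_to_crack(b):.3g} wordlist bits={wordlist_bits(pw):.1f}")
```

The nine-character "complex" password lands near 59 bits, about two years at the assumed guess rate, while the page's 22-character phrase is over 140 bits under the same model. The `wordlist_bits` bound is the caveat: a phrase of four plain dictionary words scores only about 57 bits against an attacker who guesses words rather than characters, so the digit, capitalization and punctuation in the page's examples are doing real work by pushing the attacker off a pure word-list attack.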
For more information, please contact VCU Information Security Office at email@example.com.