Password Nightmares

Yesterday's Ars Technica report on a recent high-profile series of site hacks can be condensed to one simple lesson: real security starts with password security.

By exploiting a handful of well-known vulnerabilities in IT security firm HBGary's infrastructure, hacker collective Anonymous gained access to a database of username/password combinations. This database was easily deciphered using readily available tools; and because a couple of members of HBGary's senior management used simple passwords (in this case six lowercase letters combined with two numbers) across multiple accounts, the hackers were able to access a massive amount of critical company data, deface and destabilize numerous digital assets, and generally cause mayhem according to their every whim.

How much damage was done? It's probably too soon to say for sure, but the opening paragraphs of the story offer a hint:

It has been an embarrassing week for security firm HBGary and its HBGary Federal offshoot. HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group's actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year.

When Barr told one of those he believed to be an Anonymous ringleader about his forthcoming exposé, the Anonymous response was swift and humiliating. HBGary's servers were broken into, its e-mails pillaged and published to the world, its data destroyed, and its website defaced. As an added bonus, a second site owned and operated by Greg Hoglund, owner of HBGary, was taken offline and the user registration database published.

The entire story is worth reading, and is written in fairly accessible language. One need not be a nerd to follow along and glean some important lessons from it. However, since at least two of my three readers won't take the time to digest the whole thing, I will offer this free advice:

If you are a typical user (i.e., not a systems administrator or otherwise involved in managing, developing, or overseeing a piece of technology), there's one thing you're probably not doing in order to stay safe on the web. And you need to start doing it today: use a different, complicated password for every account that you have. When I tell people this, their eyes pop out and they gasp. But it's not as hard to accomplish as it may seem. There are fairly simple techniques you can use to produce very complicated passwords, and by adding a couple of extra characters according to a system you devise, you can make them different for every account. Even better, there are tools (I use and recommend 1Password with Dropbox) to automate all this so you never have to worry about it again.
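To put numbers on the advice above, here is an added example (not from this post or the Ars Technica report) that estimates how many guesses a password of a given shape can withstand, compares the six-lowercase-plus-two-digits shape mentioned earlier with a manager-generated random password, and shows how little a short per-account suffix protects you once a reused base password leaks. The sample password and the guess rate are constructed assumptions.

```python
import math
import re
import secrets
import string

# Size of each character class; 's' is string.punctuation (32 symbols).
CLASS_SIZE = {"l": 26, "u": 26, "d": 10, "s": 32}

def shape_of(password: str) -> str:
    """Map each character to its class: l=lower, u=upper, d=digit, s=symbol."""
    return "".join("l" if c.islower() else "u" if c.isupper()
                   else "d" if c.isdigit() else "s" for c in password)

def keyspace(shape: str) -> int:
    """Passwords sharing this shape, i.e. the work for a guesser who knows the shape."""
    n = 1
    for c in shape:
        n *= CLASS_SIZE[c]
    return n

def shape_bits(shape: str) -> float:
    """Keyspace expressed in bits, the usual strength yardstick."""
    return math.log2(keyspace(shape))

def years_to_exhaust(shape: str, guesses_per_second: float) -> float:
    """Worst case for the defender: every password of this shape is tried."""
    return keyspace(shape) / guesses_per_second / (365 * 24 * 3600)

def is_weak(password: str, min_bits: float = 60.0) -> bool:
    """Policy check: reject anything whose shape gives fewer than min_bits."""
    return shape_bits(shape_of(password)) < min_bits

def suffix_only_bits(full_password: str, suffix_len: int) -> float:
    """If the shared base leaks, only the per-account suffix still protects you."""
    return shape_bits(shape_of(full_password[-suffix_len:]))

def generate_password(length: int = 20) -> str:
    """What a password manager does: uniform random choice from all four classes."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    weak = "secure42"  # constructed sample: six lowercase letters + two digits
    print(shape_of(weak), f"{shape_bits(shape_of(weak)):.1f} bits",
          f"{years_to_exhaust(shape_of(weak), 1e9):.2e} years at 1e9 guesses/s")
    print("weak?", is_weak(weak), "| suffix alone:",
          f"{suffix_only_bits(weak + 'a1', 2):.1f} bits")
    strong = generate_password()
    print(strong, f"{shape_bits(shape_of(strong)):.1f} bits", "weak?", is_weak(strong))
```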

If you do nothing else online today, do this: determine the five or ten most vulnerable accounts you have, like your bank and brokerage accounts, your amazon.com account, your e-mail accounts, Facebook, etc. Now, change your password for each of these to something complicated but memorable. And if you want to get started with something like 1Password, e-mail me. This is what I do, and I'm always happy to help.