Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Passwords: Tips For Better Security

You can make your passwords more secure if you follow a few simple rules: Don't reuse passwords, make them long and random, and don't be afraid to write them down, say security experts.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Accordingly, the simplest and easiest way to increase password security might simply be to write passwords down, albeit preferably in a highly secure manner. "The best investment you can make is to go out and get a [digital] wallet to keep your passwords in," said Thomas Kristensen, chief security officer of Secunia, a vulnerability information provider, in an interview. "To reuse your password on different sites is just the worst thing you can do. Look at all of the compromises of websites this year--there's the risk that they'll lose your account, and once your password is out there and associated with your email address, you probably won't know it's been stolen until they've heisted something."

Another advantage of digital password wallets is that the software not only makes it easy to store passwords, but also to generate a strong, highly random password. That makes it trivial to maintain a different password for each and every website used. Accordingly, the next time hackers crack a Sony password database, even if it contains your username and password, hackers won't be able exploit that combination anywhere else.

Digital password wallets, however, do mean one more piece of software to download, install, and use. "It's a nuisance, I know," said Kristensen, who's been using an open source application called KeePass for 10 years. But he said that using digital password wallets is simply a best practice. "It's not the perfect solution, but it's much better than reusing passwords."

When it comes to password management software that stores passwords securely, there are numerous options. For example, Bruce Schneier, chief security technology officer at BT, created PasswordSafe, an easy-to-use, open source password database for Windows. Such software is also available for the Apple OS X (for example, shareware PasswordWallet, which also works for Windows). Another option, the aforementioned KeePass, runs on both of those operating systems, as well as Linux.

Furthermore, many password wallets will synchronize passwords between your computer and mobile devices, meaning you can always carry a secure, password-protected copy of your passwords and PIN codes with you. (For the record, people's PIN-picking practices are arguably even poorer than their password selection habits.)

To recap: secure passwords by creating a unique and random, long and strong password for every website that matters. Then keep these passwords secure by storing them in a digital safe. Do that, and don't fear the next LulzSec.

Small and midsize businesses are falling prey to cyberattacks that cost them sensitive data, productivity, and corporate accounts cleaned out by sophisticated banking Trojans. In this report, we explain what makes these threats so menacing, and share best practices to defend against them. Download it now. (Free registration required.)

 

Recommended Reading:

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15001
PUBLISHED: 2020-07-09
An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when u...
CVE-2020-15092
PUBLISHED: 2020-07-09
In TimelineJS before version 3.7.0, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file. Most T...
CVE-2020-15093
PUBLISHED: 2020-07-09
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A ...
CVE-2020-15299
PUBLISHED: 2020-07-09
A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is execu...
CVE-2020-4173
PUBLISHED: 2020-07-09
IBM Guardium Activity Insights 10.6 and 11.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure l...