I’ve mentioned this several times before (here, here, and here), but if you’re one of the 2.4 million people at risk because of the Carphone Warehouse data loss recently, now might be a good time to heed my advice on password security. It’s also a timely reminder that nobody is safe if they ignore the risks and don’t protect themselves with some essential security measures.

Hackers generally don’t steal data for kicks and giggles. Most of them are fully aware that they are committing a criminal act, and as such they’re generally looking for some kind of reward. Of course there are some people who do this for attention, but on the whole they’re doing it for financial reward.

With your money…

How do they get your money?

  • Ordinarily they’re trying to engineer a way to use your online accounts elsewhere to obtain cash, goods or services by having you pay for it.
  • First they steal a database from somebody; this data contains your username and password for that company.
  • Although the stored passwords are usually hashed (scrambled rather than kept in plain text), with the huge amounts of data they steal and the technology available to them, it’s a simple process to ‘crack’ the hash if you use a normal word as a password, or as part of a password. The more complex (i.e. random) the password, the more difficult it is to crack.
  • Once they have your password for one service, they’ll try it with lots of others. This may reveal further information about you which can be sold online to identity thieves, or grant them access to your accounts, enabling them to order high-resale-value goods for themselves. This kind of crime has been going on for years, well before the Internet was commonplace (I once had a tenant order lots of stuff in my name for himself after getting hold of my personal details from mail that hadn’t been redirected…).

What should you do?

Stop using simple passwords such as ‘password’, or your favourite holiday location. An 8 character password that is a legitimate word can be cracked in less than a second by software designed for the purpose. A 32 character password with symbols would take several years! So you need to start using longer, more random passwords with a mixture of letters, cases, numbers and (where possible) symbols to make it more difficult. If you want an example, a good password might be something like: eq8ot2D4gqEQzgWLUXc7btBC[oEN#k]M. Notice the upper and lower case characters are mixed with both numbers and symbols. Not every service will allow this length and complexity, but the longer and more complex, the better and safer for you.
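To make the size difference concrete, here is a small added example (my own code, not something from the original post) that generates a password in the same style as the one above using Python’s `secrets` module, and works out how much searching an attacker has to do for a dictionary word versus a long random string. The word-list size and the guess rate are assumed illustrative figures, not numbers from the post.

```python
import math
import secrets
import string

# The four character classes the post recommends mixing.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def generate_password(length: int = 32) -> str:
    """Return a random password containing at least one lower, upper, digit and symbol.

    secrets.choice uses the OS cryptographic random source, unlike random.choice.
    """
    if length < 4:
        raise ValueError("need at least 4 characters to cover all four classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of work to try every password drawn from alphabet_size symbols of this length."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second


# Constructed assumptions for the comparison (illustrative, not measured figures):
DICTIONARY_WORDS = 200_000      # rough size of an English word list
GUESS_RATE = 1e10               # assumed guesses/second against a fast, unsalted hash
SECONDS_PER_YEAR = 365 * 24 * 3600


def compare() -> dict:
    """Compare a dictionary word, an 8-char random string and a 32-char random string."""
    cases = {
        "8-char dictionary word": math.log2(DICTIONARY_WORDS),   # one guess per word
        "8-char random (94 symbols)": search_space_bits(94, 8),
        "32-char random (94 symbols)": search_space_bits(94, 32),
    }
    return {name: {"bits": bits,
                   "years": seconds_to_exhaust(bits, GUESS_RATE) / SECONDS_PER_YEAR}
            for name, bits in cases.items()}


if __name__ == "__main__":
    print("example password:", generate_password())
    for name, result in compare().items():
        print(f"{name:30s} {result['bits']:7.1f} bits  ~{result['years']:.3g} years")
```

The dictionary word comes out at under 18 bits, which is gone in a fraction of a second at the assumed rate, while the 32-character random password is over 200 bits and is out of reach regardless of how the rate is tuned. That gap, not the exact year count, is the point of the post.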

Equally important, you need to stop using the same password on each site/service. Right now is a good time to start changing passwords across all your different Internet accounts (each to a different, long, complex one).

How can you manage this?

There are several ways of managing it. For Mac and iOS users on the latest Operating Systems, iCloud Keychain allows you to store all your passwords in an encrypted file that, in theory, only you can access. My level of trust in Apple managing that well is around 85%, but it should be sufficient for most people.

There are also third-party tools that do the same thing as iCloud Keychain. I’d tend to trust the best of these more than Apple’s own tools, just because their reputation rests on these tools alone (whereas iCloud Keychain is a small part of Apple’s ‘business’). The best of these in my opinion are 1Password and LastPass.

If you need further advice, please contact us. But please, don’t do nothing.