The e-mail from PayPal said I’d sent $400 to a gaming firm in Germany. It’s a dopey phishing expedition, I thought, and authentic-looking, for sure, but nothing to worry about.
The trouble was that when I logged on to PayPal, I really did have a $400 withdrawal. It was clear that someone had my password.
Quick Password Tips
Some of you may skim through this story, so here are the three essential things you need to know about password security:
- Use a password generator, a program that will create a long, random password. Randomness, not a complicated-looking pattern, is what makes a password hard to guess.
- Don’t ever use dictionary words, even if you swap symbols in for letters, as in bill$gate$. Cracking tools apply exactly those substitutions (plus common suffixes such as 123 or !) to every word in a list automatically, so a password of that shape falls in seconds. (LOL — Thanks, Rod.)
- Use a different password for every important site. Using the same password everywhere, especially on critical sites such as banking, is risky. Imagine using your one password on an unsavory, and possibly unscrupulous, site. When that site leaks or sells its password list, attackers run the stolen pairs against other sites automatically; with that golden password and a few guesses at your login name (stevebass, steve_bass, sbass), they’re in like Flynn.
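The second tip in working code, as an added example that is not from the original article: a rule-based cracker of the kind the tip refers to. It applies a handful of substitution and suffix rules to each word in a list, then to every two-word concatenation, and checks each guess against a password store. The wordlist, the rules and the "leaked" SHA-256 hashes are all constructed here; bill$gate$ is the article’s own example, and the usernames are made up.

```python
from __future__ import annotations

import hashlib
import itertools

# Substitution and suffix rules of the kind every cracking tool ships with.
SUBS = {"a": "@", "s": "$", "e": "3", "i": "1", "o": "0"}
SUFFIXES = ["", "1", "123", "!", "$"]

# Constructed wordlist; a real one has millions of entries.
WORDLIST = ["bill", "gates", "password", "steve", "bass", "paypal"]


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed "leaked" password store: unsalted SHA-256, hash -> username.
# A fast unsalted hash is what makes this demo instant; a slow, salted hash
# (bcrypt, scrypt, Argon2) slows the attacker down but does not rescue a
# password this predictable.
LEAKED = {
    sha256_hex("bill$gate$"): "stevebass",
    sha256_hex("P@ssword123"): "sbass",
}


def mangle(word: str) -> list[str]:
    """All variants of one word under the case, substitution and suffix rules."""
    variants = []
    for base in (word, word.capitalize(), word.upper()):
        letters = [c for c in SUBS if c in base.lower()]
        # every subset of the applicable substitutions, applied to all occurrences
        for r in range(len(letters) + 1):
            for chosen in itertools.combinations(letters, r):
                v = "".join(SUBS[c.lower()] if c.lower() in chosen else c for c in base)
                for suffix in SUFFIXES:
                    variants.append(v + suffix)
    return variants


def candidates(wordlist: list[str]):
    """Single mangled words first, then every two-word concatenation."""
    singles = [v for w in wordlist for v in mangle(w)]
    yield from singles
    for a, b in itertools.product(singles, repeat=2):
        yield a + b


def crack(store: dict[str, str], wordlist: list[str]):
    """Return ({username: plaintext}, guesses_made); stops when every hash has fallen."""
    remaining = dict(store)
    cracked = {}
    guesses = 0
    for cand in candidates(wordlist):
        guesses += 1
        h = sha256_hex(cand)
        if h in remaining:
            cracked[remaining.pop(h)] = cand
            if not remaining:
                break
    return cracked, guesses


def brute_force_space(length: int, alphabet_size: int = 95) -> int:
    """Guesses needed to exhaust random passwords of this length (95 printable ASCII)."""
    return alphabet_size ** length


if __name__ == "__main__":
    found, guesses = crack(LEAKED, WORDLIST)
    print(f"cracked {found} after {guesses:,} guesses")
    print(f"a random 10-character password needs up to {brute_force_space(10):,} guesses")
```

Six words and a few rules produce well under 200,000 guesses, and both constructed hashes fall in a fraction of a second; a random ten-character password from the printable ASCII set would take up to 95^10 guesses, roughly 6 × 10^19.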
Who’s Got My Password?
I contacted PayPal (888/221-1161), supplied the details, and they opened up a case. My account is frozen and I don’t doubt PayPal will credit me for the loss. (As I started editing this article, they reversed the charges.) PayPal is investigating, but I don’t think they’ll ever find out how someone got into my account, though it was clear the person had my password. The rep said I probably fell for a well-crafted e-mail spoof.
That’s a blow to my ego. I see myself as suspicious, verging on paranoid, when it comes to phishing e-mails. What better prize than bragging rights to hacking a PC World guy, right? So I’m as vigilant as my dog is when I try to get her to take a pill wrapped in peanut butter. (Hey, you can’t fool me, pal, she probably thinks…)
If an e-mail — suspicious or not — refers to any of my important accounts and provides a link to click, I ignore the offer. It’s safer to manually type the URL into my browser’s address field. And yes, I’ll cover phishing hassles — and ways to guard against it — in a future newsletter.
I’m also careful with my passwords and, at least until now, thought they were super stealthy. For example, on PayPal I used four numbers, a symbol, and three letters. According to Microsoft’s Password Checker, my standard password pattern, 1600%wtf, is strong. But it could be better. A checker like that scores only length and character mix; it can’t tell whether the password has been phished or leaked elsewhere, and an eight-character password that always has the same shape (four digits, a symbol, three letters) leaves an attacker who learns the shape a far smaller space to search than the rating suggests.
Microsoft says that the most effective passwords are 14 characters and have a combination of upper and lower case letters, numbers, and a symbol or two. For example, z24x680uBS4!44 is strong enough for them to call it “best.”
Test your passwords on Microsoft’s site and see how well they stand up, but feed it a throwaway of the same shape rather than a password you actually use; a password typed into someone else’s web form is no longer a secret. Then browse Microsoft’s excellent Strong passwords: How to Create and Use Them. I promise you’ll learn something.
Generating Strong Passwords
Creating a strong password is easy, provided you don’t try to think one up on your own. There are dozens of Web sites that’ll create passwords, but I don’t use any of them. The last thing I’ll do is trust someone online watching me create new passwords. Instead, download Password Generator, a freebie that runs on your own PC, and crank out all sorts of 14-character passwords. Whatever tool you pick, it should draw from the operating system’s cryptographic random number source rather than a plain rand() call, and it should let you set the length and the character set.
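An added example, not the Password Generator the article recommends and not Microsoft’s checker, showing what a generator should do and why the checker’s rating of 1600%wtf is optimistic. It draws 14 characters from the operating system’s cryptographic random source (Python’s secrets module), rejects any draw that misses a character class, and reports the resulting entropy. It also computes the search space of the article’s four-digits, symbol, three-letters pattern for an attacker who knows that shape; the count of 32 symbols and the use of lowercase letters are assumptions. Needs Python 3.8 or later.

```python
import math
import secrets
import string

# Character classes to draw from. Ambiguous glyphs (l/1/I, O/0) are left out so
# the password survives being read aloud or typed from a printout; add them back
# if a site insists. Trimming the alphabet costs well under one bit per character.
LOWER = "".join(c for c in string.ascii_lowercase if c != "l")
UPPER = "".join(c for c in string.ascii_uppercase if c not in "IO")
DIGITS = "".join(c for c in string.digits if c not in "01")
SYMBOLS = "!#$%&*+-=?@^_"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)  # 70 characters


def generate(length: int = 14) -> str:
    """Random password of `length` characters containing every class.

    secrets.choice reads the OS CSPRNG; random.choice (Mersenne Twister) is
    predictable from its own output and must not be used for secrets.
    Rejection sampling keeps the result uniform over all acceptable strings
    instead of pinning one character of each class to a fixed slot.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: log2 of the attacker's search space."""
    return length * math.log2(alphabet_size)


def pattern_space(class_sizes) -> int:
    """Search space when the attacker knows the class size at every position."""
    return math.prod(class_sizes)


if __name__ == "__main__":
    print(generate())
    print(f"14 random chars from {len(ALPHABET)}: {entropy_bits(len(ALPHABET), 14):.1f} bits")
    # The article's pattern: four digits, one symbol, three letters.
    # Assumed: 32 symbols on the keyboard and lowercase letters only.
    known = pattern_space([10, 10, 10, 10, 32, 26, 26, 26])
    print(f"8 chars, shape known: {known:,} guesses ({math.log2(known):.1f} bits)")
    print(f"8 chars, shape unknown: {95 ** 8:,} guesses ({entropy_bits(95, 8):.1f} bits)")
```

A 14-character draw from this 70-character alphabet is about 86 bits (the rejection step shaves off a negligible fraction). The eight-character pattern is about 53 bits if the attacker knows nothing, and only about 32 bits, roughly 5.6 billion guesses, once the shape is known; that is the gap a checker that only looks at one password cannot see.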
Keeping Track of Your Passwords
I just looked and counted roughly 220 sites I use that require a password.
Some site passwords, however, are immaterial. For instance, I use a simple-to-remember word for spots I rarely visit, places such as newspapers that force you to register and log in just to read articles, or tech sites with forum messages.
However, ever since the PayPal fiasco, I’ve changed every significant password on my system to a 14-character gorilla.
Remembering all those passwords is a PITA, so you ought to consider using a password management tool. There are lots available. Many people like KeePass, a freebie; others swear by LargeSoft’s $30 Password Manager. I anticipate easily 100 e-mails — no make that 200 — kvetching that I haven’t mentioned your favorite. But as far as I’m concerned, RoboForm is the best one around, and I’ve used it since it was first introduced.
RoboForm, The Master at Passwords
RoboForm is a $30 program with more features for password management, privacy, and password identification than any other program I know. You provide RoboForm with all the vitals you might need to complete a site’s form: name, address, phone numbers, and even credit card numbers. When you click the Fill Forms button, the program does just that. I’ve created multiple identities, each with different info. For instance, I have one with MasterCard info, another with VISA accounts. I have another identity I call “anonymous” that I use to fill in forms on sites that I’ll never visit again.
Click a Web site from the RoboForm Passcard screen, and RoboForm transports your Web browser to the site, logging you in if necessary. Need an industrial-strength password? RoboForm will generate one for you. And don’t worry about security: RoboForm is itself password-protected. The program will also safely send an encrypted password through e-mail to another RoboForm user. (I was recently discussing with my wife the fact that neither of us can function without it.)
BTW, RoboForm sidesteps keyloggers (programs that record keystrokes) because instead of typing, it inserts characters directly into form fields. That only goes so far: you still type the master password, and malware that can read the clipboard, the form fields, or the browser’s memory sees the password anyway. A form filler is a defense against the crudest keylogger, not against a compromised PC.
If you need portability, RoboForm2Go gives you the same protection when you carry your passwords on a flash drive and use it outside the office. Both the RoboForm program and your password files reside on a USB key, so you can take them from one computer to another. The tool costs $40, but if you buy it at the same time you get RoboForm, the price drops to $20. If you dig around, you’ll occasionally find discounts. (Google RoboForm discount.)
Siber Systems offers a 30-day trial of both products. They work in all versions of Windows and support IE and Firefox, but not Google Chrome, Opera, or a few other browsers. Take a look at the compatibility list.
There’s lots more to say about password management, but I’m almost out of space. So while you’re hot on the topic, read Bitmill’s smart series of Password Security 101 articles. They’re less basic than you might imagine.
[This post is excerpted from Steve’s TechBite newsletter. If you liked it, head here to sign up–it’s delivered on Wednesdays to your inbox, and it’s free.]