Passwords are like toothbrushes: they shouldn't be shared, kept in circulation too long, or left where outsiders can get at them.
I like ZD-net. They have some great articles from time to time. Think your Facebook account is secure from misuse, having followed my article? Not so! Two mistakes conspire against your Facebook security.
ZD-net has a great article on the leaking impersonation tokens used by many of your FB apps. What the article fails to criticize is the bad password practices so many people follow. I tried to capture most of the important points in my password article.
Everyone is quick to criticize Facebook (sometimes called 'Fastbook' by some...). Are we as open to improving our own security practices? Here is where to start:
- Don't reuse a single password widely. Don't use your toothbrush to both clean your battery posts and your teeth. Hackers know to attack the site with the poorest security, then use the harvested password to topple your other accounts like a row of dominoes.
- Change your underwear and change your passwords, nearly as frequently. Both get stale after a while and need a refresher. Create a password-changing ceremony. Make a day of it. Enjoy the process as you put some thought behind each new password on each different account. At a minimum, change a password immediately when the site that holds it reports a breach.
- Choose difficult-to-guess passwords and buy a toothbrush whose bristles won't fall out at first use. Use a combination of upper- and lower-case letters, numbers, and $pec|@l characters. Live in Chicago? Avoid 'DaBears' as your password. Names of professional and successful sports teams are overused (making DaCubs a safer bet for many). Don't count on swapping '@' for 'a' or '$' for 's' to rescue a team name, either: cracking dictionaries already include those substitutions.
- Up the ante. Avoid sites whose security plan makes attacks easy (unlimited password guesses, cheesy challenge questions whose answers are documented on Facebook, LinkedIn, or classmates.com, etc.). Go for 12 or more characters via a passphrase: I@mtheVeryMode!ofaModernMajorGeneral. A phrase of your own beats a famous lyric, since well-known quotations also show up in cracking wordlists. Those of us blessed with long names know you can type long phrases easily, with enough practice.
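The checks behind those four rules, as an added example that is not code from the original post: it scores a password's length, character classes and a crude entropy estimate, matches it against a denylist after undoing common leet substitutions, and scans a small vault for reused and stale passwords. The denylist, the sample accounts, the 12-character and 365-day thresholds and the alphabet sizes are all constructed for illustration; a real deployment would check against a breached-password list rather than a handful of words.

```python
"""Password hygiene checks for the guidelines above.

Added example, not code from the original post. The denylist, the
sample vault and the thresholds are constructed for illustration.
"""
from __future__ import annotations

import math
import re

MIN_LENGTH = 12      # 12+ characters, as recommended above
MIN_CLASSES = 3      # of lower, upper, digit, symbol
MAX_AGE_DAYS = 365   # constructed rotation threshold

# Constructed denylist: overused team names and the usual suspects.
PREDICTABLE = ("dabears", "password", "letmein", "qwerty")

CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
# Alphabet sizes used for the entropy estimate (33 = ASCII punctuation + space).
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Undo common leet substitutions so 'D@Be@r$' still matches 'dabears'.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                      "|": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lower-case, de-leet and keep letters only, for dictionary matching."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def present_classes(password: str) -> list[str]:
    """Names of the character classes that actually appear in the password."""
    return [name for name, rx in CLASSES.items() if rx.search(password)]


def estimate_entropy_bits(password: str) -> float:
    """Crude upper bound: length * log2(size of the alphabet in use).

    Attackers use dictionaries, not brute force, so treat this as optimistic.
    """
    alphabet = sum(CLASS_SIZE[c] for c in present_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password: str) -> list[str]:
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} < {MIN_LENGTH}")
    classes = present_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(f"only {len(classes)} character class(es), want {MIN_CLASSES}")
    plain = normalize(password)
    for word in PREDICTABLE:
        if word in plain:
            problems.append(f"contains predictable word '{word}'")
    return problems


def find_reuse(accounts: list[dict]) -> dict[str, list[str]]:
    """Map each password used on more than one site to the sites sharing it."""
    sites_by_password: dict[str, list[str]] = {}
    for acct in accounts:
        sites_by_password.setdefault(acct["password"], []).append(acct["site"])
    return {pw: sorted(sites) for pw, sites in sites_by_password.items()
            if len(sites) > 1}


def stale_accounts(accounts: list[dict], max_age_days: int = MAX_AGE_DAYS) -> list[str]:
    """Sites whose password is older than the rotation threshold."""
    return sorted(a["site"] for a in accounts if a["age_days"] > max_age_days)


# Constructed sample vault: one weak password reused on two sites, one passphrase.
SAMPLE_ACCOUNTS = [
    {"site": "bank", "password": "DaBears", "age_days": 400},
    {"site": "forum", "password": "DaBears", "age_days": 30},
    {"site": "mail", "password": "I@mtheVeryMode!ofaModernMajorGeneral", "age_days": 500},
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        pw = acct["password"]
        print(f"{acct['site']:6} {estimate_entropy_bits(pw):6.1f} bits  "
              f"{check_password(pw) or 'OK'}")
    print("reused:", find_reuse(SAMPLE_ACCOUNTS))
    print("stale :", stale_accounts(SAMPLE_ACCOUNTS))
```

Running it flags DaBears on three counts (short, only two classes, on the denylist), reports it reused on bank and forum, and lists bank and mail as overdue for a change, while the passphrase passes with roughly 230 bits by the naive estimate. The de-leeting step is the part worth noticing: Pa$$w0rd12 is caught as 'password' even though it mixes all four character classes.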
Let's be honest. It's a two-way street. Vendors must improve application security, but without improvements in our own personal security practices, we won't win the war.
Let me know what you think below.
P.S. Some people object to my gross comparisons. This is my attempt to impress on people the importance of these security practices to their online security plan. Overall, I've received as many compliments as complaints about my off-beat comparisons. Passwords are a lot like old, stale socks. You need to change them before they're so old that they fall apart from overuse.
(Meanwhile, it's hard to keep using the same ol' values when remembering those old nasty, crusty socks some kept reusing in gym class years ago...)