Advice From Google: Change Your Passwords Twice Per Year

Also given is the advice to never re-use former passwords.

With that advice, the fact that the average person these days has a few places where passwords are necessary, and given that people have already been admonished that no two places should share the same password, an average of 8 passwords, changed twice a year, with none ever reused – that’s a lot of different passwords to remember, and not get mixed up, over a lifetime.

Oh, yes, one more thing: we are also told never to write the passwords down, so that’s a lot to keep track of for some people. [I have members of my extended family who cannot remember a 7-digit phone number under some circumstances.]

Change your passwords twice a year and never reuse them. Those are a few of the tips Google lists in an online security checklist that helps people stay one step ahead of the scammers.

With most Internet users now wary of spam messages, fraudsters have increasingly focused on popular Web services such as Gmail, Facebook, Yahoo, and Hotmail. They break into accounts and then send their messages to the victim’s contacts, hoping that the spam will be more effective because it comes from a friend. “People are far more likely to respond to a message from someone they know,” said Andrew Brandt, lead threat researcher with antivirus vendor Webroot, speaking via instant message.

The problem with these things is that too few people actually report them. If more of the suspicious mails were reported, and saved, passed along to the right place, and properly analyzed, we’d have fewer of them, because some would result in the senders being found and stopped.

The spam can include links to fraudulent pharmaceutical Web sites, phoney phishing pages, or pleas for money. In one scam that has been run for more than a year now, the criminal pretends that he’s trapped in a foreign country and asks friends of his victim to wire him funds.

Victims usually don’t know how their accounts were compromised, but according to Google there are several ways this can happen. User names and passwords are often stolen in phishing attacks, or via malicious software that records them as they are typed into the computer. Sometimes the criminals hack into Web sites that are linked to Google accounts. “If that site is hacked and your sign-in information is discovered, the hijacker has easy access to your Google Account,” wrote Priya Nayak, an online operations strategist with Google, in a Friday blog posting.

Anyone can have a problem like this, as I was reminded a couple of weeks ago, when a couple of people in my mailing list responded when they were contacted by a message beginning, “Dear Friend”. My contacts were stolen from my mail program, and when I did a virus and malware scan with a couple of programs I found nothing, including no rootkits. What had happened was very quickly done when I forced the firewall off as I was having problems with a connection. That short 30 minutes or so was all it took – but then that was all they got, as I don’t leave anything else which would benefit anyone. So I was annoyed, and some of my friends were annoyed, but that was the extent of it.

Still, if I had anything important in the general area of the mail directories, it could be gone, too. It is important to know that it happened while I was trying something risky, but I knew what the consequences could be, and took care of almost everything. (To those who were contacted by the spam attack with addresses gotten from my machine, I am sorry!)

And sometimes the bad guys simply guess right. “You use a password that’s easy to guess, like your first or last name plus your birth date (‘Laura1968’), or you provide an answer to a secret question that’s common and therefore easy to guess, like ‘pizza’ for ‘What is your favorite food?,’” Nayak wrote.

My favorite food is cherry cheesecake, but I would not use it as a password. I have taken to the stronger methods, where there are lower case letters, upper case letters, and also numbers. Unfortunately, there are too few places that allow the special characters of the keyboard, for if they did, it would take considerably more time to break passwords. [bite^down,quick&hard would be a great password, but few places will allow the caret, the comma, or the ampersand]

Keeping your password changed, and using one that’s hard to guess, can help thwart many of these techniques.

Webroot’s Brandt said that Google’s advice for twice-yearly changes is reasonable. He thinks people should change their passwords as often as they can. “I change my passwords at least four times a year, but I’m a security nerd and use password manager software which generates the passwords and reminds me to change them.”

I’m not familiar with all the password keeping programs, but the ones I am familiar with use such odd combinations of letters and numbers that it would be difficult to remember them mnemonically. Also, they store the passwords on the user’s hard drive locally, and if there is a crash, or infection, there could be disaster.

Brandt uses a password manager that comes with Webroot’s security software, but there are free options too. LastPass and KeePass are two popular choices.

Even with password managers, it’s a chore to keep on top of all the different log-in information that most people need to surf the Internet. But for important accounts, the work is worth it, according to Google.

“Online accounts that share passwords are like a line of dominoes,” Nayak wrote. “When one falls, it doesn’t take much for the others to fall, too. This is why you should choose unique passwords for important accounts like Gmail (your Google Account), your bank, commerce sites, and social networking sites.”

Released last week, Google’s checklist includes 18 basic security tips that everyone using the Internet should know.

Perhaps the 19th tip that should be included is that nothing is 100% foolproof – because they keep inventing better fools, so a backup plan – perhaps storing them with a friend, but without your name on the paper containing them, so that that trusted friend and you are the only ones knowing what the list of jumbled letters and numbers are for …