Monster Password Issues

This week, the massive online job site Monster.com released a security notice that their database had been hacked, potentially releasing the personal details of millions of registered users.   This isn't the first time this has happened, and I'm sure it won't be the last.monster Leave aside the fact that Monster don't seem to be encrypting passwords in their databases, which is extremely shoddy, this is a timely reminder of the importance of thinking about how we all use passwords.  The big threat with this type of attack is that if you tend to use the same passwords across multiple sites, if you're a Monster.com user (or user of their other international sites such as monster.co.uk), your password is now out in the open and could potentially be used to gain access to any other site that you've registered with using that password.

So, it's dangerous practice to use the same password across multiple sites, but at the same time there's no way you're going to remember different passwords for all the sites you use.

The answer to this problem is to use a password manager such as 1Password.  This is a Mac application but there's also PC password managers such as Roboform.  The beauty of 1Password is that there's both a Mac version and a free iPhone version which can be set up to wirelessly sync between each other.  It also plugs in to the major web browsers (I use Firefox) so that it can automatically enter your username and password into the form each time you visit a site.  The way I use it is to let 1Password generate a random strong password for each site that I use, which then gets added to the application's database.  I now only have to remember one password - the password to open up 1Password.  The thing you have to remember with Password Managers though is that the encryption is only as strong as the one  password you use.  Therefore the normal rules apply - make it long, include numbers, letters (uppercase and lowercase) and special characters such as $.!["]?*&#", etc.

It's basic maths.  If an hacker tries a brute force attack against your password, the time it takes to crack your password will be dependant upon the number of variables in the characters you use, the length of the password, and the processing power of the application and PC used to try and crack the password.  Just by using both upper case and lower case letters you are doubling the number of characters that the password cracker must use, from 26 to 52.  Add numbers and the figure becomes 62, and then there's a large number of special characters you can use to add even more possibilities.  Then, every time you increase the length of your password you are increasing the strength to the power of x.  Although, this can be undermined if the application you use doesn't 'salt' your password and the hacker uses Rainbow Tables, but I won't go in to that here.

When using a Password Manager it's also important to set a time out value in the settings so that you're required to re-enter your master password after a period of time, just in case your PC/Mac/iPhone gets stolen while you have a session open.

If you are using the same password for multiple sites by using something like OpenID, it's particularly important to make sure your OpenID password is strong.

I'm in no way affiliated with 1Password, honest, I just think it's a particularly useful application!

You can find news of other hacked websites at The Breach Blog.