Password Security - Turn Your Dumb Habits Into Geek Habits
When it comes to computing habits, people are always bad at security and passwords. We keep reusing the same password(s) over and over again and we don't realize how easy we make it for the bad guys to steal our credit card details and other important information. Even after the big fiasco that was the hacking of the PlayStation Network, both people and companies remain dormant and are slow to change their password security habits. I would like to make a wake up call and show how to change your habits and have a secure computing life on the Internet.
LastPass - The Key to Your New Password Security Habits
First, you should download and install LastPass. It is a free extension that works on all browsers and syncs your passwords across multiple browsers and computers. You can get it from here.
Once you install it, set up your account and have it import the passwords from your browser. Then, execute the steps below and make sure to read all the recommendations.
Taking The Challenge - What's Your Insecurity Score?
Click on the LastPass button in your main browser. Then, go to Tools -> Security Check.
You are taken to the LastPass website. Click on "Start the Challenge" to start the auditing process.
LastPass will spend a bit of time opening all your passwords and analyzing them.
At the end of the process you are taken to a long page with results. In the Detailed Results section, you get a good overview of how weak your password security is. As you can see, I have 9 duplicate passwords being used across 92 websites. To make things worse, I use 11 weak passwords which are easy to crack. Pretty worrying, isn't it?
If you scroll down, you see a detailed list of all the websites having duplicate passwords. For each site, you can view the username, the password used and its strength.
Visit each of the websites with duplicate passwords and change passwords using LastPass. This great add-on (extension) will help you generate new & unique passwords. Simply press Alt+G on your keyboard or click on Tools -> Generate Secure Password. This opens a friendly password generation dialogue, where you can specify useful parameters like length, the type of characters included, the minimum number of digits, etc.
If you have lots of websites with duplicate passwords, prepare to spend a few hours changing them all. Also, you can change them gradually, spending a few minutes each day, for a few days.
Pay Attention!
When looking through sites with duplicate passwords, you will encounter examples where it is OK to have duplication. For example, Lufthansa (a big airline from Europe) has two web properties which use the same login details. Having different passwords on their websites is impossible. Therefore, there's no need to panic and change passwords.
However, if two websites are not owned by the same company and you have the same password, there's no excuse for you to leave them unchanged.
Once you are done with changing duplicate passwords, look at the table which shows sites with unique passwords. At the beginning of the list, you have all the websites with very weak passwords. Go to all these websites and change the passwords to stronger ones. How? Simply choose a minimum of 8 characters per password, include at least 2 digits and make them as diverse as possible.
Seeing those passwords turn from red (weak & easy to crack) to yellow and green (strong & hard to crack) can be very satisfying.
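To show what the Security Check computes behind the scenes, here is a small audit of the same kind written for this page (added example, not LastPass code): it counts passwords reused across sites, excuses reuse between properties of one owner (the Lufthansa case above), and flags weak passwords using the 8-character / 2-digit rule. The vault entries, the `.example` site names and the "three character classes" reading of "as diverse as possible" are constructed assumptions.

```python
import string
from collections import defaultdict

# Constructed sample vault entries (site, username, password); not real credentials.
SAMPLE_VAULT = [
    ("lufthansa-a.example", "alice", "Tr4velM1les!"),
    ("lufthansa-b.example", "alice", "Tr4velM1les!"),  # same owner: shared login is expected
    ("shop.example", "alice", "summer2011"),
    ("forum.example", "alice", "summer2011"),
    ("games.example", "alice", "summer2011"),
    ("mail.example", "alice", "x7#Qp!2rLm9vB"),
    ("bank.example", "alice", "password"),
]

# Groups of sites that legitimately share one login (constructed, mirrors the Lufthansa case).
SAME_OWNER = [{"lufthansa-a.example", "lufthansa-b.example"}]

CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

def owner_key(site, same_owner=SAME_OWNER):
    """Map a site to its owner group so reuse within one company is not flagged."""
    for group in same_owner:
        if site in group:
            return frozenset(group)
    return frozenset({site})

def is_weak(password, min_len=8, min_digits=2, min_classes=3):
    """Page rule: at least 8 characters and 2 digits. 'As diverse as possible' is
    approximated here (our assumption) as at least three character classes."""
    classes = sum(any(c in cls for c in password) for cls in CHAR_CLASSES)
    digits = sum(c.isdigit() for c in password)
    return len(password) < min_len or digits < min_digits or classes < min_classes

def security_check(vault, same_owner=SAME_OWNER):
    """Return (number of duplicate passwords, sites using one, sites with weak passwords)."""
    by_password = defaultdict(list)
    for site, _user, pw in vault:
        by_password[pw].append(site)
    duplicates = {}
    for pw, sites in by_password.items():
        # A password counts as duplicate only when it spans more than one owner.
        if len({owner_key(s, same_owner) for s in sites}) > 1:
            duplicates[pw] = sites
    dup_sites = sorted(s for sites in duplicates.values() for s in sites)
    weak = sorted(site for site, _u, pw in vault if is_weak(pw))
    return len(duplicates), dup_sites, weak

if __name__ == "__main__":
    print(security_check(SAMPLE_VAULT))
```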
Problems You WILL Encounter!
It took me 3.5 to 4 hours to change all my passwords across hundreds of websites. While doing this, I've learned some negative and surprising things:
- There are websites which don't allow you to change the password. If you store financial information on them, don't hesitate to contact the owners or admins of the website, and request a password change or the deletion of your account/financial information.
- You have duplicate or weak passwords on websites which store very important information about you, including credit card details. For example, I had both duplicate & weak passwords on websites where I purchased security solutions or computer games. You might not consider your EA or Blizzard account that important, but it actually is. Having it cracked (like the case with the PlayStation Network) means unauthorized people can steal money from you or do harm in some other way.
- Some websites you used to visit no longer exist. In that case, it is okay to remove the login details from LastPass and your browser, so that they don't remember them.
Principles for Being More Secure
If you are going through the exercise of improving your password security, it is very good to keep in mind the following principles:
- All your e-mail accounts should have unique & very strong passwords. They are the gateway to your online life and your financial information. If somebody cracks your e-mail account, they can easily obtain your Amazon password and from there your credit card details.
- All the websites where you store financial information should have unique & very strong passwords. Here do not think only of Amazon or eBay. Think of websites from where you purchase software, games, books, services, etc.
- Small forums & online communities are likely to be easier to hack, as they don't invest that much in security. Not even big companies do. If you use the same password on these websites as on your main e-mail account, people will access it and steal any important information they can find. I've had a friend whose Gmail account got cracked this way and suddenly, people from Brazil were accessing his mail.
- If you no longer use the services or content provided by a website, it is safer to delete your account than to keep it. For example, I have not used my Digg.com account for more than a year. Deleting it meant I am more secure than having it still active.
Repeat the Exercise!
As I said in the beginning, you don't have to change all your passwords in one day. Simply do this regularly. Invest a few minutes for a few days and see your progress with LastPass. At the end of this exercise, I went from 9 duplicate passwords on 92 sites to 4 duplicate passwords on only 17 sites. And those left with duplicate passwords either made sense to keep duplicated (as in the example with Lufthansa) or simply did not allow me to change the password, in which case I contacted their support service for later follow-up.
Another great feature of LastPass is that it allows you to see your progress through time. In each report, you have the score and ranking history, for each of the security audits you've made using LastPass.
It feels good to see so much progress over time! 🙂
Conclusion
As you can see, using LastPass to change your password security habits is not that hard. Once you go through the initial exercise of auditing and changing your passwords, your online life can be more pleasant and secure. For more security tips, check out the articles recommended below.