By now, hopefully everyone has heard of the security breach where a list posted on a public site exposed the account usernames and passwords of some 10,000 users. Initially it was reported to be just Hotmail/Live.com/MSN, but it turns out Yahoo!, Earthlink, GMail, and others were also affected. The attackers got the information using phishing attacks, so it wasn't a breach of any of the sites themselves. Still, it meant someone was in possession of that account information, and that is an issue for the folks affected. And since the list only had names starting with the letters A and B, there are surely a whole lot more than 10,000 affected.
Since the list was publicly available, a security researcher was able to grab it before it was pulled offline. What was found wasn't surprising, but it shows we still have a long way to go with respect to educating folks about online security. Here are some of the details the report contains:
Passwords are still a necessary evil. And for some folks, that email account may have represented a "throw away" type of email address, but I suspect a lot of folks just didn't know how to do a better job with passwords. Microsoft has published some good guidance to help with picking relatively strong passwords, and it's not hard to do. As for me? I like long passwords that are based on phrases that make sense to me, with mixed case, special characters, and numeric characters as well. I know I'm paranoid about that stuff, but I have found that when I do that, it's not that difficult. In a lot of cases I just let my password vault generate a random password and use that for a given web site. But if it's somewhere that I'm going to need to log onto and I suspect I won't have my password vault, I'll follow my own algorithm. Here's how I might go about picking a password:
And on a side note, no, that's not my SQL Server Central password. While I can think of something related to the site or activity, I tend not to. I tend to think of something that usually makes no sense at all except to me and build from there. For instance, maybe something happened on SSC in the forums once that reminded me of Yosemite Sam. There hasn't been, to my knowledge, but if there had been, that may be what I initially derive my password from. If you know me and you know the site, you may assume I'll connect something related, and when you begin your attempts to brute force a password of mine, you're already going down the wrong path. So why do I recommend that folks start with something related? Because for folks who aren't used to generating "complex" passwords, it gives them a starting point which, if they follow the rules, leads to an ending point so ambiguous that it doesn't matter much. Me? I'm just paranoid like that.
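An added example, not code from the original post: a small Python script that checks a candidate against the properties the post recommends (long, mixed case, digits, special characters), gives a rough entropy estimate, and builds a vault-style random password from the OS CSPRNG for comparison. The 12-character minimum and the sample candidates (one of them riffing on Yosemite Sam) are my own assumptions, constructed for the demo.

```python
import math
import secrets
import string

# Properties the post recommends for a hand-built password.
MIN_LENGTH = 12  # assumed threshold; the post only says "long"
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def check_policy(password: str) -> dict:
    """Report which of the post's properties a candidate satisfies."""
    chars = set(password)
    result = {name: bool(chars & members) for name, members in CLASSES.items()}
    result["long_enough"] = len(password) >= MIN_LENGTH
    result["ok"] = all(result.values())
    return result


def estimated_entropy_bits(password: str) -> float:
    """Rough upper bound: log2(alphabet size) per character, where the
    alphabet is the union of the classes actually used. A phrase-based
    password is weaker than this number suggests, because dictionary
    words are far from uniformly random; treat it as a ceiling only."""
    chars = set(password)
    alphabet = sum(len(m) for m in CLASSES.values() if chars & m)
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def vault_style_password(length: int = 16) -> str:
    """What a password vault does: draw uniformly from all four classes
    with the OS CSPRNG (secrets), retrying until every class is present."""
    pool = "".join("".join(sorted(m)) for m in CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if check_policy(candidate)["ok"]:
            return candidate


if __name__ == "__main__":
    # Constructed sample candidates: bare phrase, phrase after applying the rules, vault output.
    for pw in ["yosemitesam", "Y0semite-Sam!Wasn't-Here", vault_style_password()]:
        ok = check_policy(pw)["ok"]
        print(f"{pw!r:32} policy_ok={ok!s:5} ~{estimated_entropy_bits(pw):.0f} bits")
```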