They have a hundred ways of getting your passwords.

1 – They can guess them. It is incredibly easy to guess so many people’s passwords. In 1000 tries, they’ll guess over 90% of the passwords on the internet.

  • 4.7% of users have the password “password”;
  • 8.5% have the password “password” or “123456”;
  • 9.8% have the password “password”, “123456” or “12345678”;
  • 14% have a password from the top 10 passwords;
  • 40% have a password from the top 100 passwords;
  • 79% have a password from the top 500 passwords;
  • 91% have a password from the top 1000 passwords.

2 – They can get them from an insecure site.

                When you log onto a website about recipes, they might ask you for a username and password so they can remember your favorite foods. This is not a ‘secure’ website and nobody cares about its security. But if someone hacks into that website and gets your username and password, and then tries that same username and password at your bank, will they get in?

3 – They can trick you into revealing them.

                You get an email from your bank that looks perfectly legit. It says you have a message, click here to read it. You click and go to a website that looks exactly like your bank’s website, and you enter your username and password, and see your accounts. Looks fine – but what has actually happened is the hackers made a duplicate of the bank’s website. When you entered your username and password, they kept a record of it for themselves, and at the same time logged you into your real bank account normally.

4 – They can load a “Trojan Horse” or keylogger on your computer.

                Suddenly a message pops up on your computer saying “Hard drive error, click here to fix.” You click, “Fixing….”, “Repairs successful.” You breathe a sigh of relief. But in fact, that message was not from your computer but from a website and “Fixing…” was actually downloading a program. Every key you type from now on is being sent to the hackers – including your usernames and passwords.

5 – Heartbleed.

                You’ve been hearing about the Heartbleed security flaw – and we will be hearing more. There is a small chance that every password you have ever used has been compromised. Everyone should now change their financial-institution and high-security passwords. Low-impact passwords, like those for sites that do not involve money, are not so important.

6 – I have no idea.

                They’ll get us in ways we can’t even imagine. Through our cellphones, our internet-connected televisions, thermostats, and refrigerators?

What can you do?

                Reduce your odds of being hacked and hope for the best. Be vigilant.

A – Check your credit card activity, credit report, and bank balances frequently.

B – Keep up-to-date virus protection on your computer. Norton, TrendMicro, McAfee, Kaspersky are all good.

C – Don’t click links inside emails unless you’re sure they’re taking you where you expect to go. Should you click on the link in item D below? Well, you know me. You know this document is really from me. You can see that the link is actually going to the roboform.com home page. I’d say it’s safe.

D – Use effective password management. Personally, I use Roboform. It remembers passwords for each page and is secure. A free trial is available here: http://www.roboform.com/?affid=m1955.

Here’s some guidance on changing passwords:

Because of the Heartbleed security alert, change all financial-related passwords now. This includes passwords used for banking, credit cards, wire transfers, and financial institutions. Although you do not need to change local passwords (like QuickBooks), the passwords used to log in to banks, credit card institutions, and sites that store credit card information (like iTunes and Amazon) should be changed.

Passwords should be at least 8 characters long, contain at least one upper-case letter (not the first character), one lower-case letter, at least one number and, if allowed by the site, a symbol such as ~!@#$%^&*()_-+={}[]|\:;"'<>,.?/. Passwords should not contain a common name or word. As a suggestion, use an acronym: "My son's birthday is on December 4" could be used to remember the password msBDis@1204.

If you need to send the new username and password to someone, send the username by email and the password by TXT message, Skype, or other means. Do not label the TXT message with "This is my password:".

Passwords to different sites can be the same -- as long as the security levels of those sites are the same. For example, use three passwords:

Level 1 - Top security banks, investment, and credit cards (Amex, TDBank)

Level 2 - High security shopping sites that have your credit cards (Amazon, Ebay)

Level 3 - Low security information and research sites (HandicappedPets.net, NakedNews.com, and Dictionary.com)

Passwords should be changed every 90 days. Yes, it’s a pain in the … but e-commerce is not likely to go away anytime soon.