Zappos, the Amazon-owned shoe and apparel retailer, said late Sunday that more than 24 million of its customer accounts had been compromised.
This week I received an email from Zappos, my favorite online shoe store:
We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).
Scary stuff. Now hackers can use a network of computers to crack these passwords and try to login to my other accounts (like Gmail, Facebook, or worse) using the same password.
However, there are ways we can protect ourselves.
First, do not use the same password for every account you use. If one password is compromised, then every account using that password will be compromised. To prevent this, create unique passwords for your accounts. Don’t worry. You don’t have to remember hundreds of passwords. Just invent a pattern for creating passwords that is based on the account you are entering.
Here is an example.
Example Pattern: 56$$-FooD-$$65
(Food = the first four letters of a food that relates to the account I’m entering)
Example password: 56$$-OraN-$$65
(This might be my password for Yahoo. Since Yahoo ends in “o” I chose the first four letters of a food that starts with “o” to take the place of FooD)
Another example password: 56$$-EggP-$$65
(This might be my password for Google. Google ends in “e” and “e” is for eggplant.)
The trick is to make a pattern that is personal to only you.
The second thing you can do is use a strong password. I suggest using a password that is easy to remember but hard for a computer (even a supercomputer) to crack. Consider creating passwords using a password haystack. Please take a few minutes to watch this video to see how (and why) to use password haystacks. Then visit this site to create your first haystack.
People create programs to hack our accounts for a reason. There is money to made from stolen information. This has happen before and it will happen again. Be safe now. Fix your passwords today.
People can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down… writing down your impossible-to-memorize password is more secure than making your password easy to memorize.
Another suggestion that I like comes from security expert Steve Gibson. During his podcast Security Now, Steve explains:
Most people have never taken some time to create their own policy, their own personal password policy. They’re on the web, they’re doing something, and suddenly something says, okay, give me a password, create a password. And so, you know, they think of – they just do the first thing that comes to mind, whatever that might be. And so I wanted to take some time to discuss the issue of passwords and cause our listeners to sort of say, okay, wait a minute, this is an important thing. I’m going to, you know, take five minutes and figure out what I want to do about this, rather than continuing not to think about it and not to think that it’s important. Because I think it arguably really is an important issue.
Steven suggests that you create a little algorithm that helps you create a new password for each place you log into.
…take every other letter from the domain name, or every third letter. Come up with a rule for capitalizing them. Swap some letters around. You know, just sort of make up your own algorithm – and you don’t share with anybody else, and don’t use anything that I’ve talked about on the show, of course – and use that to create a password. Maybe take the name and, like, mix in the year of your birth, alternating that with the letters.