Zappos, the Amazon-owned shoe and apparel retailer, said late Sunday that more than 24 million of its customer accounts had been compromised.
This week I received an email from Zappos, my favorite online shoe store:
We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).
Scary stuff. "Cryptographically scrambled" most likely means hashed: the site kept a one-way transformation of the password rather than the password itself. A stolen hash is not safe, though. Hackers can use a network of computers to guess passwords offline against it, recover any weak or common one, and then try to log in to my other accounts (like Gmail, Facebook, or worse) using the same password.
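What that offline guessing looks like, as an added example (not code from the original post and not Zappos's systems): a constructed table of four accounts is stored two ways, with unsalted SHA-1 and with salted, iterated PBKDF2, and the same short constructed wordlist is run against both. The account names, passwords, wordlist and round count are all made up for the demonstration.

```python
import hashlib

# Constructed wordlist standing in for the multi-million-entry lists crackers use.
WORDLIST = ["123456", "password", "letmein", "qwerty", "zappos", "shoes2012", "iloveyou"]


def store_unsalted_sha1(password):
    """The weak scheme: one fast hash, no salt. Two users with the same password
    get the same digest, and one guess can be checked against every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_pbkdf2(password, salt, rounds):
    """The better scheme: a per-user salt plus many rounds of hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def crack_unsalted(stolen, wordlist):
    """Offline dictionary attack on unsalted hashes. Each candidate is hashed once
    and looked up against the whole stolen table.
    Returns ({account: recovered password}, number of hashes computed)."""
    table = {store_unsalted_sha1(w): w for w in wordlist}
    found = {acct: table[digest] for acct, digest in stolen.items() if digest in table}
    return found, len(wordlist)


def crack_pbkdf2(stolen, wordlist, rounds):
    """Same attack on salted PBKDF2 hashes. The salt defeats the shared table, so
    every (account, candidate) pair costs a full derivation of `rounds` hashes.
    Returns ({account: recovered password}, number of underlying hashes computed)."""
    found, work = {}, 0
    for acct, (salt, digest) in stolen.items():
        for w in wordlist:
            work += rounds
            if store_pbkdf2(w, salt, rounds) == digest:
                found[acct] = w
                break
    return found, work


def demo(rounds=20_000):
    """Constructed accounts: three weak or reused passwords and one long, unique one."""
    plaintexts = {"alice": "password", "bob": "letmein", "dana": "zappos", "erin": "56$$-OraN-$$65"}
    stolen_sha1 = {a: store_unsalted_sha1(p) for a, p in plaintexts.items()}
    # Salts are random per user at enrolment; fixed strings here so the run is reproducible.
    salts = {a: f"salt-{a}".encode() for a in plaintexts}
    stolen_pbkdf2 = {a: (salts[a], store_pbkdf2(p, salts[a], rounds)) for a, p in plaintexts.items()}
    return crack_unsalted(stolen_sha1, WORDLIST), crack_pbkdf2(stolen_pbkdf2, WORDLIST, rounds)


if __name__ == "__main__":
    (weak_found, weak_work), (strong_found, strong_work) = demo()
    print("unsalted SHA-1:", weak_found, "after", weak_work, "hashes")
    print("salted PBKDF2: ", strong_found, "after", strong_work, "hashes")
```

Both schemes give up the three wordlist passwords; the difference is cost. The unsalted table falls to seven hash computations in total, while the salted, iterated one needs a fresh derivation per account per guess (340,000 hash rounds here, and real deployments use far longer wordlists). Only "erin", whose password is long and not in any wordlist, survives either way, which is the point of the advice that follows.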
However, there are ways we can protect ourselves.
First, do not use the same password for every account. If one password is compromised, then every account using that password is compromised with it. To prevent this, create a unique password for each account. Don't worry, you don't have to remember hundreds of passwords. Just invent a pattern for creating passwords that is based on the account you are entering. One caveat: the fixed part of any pattern is shared across all of your accounts, so it only stays personal as long as no two of your passwords are ever seen side by side.
Here is an example.
Example Pattern: 56$$-FooD-$$65
(Food = the first four letters of a food that relates to the account I’m entering)
Example password: 56$$-OraN-$$65
(This might be my password for Yahoo. Since Yahoo ends in “o” I chose the first four letters of a food that starts with “o” to take the place of FooD)
Another example password: 56$$-EggP-$$65
(This might be my password for Google. Google ends in “e” and “e” is for eggplant.)
The trick is to make a pattern that is personal to only you.
The second thing you can do is use a strong password. I suggest using a password that is easy to remember but hard for a computer (even a supercomputer) to crack. Consider creating passwords using a password haystack, the idea being that length, even added as simple repeated padding, grows the search space faster than extra symbol variety does. Please take a few minutes to watch this video to see how (and why) to use password haystacks. Then visit this site to create your first haystack.
People create programs to hack our accounts for a reason: there is money to be made from stolen information. This has happened before and it will happen again. Be safe now. Fix your passwords today.
Okay, here's the problem: bots. Bots are small programs written to crawl all over the Internet looking for ways to cause trouble. Often they're made to help spammers do their dirty work. Bots will create accounts and pretend that they are real people. They might sign up for online email accounts or leave comments on a blog.
Because of bots, websites need a way to verify that only humans are signing up for their services. They need to ask a question that humans can answer but computers cannot. Enter the CAPTCHA. CAPTCHAs are those squiggly letters you're asked to enter when you sign up for things online. Here is an example:
A recent estimate suggests that 60 million CAPTCHAs are solved by humans each day; that's a lot of reading and typing! The folks at reCAPTCHA have decided to put all that human power to work. Using their service, you are shown two words: one whose answer the system already knows, and one taken from a scanned book that a computer could not convert. Your answer is checked against the known word, and your reading of the unknown word is recorded. Since humans can read better than computers, you're actually helping to digitize books while preventing spam.
You can help the book digitizing effort by adding reCAPTCHA to your site. You can use it to protect your email or your blog’s comments section; reCAPTCHA makes implementation easy.
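A toy model of the two-word scheme described above, added here as an example and not reCAPTCHA's own code: each challenge pairs a control image (answer known) with a scan image (answer unknown). The control word gates the user, a failed control answer means the scan reading is discarded, used challenge IDs cannot be replayed, and a scan word counts as transcribed once enough accepted readings agree. The image identifiers, the agreement threshold and the simulated users are all assumptions made up for the demonstration.

```python
import random
import secrets


class RecaptchaLike:
    """Server side of a two-word challenge: one control word with a known answer,
    one scan word whose human readings are collected until they agree."""

    def __init__(self, control_words, scan_words, agreement=3, seed=None):
        self.control = dict(control_words)          # {image_id: known answer}
        self.scan_words = list(scan_words)          # image ids whose text is unknown
        self.votes = {s: {} for s in scan_words}    # {image_id: {reading: count}}
        self.agreement = agreement
        self.pending = {}                           # {challenge_id: (control_id, scan_id)}
        self.rng = random.Random(seed)              # seeded only for reproducible demos

    def issue_challenge(self):
        """Return (challenge_id, [image_id, image_id]); the two images are shuffled
        so the client cannot tell which one is the control word."""
        challenge_id = secrets.token_hex(8)
        control_id = self.rng.choice(list(self.control))
        scan_id = self.rng.choice(self.scan_words)
        self.pending[challenge_id] = (control_id, scan_id)
        images = [control_id, scan_id]
        self.rng.shuffle(images)
        return challenge_id, images

    def check_answer(self, challenge_id, readings):
        """readings is {image_id: text typed by the user}. Returns True if the user
        passes. The scan reading is only recorded from users who passed."""
        control_id, scan_id = self.pending.pop(challenge_id, (None, None))
        if control_id is None:
            return False                            # unknown or replayed challenge
        if readings.get(control_id, "").strip().lower() != self.control[control_id].lower():
            return False                            # failed the known word: treated as a bot
        reading = readings.get(scan_id, "").strip().lower()
        self.votes[scan_id][reading] = self.votes[scan_id].get(reading, 0) + 1
        return True

    def transcriptions(self):
        """Scan words whose most common reading has reached the agreement threshold."""
        out = {}
        for scan_id, counts in self.votes.items():
            if counts:
                reading, n = max(counts.items(), key=lambda kv: kv[1])
                if n >= self.agreement:
                    out[scan_id] = reading
        return out


def simulate():
    """Constructed run: three humans read the unknown word the same way, a bot fails
    the control word, and one human replays an already-used challenge."""
    svc = RecaptchaLike({"ctl-1": "shoe"}, ["scan-1"], agreement=3, seed=1)
    results = {"human_ok": 0, "bot_ok": 0, "replay_ok": 0}
    last = None
    for _ in range(3):
        cid, images = svc.issue_challenge()
        readings = {img: ("shoe" if img == "ctl-1" else "zappos") for img in images}
        results["human_ok"] += svc.check_answer(cid, readings)
        last = (cid, readings)
    cid, images = svc.issue_challenge()
    results["bot_ok"] += svc.check_answer(cid, {img: "xk7q" for img in images})
    results["replay_ok"] += svc.check_answer(*last)
    results["transcriptions"] = svc.transcriptions()
    return results


if __name__ == "__main__":
    print(simulate())
```

The bot's garbage reading never reaches the vote table, which is what makes the crowd-sourced transcription trustworthy: only answers from someone who just proved they can read the known word are counted.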
People can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down… writing down your impossible-to-memorize password is more secure than making your password easy to memorize.
Another suggestion that I like comes from security expert Steve Gibson. During his podcast Security Now, Steve explains:
Most people have never taken some time to create their own policy, their own personal password policy. They’re on the web, they’re doing something, and suddenly something says, okay, give me a password, create a password. And so, you know, they think of – they just do the first thing that comes to mind, whatever that might be. And so I wanted to take some time to discuss the issue of passwords and cause our listeners to sort of say, okay, wait a minute, this is an important thing. I’m going to, you know, take five minutes and figure out what I want to do about this, rather than continuing not to think about it and not to think that it’s important. Because I think it arguably really is an important issue.
Steve suggests that you create a little algorithm that produces a different password for each place you log into.
…take every other letter from the domain name, or every third letter. Come up with a rule for capitalizing them. Swap some letters around. You know, just sort of make up your own algorithm – and you don’t share with anybody else, and don’t use anything that I’ve talked about on the show, of course – and use that to create a password. Maybe take the name and, like, mix in the year of your birth, alternating that with the letters.
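Both the food-pattern idea earlier in the post and Gibson's "little algorithm" derive each site's password from a rule plus something site-specific. The added example below (mine, not the post's or Gibson's code) puts the two side by side: the post's fixed-frame pattern, what an attacker sees when two of its outputs leak together, and a keyed version of the same idea, where the rule is HMAC-SHA256 over the domain with a memorised master secret as the key. The master secret, the character alphabet, the 16-character length and the counter parameter are assumptions for the demonstration.

```python
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits + "!$%-_"   # 67 printable characters


# --- Scheme 1: the fixed-frame pattern from the post ("56$$-FooD-$$65") ---

def pattern_password(fragment):
    """Constant frame around a four-letter fragment the user picks per site."""
    return f"56$$-{fragment}-$$65"


def common_frame(pw_a, pw_b):
    """What an attacker learns by comparing two leaked passwords from the same
    user: the longest shared prefix and suffix, i.e. the constant part of the
    pattern. Returns (prefix, suffix)."""
    limit = min(len(pw_a), len(pw_b))
    n = 0
    while n < limit and pw_a[n] == pw_b[n]:
        n += 1
    m = 0
    while m < limit - n and pw_a[-1 - m] == pw_b[-1 - m]:
        m += 1
    return pw_a[:n], (pw_a[len(pw_a) - m:] if m else "")


def guesses_after_frame_known(fragment_len=4, alphabet_size=52):
    """Once the frame is known, the next site's password is only the fragment:
    alphabet_size ** fragment_len candidates (upper and lower case letters here)."""
    return alphabet_size ** fragment_len


# --- Scheme 2: Gibson's "little algorithm", done with a keyed hash ---

def derived_password(master_secret, domain, counter=0, length=16, alphabet=ALPHABET):
    """Deterministic per-site password: HMAC-SHA256 over the normalised domain and
    a counter, keyed with a master secret the user memorises and never types into
    any site. Outputs for different domains share no structure, so a leak from one
    site says nothing about the others; bump `counter` when a site forces a change."""
    message = f"{domain.strip().lower()}\n{counter}".encode()
    digest = hmac.new(master_secret, message, hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))   # base conversion; bias is negligible for 16 chars from 256 bits
        chars.append(alphabet[idx])
    return "".join(chars)


def demo():
    """Constructed inputs: the post's two example fragments and a made-up master secret."""
    pattern = {"yahoo.com": pattern_password("OraN"), "google.com": pattern_password("EggP")}
    secret = b"correct horse battery staple (example only)"
    derived = {d: derived_password(secret, d) for d in pattern}
    return {
        "pattern": pattern,
        "pattern_frame_leaked": common_frame(*pattern.values()),
        "pattern_guesses_left": guesses_after_frame_known(),
        "derived": derived,
        "derived_frame_leaked": common_frame(*derived.values()),
        "derived_guesses": len(ALPHABET) ** 16,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two leaked pattern passwords give away "56$$-" and "-$$65", leaving roughly seven million fragment guesses for every other site; two leaked derived passwords give away nothing usable, and 67^16 is far beyond any guessing budget. The trade is that the master secret becomes the single thing to protect, and some sites will reject characters from the alphabet or cap the length, so a real tool needs per-site rules for those cases.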