
As many as 1.2 billion user names and password combinations may have been stolen. Security experts are urging consumers to be more vigilant online.

The New York Times is reporting that several computer security firms say they have identified an effort by a Russian cybergang that injected malicious code into at least 420,000 websites to gather the data. Because people tend to use the same password, or a form of the same password, on multiple sites, even a medium-sized breach can have major repercussions: those passwords are reused on so many systems. This is no medium-sized breach. It's enormous.

Suggestions from the experts:

• Prioritize. Identify the accounts where your money is, and the accounts where your sensitive medical information is. Change those passwords now.

• Mix it up. Create passwords that are 10 characters or longer and include uppercase letters, lowercase letters, symbols and numbers.

• Split social media and money. Do not use the same password for credit cards and bank accounts that you use for social media or websites. Do not even use a form of them.

• Revise record-keeping. Don't store your account information in an unsecured document on your computer or network. It is best to keep such information as a secure hard copy.

• Keep data close. Don't share your password, even with friends and family. If particular circumstances require that you do so, change the password at the first possible opportunity.

• Stay informed. Beyond changing passwords and creating better ones, watch the news for stories like this one.

Daily Kos Diarist stevemb suggests that we Use A Password Manager. "Most people simply can't remember more than a few strong passwords, so they fall into bad habits of using weak passwords (bad -- an automated guessing program will break it easily) or using the same password everywhere (worse -- one breach and everything falls).

The problem can be avoided by using a password manager; you only have to remember one master password. I use KeePass, which has versions for just about all platforms (including mobile devices) and is free; searching for "password manager" will turn up other options."

On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

by stevemb on Wed Aug 06, 2014 at 06:02:49 PM CDT. Thanks stevemb


  •  Use A Password Manager (13+ / 0-)

    Most people simply can't remember more than a few strong passwords, so they fall into bad habits of using weak passwords (bad -- an automated guessing program will break it easily) or using the same password everywhere (worse -- one breach and everything falls).

    The problem can be avoided by using a password manager; you only have to remember one master password. I use KeePass, which has versions for just about all platforms (including mobile devices) and is free; searching for "password manager" will turn up other options.

    On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

    by stevemb on Wed Aug 06, 2014 at 04:02:49 PM PDT

    •  Great suggestion Recc (2+ / 0-)

      May I add this as an update to my diary- I will credit you.

      "It is better to light one candle than curse the darkness." (Adlai Stevenson in praise of Eleanor Roosevelt) (Glowing Candle Avatar Adopted in 1986)

      by murphthesurf3 on Wed Aug 06, 2014 at 04:09:30 PM PDT

      [ Parent ]

    •  Roboform (3+ / 0-)

      works pretty well, also.

      1. Books are for use.

      by looty on Wed Aug 06, 2014 at 04:29:16 PM PDT

      [ Parent ]

    •  I added your insight so others could see it (2+ / 0-)

      Hope that is ok... it was so obvious and I missed it.

      "It is better to light one candle than curse the darkness." (Adlai Stevenson in praise of Eleanor Roosevelt) (Glowing Candle Avatar Adopted in 1986)

      by murphthesurf3 on Wed Aug 06, 2014 at 04:35:16 PM PDT

      [ Parent ]

    •  I use LastPass, but I have a problem with it (3+ / 0-)

      It remembers my passwords fine. But then the website I'm visiting changes the exact wording of its landing pages. For example, mail.live.com becomes mail.live.com/login. Then LastPass doesn't recognize to use the same login and password.

      Because of this problem, I also have to retain a copy of the password elsewhere so I know what to enter when the landing page changes.

      Stevemb, if you know the solution to this, I would be grateful.

      working for a world that works for everyone ...

      by USHomeopath on Wed Aug 06, 2014 at 04:49:02 PM PDT

      [ Parent ]

      •  I'm Not Familiar With The Details Of LastPass... (1+ / 0-)
        Recommended by:
        USHomeopath

        ...so I can only offer a few general suggestions. Does it have any way to open the password database for copying and pasting passwords (or viewing them, if the site won't allow pasting into the password field)? I'd think it would have to have some way to do that so that you can edit passwords when you change them.

        KeePass does occasionally stumble over the same issue, but it's more robust because it can be set to register a match if just the main-site portion of the URL is the same (e.g. "www.dailykos.com" will match "www.dailykos.com/users/sign_in"). Admittedly, there's a bit of a learning curve to climb if you need to do that sort of setup.

        On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

        by stevemb on Wed Aug 06, 2014 at 05:20:10 PM PDT

        [ Parent ]

      •  I am very happy with LastPass (5+ / 0-)

        If a site changes its login path (as you illustrated) I just go to my LastPass vault and find the password that was previously used on the site.  No worries, and a one-time inconvenience to log onto the new landing page.

        I swear by LastPass, and have it tied into all my devices -  PC, all my iThingies, and Android phone.

        •  thanks so much (2+ / 0-)
          Recommended by:
          Zadatz, stevemb

          I didn't realize I could do this.

          working for a world that works for everyone ...

          by USHomeopath on Wed Aug 06, 2014 at 07:36:00 PM PDT

          [ Parent ]

        •  I also recommend LastPass (2+ / 0-)
          Recommended by:
          stevemb, Zadatz

          Used it for many years. It has plugins for all the major browsers, so creating and inserting strong passwords is quite easy. But, yes, trips to the vault are sometimes necessary, with any service, I suspect.

          There is a free version which is adequate for most folks, including me, but I give them money anyway, because I use it so much. They also own Xmarks, a bookmarks manager, which is very handy to sync your bookmarks/favorites between machines.

          Oklahoma: birthplace of Kate Barnard, W. Rogers, W. Guthrie, Bill Moyers & Eliz. Warren. Home to proud progressive agitators since before statehood. Current political climate a mere passing dust cloud; we're waiting it out & planning for clearer days.

          by peacearena on Thu Aug 07, 2014 at 07:40:54 AM PDT

          [ Parent ]

    •  There are many out there... (1+ / 0-)
      Recommended by:
      stevemb

      I use "Password Safe" myself.  There is an Android version, so you can cut-and-paste complicated passwords on your phone instead of trying to type them.

    •  KeePass works for me! (1+ / 0-)
      Recommended by:
      stevemb

      Simple, straightforward.  All you need to do is remember your one master password to get into it.  Open source means no back doors.

  •  I have 5,000 passwords and I would hate (3+ / 0-)

    to have just one. What if Password Manager is hacked?

    "Religion is what keeps the poor from murdering the rich."--Napoleon

    by Diana in NoVa on Wed Aug 06, 2014 at 04:51:27 PM PDT

    •  That's why you make your password mgr... (0+ / 0-)

      ...the strongest password you possibly can.  While no password is "unhackable", there are certain tricks of the trade that you can use to make it unhackable, for all intents and purposes.

    •  If you're really paranoid (1+ / 0-)
      Recommended by:
      blackhand

      you can use 2-factor authentication with many password managers, such as a hardware USB token, mobile phone text validations, or other similar mechanisms.

      I use Google Authenticator with my LastPass password manager, which makes me enter a constantly changing code from an app on my phone the first time I try and use LastPass from any new computer.

      •  I keep my passwords in a text file (0+ / 0-)

        That is stored on a volume that gets mounted with Truecrypt.  In other words, the file that contains the passwords is embedded cryptographically within a much larger encrypted mess.  

        One other technique that I've used is to use GPG to encrypt documents, such as a password list, and place the private key on a USB stick that needs to be present to decrypt the file.  Then again, when it comes to computer security, I am paranoid and I don't use the same password in multiple locations.

        "It's not surveillance, it's data collection to keep you safe"

        by blackhand on Thu Aug 07, 2014 at 08:10:16 AM PDT

        [ Parent ]

        •  That's Basic Security, Not Paranoia (0+ / 0-)

          "...I am paranoid and I don't use the same password in multiple locations."

          Using the same password on multiple sites is a gaping security hole -- when cybercrooks steal passwords, they try them at various banks, online stores, etc and save the ones that work. Anything that would cause trouble if the password leaked needs a unique one.

          On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

          by stevemb on Thu Aug 07, 2014 at 09:06:48 AM PDT

          [ Parent ]

  •  The problem with password managers is that (4+ / 0-)

    They can also be hacked.  It appears that a hard copy is safer. I have my hard copy abbreviated, so if it is stolen it won't be incredibly easy to access.

    Be bold. Be courageous. Americans are counting on you. Gabby Giffords.

    by Leftleaner on Wed Aug 06, 2014 at 05:23:19 PM PDT

  •  better yet, passphrases. full sentences. (6+ / 0-)

    Short passwords made of gobbledegook are easier to crack than passphrases that consist of plain sentences.

    Short passwords made of gobbledegook are also particularly bad for people with dyslexia and other visual impairments.  Think of wheelchair users being expected to go up stairways.  That ought to be illegal under ADA.

    We got the future back. Uh-oh.

    by G2geek on Wed Aug 06, 2014 at 05:28:55 PM PDT

    •  I like passphrases. (2+ / 0-)
      Recommended by:
      Cassandra Waites, blackhand

      I also like multi-layered authentication.

      But believe me, I deal with people having issues with their passwords every day (it's one of my jobs) and most people have a hard time with even basic password security, so don't want to be bothered.

      How hard is it to make DailyKos D@i!yK0s?  That's only 8 characters, but very difficult to hack.  Now, pair that with an 8 character RSA token generator to create a passphrase, and it's impossible to hack, for all intents and purposes.

      •  Information theory tells us that D@i!yK0s isn't (4+ / 0-)

        secure. It's way less secure than something like "My fish rode a green scooter." It's also very hard to memorize passwords like D@i!yK0s so people tend to use the same password on multiple sites. What we've done for the last 20 years or so with passwords is made them hard for humans to remember and easy for computers to break. That needs to stop. Now.

        GOP 2014 strategy -- Hire clowns, elephants, and a ringmaster and say "a media circus" has emerged and blame Democrats for lack of progress. Have pundits agree that "both sides are to blame" and hope the public will stay home on election day.

        by ontheleftcoast on Wed Aug 06, 2014 at 06:09:08 PM PDT

        [ Parent ]

        •  Obligatory xkcd (3+ / 0-)

          Password Strength

          "Explain xkcd" has some more extensive commentary on their page for this comic as well.

          On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

          by stevemb on Wed Aug 06, 2014 at 06:49:31 PM PDT

          [ Parent ]

        •  You're not paying attention (2+ / 0-)
          Recommended by:
          Cassandra Waites, blackhand

          D@i!yK0s isn't that particularly secure in and of itself (although it's not bad), but at least it isn't subject to a dictionary attack.  My point, perhaps poorly articulated, was that if you pair that with an 8 character token generator on a 30 second interval, you have an unbreakable passphrase that's essentially equivalent to a one time pad.

          Your example requires spaces.  While very, very secure, most sites and even internal corporate authentication servers won't accept spaces.

          (By way of "authenticating" myself, I'm CISSP and GIAC certified.)

          •  You could say any unusual brand name isn't (2+ / 0-)
            Recommended by:
            Zadatz, Cassandra Waites

            subject to a dictionary (or more correctly a word list) attack. But adding 10,000 common brand names (and that would include DailyKos) to the list of words wouldn't add a lot to the processing power required to break such passwords. The 8 characters of random goo would. But it gets back to the problem that people can't remember passwords like that so they write them down. Or use the same ones over and over and keep them for years. That's another thing, you should change your passwords every few months, at least as often as you change the batteries in your smoke alarms. And we need to get the damn IT community to allow spaces (and all punctuation) in passwords. It's not freaking rocket science.

            GOP 2014 strategy -- Hire clowns, elephants, and a ringmaster and say "a media circus" has emerged and blame Democrats for lack of progress. Have pundits agree that "both sides are to blame" and hope the public will stay home on election day.

            by ontheleftcoast on Wed Aug 06, 2014 at 07:36:38 PM PDT

            [ Parent ]
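            To put numbers on the comparison running through this subthread (a leet-mangled brand name versus several random words versus random characters), here is an added estimator that is not from any commenter; the 10,000-name brand list, the 7,776-word diceware-style list, the substitution table and the 10^10 guesses/second offline rate are all assumptions for illustration.

```python
import math

# Constructed substitution table (an assumption, not from the thread): the
# alternatives a guessing rule set would try for each letter, e.g. a -> @, 4.
LEET = {"a": "@4", "e": "3", "i": "!1", "l": "!1", "o": "0", "s": "$5"}


def leet_word_bits(wordlist_size: int, word: str) -> float:
    """Upper bound, in bits, on the strength of a word-list entry mangled with
    leet substitutions and case changes.

    Each letter position has (unchanged + uppercase + substitutes) options, so
    mangling multiplies the list size by a fixed factor. That is the point made
    above: the list grows by a constant factor, the character set does not."""
    variants = 1
    for ch in word.lower():
        variants *= 2 + len(LEET.get(ch, ""))
    return math.log2(wordlist_size * variants)


def passphrase_bits(num_words: int, list_size: int) -> float:
    """Bits for num_words chosen uniformly at random from a list of list_size
    words (the xkcd / diceware model). A grammatical sentence you made up has
    less entropy than this, because word choice is not uniform."""
    return num_words * math.log2(list_size)


def random_chars_bits(length: int, alphabet_size: int) -> float:
    """Bits for length characters chosen uniformly from alphabet_size symbols
    (95 = printable ASCII): the '8 characters of random goo' case."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try the whole space at a given offline guessing rate.
    Expected time to hit one particular password is about half of this."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(rate: float = 1e10) -> dict:
    """Side-by-side estimate for the three styles discussed in the thread.
    rate is an assumed offline guessing speed against a fast unsalted hash."""
    cases = {
        "D@i!yK0s-style (10,000-name list + mangling)": leet_word_bits(10_000, "DailyKos"),
        "6 random words from a 7,776-word list": passphrase_bits(6, 7776),
        "8 random printable-ASCII characters": random_chars_bits(8, 95),
    }
    return {name: (round(b, 1), years_to_exhaust(b, rate)) for name, b in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:48s} {bits:6.1f} bits  {years:.3g} years to exhaust")
```

            The mangled brand name comes out near 26 bits, the random 8 characters near 53, and the six random words near 78; pairing any of them with a one-time token is a separate factor that this estimate deliberately leaves out.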

          •  What's your opinion of doing something (0+ / 0-)

            like interlacing a memorable number with a memorable name to make an easily remembered password?

            Like if I interlaced the house number on the street where I lived in 5th grade with the name of the street that the house was on; or interlacing a former phone number with the name of a favorite movie star? ... how crackable is something like that?

            Example: (and just an example ... nothing personal to see here)  1m2a3i4n5s6t; interlacing 123456 and Main St.

            Just curious.

            ¡No más no me chingan!

            by dobleremolque on Wed Aug 06, 2014 at 11:21:05 PM PDT

            [ Parent ]

  •  give Russia an ultimatum: (5+ / 0-)

    Eradicate their national infestation of cybercriminals, or the world will cut off Russia's access to the internet.

    Quarantine.

    We got the future back. Uh-oh.

    by G2geek on Wed Aug 06, 2014 at 05:32:05 PM PDT

    •  They could say the same about the NSA (5+ / 0-)

      We need to take that beam out of our own eye first. And if this data breach was pulled off by a dozen hackers in 6 months what percent of the username/password combos do you think the NSA has? 99.9% or only 99%?

      GOP 2014 strategy -- Hire clowns, elephants, and a ringmaster and say "a media circus" has emerged and blame Democrats for lack of progress. Have pundits agree that "both sides are to blame" and hope the public will stay home on election day.

      by ontheleftcoast on Wed Aug 06, 2014 at 06:11:35 PM PDT

      [ Parent ]

      •  Another Way The NSA's Actions Damaged Us (4+ / 0-)

        We've lost the credibility we need to shame and pressure bad actors.

        Worse, it's possible (if not downright likely) that some of these cybercrimes use tools collected and created by the NSA -- if one person could get into their secret files to publicly blow the whistle on them, then another person (or any number of them, really) could have gotten into their secret files to privately exploit their bag of backdoor-access tricks.

        On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

        by stevemb on Wed Aug 06, 2014 at 06:54:37 PM PDT

        [ Parent ]

      •  The NSA spying has made things worse, a lot worse (1+ / 0-)
        Recommended by:
        stevemb

        By incorporating the back doors into security hardware and software, they have created an avenue that will be exploited.  

        "It's not surveillance, it's data collection to keep you safe"

        by blackhand on Thu Aug 07, 2014 at 08:14:20 AM PDT

        [ Parent ]

    •  Oh, Gods no... (0+ / 0-)

      You're asking for SOPA on a global scale.

      "It's not surveillance, it's data collection to keep you safe"

      by blackhand on Thu Aug 07, 2014 at 08:13:20 AM PDT

      [ Parent ]

  •  Kossack check-in (4+ / 0-)
    Recommended by:
    Birdman, TracieLynn, stevemb, sunbro

    Everyone whose passwords haven't been compromised, please post your user IDs and passwords here so we know you're safe!

    It's not the side effects of the cocaine/I'm thinking that it must be love

    by Rich in PA on Wed Aug 06, 2014 at 05:40:10 PM PDT

  •  Username:ruskiepatsy (1+ / 0-)
    Recommended by:
    sunbro

    Password:totallyfu*!ed

    A drowning man can not learn to swim. -- Chris Lonsdale

    by Rikon Snow on Wed Aug 06, 2014 at 05:50:35 PM PDT

  •  Not quite armageddon (2+ / 0-)
    Recommended by:
    Demi Moaned, blackhand

    Based on the article, they just stripped information from databases (seriously, anyone who hasn't protected their site from SQL Injection deserves to go out of business; it's been known about for 20 years).

    The passwords are hopefully hashed and salted before being stored; that means that anyone using a strong password would likely be safe.  The issue is if any of these companies just did basic MD5 hashes or [shudder] stored passwords in plain text.

    Odds are, most people are fine.  Certainly any reputable site should be fine (banking, major news, etc.).  This is likely mostly coming from smaller sites or foreign sites that don't heed security measures.
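    As an added illustration of the "hashed and salted" versus "basic MD5" distinction in the comment above (not any site's code; the three sample accounts are constructed), PBKDF2 from Python's standard library stands in for whatever slow, salted scheme a site actually uses:

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not real data): two users share a password,
# which is exactly the situation a leaked table exposes.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "hunter2"),
    ("carol", "hunter2"),
]


def md5_unsalted(password: str) -> str:
    """What a site that 'just did basic MD5' stores: same password, same hash,
    for every user and every site, so one precomputed table covers them all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = 600_000) -> dict:
    """Salted, iterated record using PBKDF2-HMAC-SHA256 (an illustration of
    'hashed and salted', not any particular site's scheme). A fresh random
    salt per user means equal passwords give unequal records and precomputed
    tables are useless; the iteration count makes every guess slow."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_password_groups(users, hasher) -> int:
    """Count stored values that appear more than once. With an unsalted hash
    this reveals which users share a password before any guessing happens;
    with per-user salts it is always 0."""
    counts = Counter(hasher(pw) for _, pw in users)
    return sum(1 for c in counts.values() if c > 1)


def demo() -> dict:
    # A low iteration count keeps the demo quick; use the default in practice.
    rec = make_record("hunter2", 1000)
    return {
        "unsalted_duplicate_groups": shared_password_groups(SAMPLE_USERS, md5_unsalted),
        "salted_duplicate_groups": shared_password_groups(
            SAMPLE_USERS, lambda pw: make_record(pw, 1000)["hash"]),
        "verify_right": verify("hunter2", rec),
        "verify_wrong": verify("hunter3", rec),
    }


if __name__ == "__main__":
    print(demo())
```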

  •  Warning (4+ / 0-)

    Don't take all warnings at face value (including this one).

    I don't disagree with the solid practical computer housekeeping ideas presented by anyone here. One of the things I need to do is start using a password manager myself.

    Still, we may not know the whole story of the claimed 1.2B stolen passwords.

    If Hold Security is inflating the risks people are potentially facing here their corporate officers belong in jail.

    If your strategy depends on having fewer people show up to vote, that is not a sign of strength. That is a sign of weakness. President Obama

    by Had Enough Right Wing BS on Wed Aug 06, 2014 at 06:10:41 PM PDT

  •  i changed my bank password and paypal (3+ / 0-)
    Recommended by:
    stevemb, side pocket, ladybug53

    but i don't care if they get my password to daily kos!

    Politics is like driving. To go backward put it in R. To go forward put it in D.
    Drop by The Grieving Room on Monday nights to talk about grief.

    by TrueBlueMajority on Wed Aug 06, 2014 at 06:49:12 PM PDT

  •  I use the prefix + suffix approach (0+ / 0-)

    I have a prefix phrase that begins every password that is deeply personal. Then I have a simple, memorable code that I use that incorporates the domain name of the site in question.

    That makes every password memorable, personal, and unique.

    Seems to work for me. Your mileage may vary.

    Almost everything you do will seem insignificant, but it is most important that you do it.

    by The Termite on Thu Aug 07, 2014 at 07:58:23 AM PDT

  •  Here's another recommendation for password manager (0+ / 0-)

    Password Safe by Bruce Schneier.  

    Password Safe is now an open source project. As of July 27, 2014, the latest Windows version is 3.34. A Linux version is currently in beta. To download the program, or for technical support, please visit its Sourceforge page.

    Password Safe protects passwords with the Twofish encryption algorithm, a fast, free alternative to DES. The program's security has been thoroughly verified by Counterpane Labs under the supervision of Bruce Schneier, author of Applied Cryptography and creator of the Twofish algorithm.

    "It's not surveillance, it's data collection to keep you safe"

    by blackhand on Thu Aug 07, 2014 at 08:17:06 AM PDT
