Another Important Password Management Reminder Courtesy of 8,000 Comcast Customers
by Wyatt Walter
Today news reached the media that Comcast had a list of over 8,000 usernames and passwords in a publicly accessible directory on a web server. The file apparently had been accessible for months and had been viewed 345 times and downloaded 27 times before someone notified Comcast. The list was discovered by Kevin Andreyo, a professor in Pennsylvania, after he read an article on using search engines to dig up secrets about people. Andreyo decided to search for his email address, discovered the list and turned it in to Comcast and the FBI. Comcast has released a statement saying that the number of compromised accounts was more like 4,000, because the list had lots of duplicate entries.
Regardless of the number or severity of the exposure, the fact is that lots of people had their username/password combinations stolen. A very large number of people use the same password for all of their accounts and never, ever change their passwords. That means that this problem most likely exposed a large number of people’s bank accounts, email accounts, or other online accounts. As we become more and more dependent on online services, password management becomes very important.
While you can’t prevent your passwords being exposed in this way, there are some steps you can take to prevent your online accounts from being broken into:
Don’t use the same password for multiple services
This can be unmanageable for some without the use of a piece of password management software, which is a religious debate that I’m not going to get into here. Even having a set of 3 or 4 passwords that you use can help to minimize exposure should an event like the Comcast issue take place.
Use a complex password
Now, this won’t help you in this case when the password is listed in plain text, but if your password is not easily guessable, it won’t be subject to simple dictionary attacks.
Don’t use a guessable password
Often, in IT security, attacks come from within an organization. Someone who knows you very well is more likely to want to break into your account than someone who doesn’t, and is a much more likely candidate to guess your password. Be sure not to use a simple word or phrase that a lot of people close to you would be able to guess.
Change your passwords frequently
In the case of the exposure today, changing one’s password is a quick and simple fix to ensure that an attacker won’t break in. It’s also important to keep changing your passwords if they are particularly vulnerable to brute-force attacks. A lot of web services and SSH servers are not set up properly to stop a brute-force attack. Also, a compromised system can have the passwords stored on it cracked over time without the owner having any idea.
While these steps certainly don’t guarantee one’s security, they are a great step toward protecting your identity and personal information online. While none of these are any sort of rocket science, they are often left undone even by those who work in the security field.
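The four tips above can be applied as a self-audit of your own account list. The script below is an added example, not part of the original post; the account names, passwords, word lists, the 10-character and three-character-class thresholds, and the 180-day age limit are all constructed assumptions.

```python
from datetime import date

# Constructed sample data, not real credentials: service -> (password, last changed).
# In practice, load this from a password manager export rather than source code.
ACCOUNTS = {
    "isp-mail": ("fluffy2009", date(2007, 1, 10)),
    "bank": ("fluffy2009", date(2007, 1, 10)),
    "forum": ("password", date(2009, 2, 1)),
    "photos": ("T7#qv!Lm29xPz", date(2009, 3, 1)),
}
COMMON_WORDS = {"password", "letmein", "qwerty", "123456"}  # tiny stand-in for a dictionary
PERSONAL_TERMS = {"fluffy", "springfield"}  # hypothetical pet name and home town


def char_classes(pw):
    """Count how many of lower/upper/digit/symbol appear in the password."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in pw) for t in tests)


def audit(accounts, common_words, personal_terms, today, max_age_days=180):
    """Return {service: [findings]} for the four tips; max_age_days is an assumed policy."""
    findings = {name: [] for name in accounts}

    # Tip 1: the same password on more than one service.
    services_by_pw = {}
    for name, (pw, _) in accounts.items():
        services_by_pw.setdefault(pw, []).append(name)
    for names in services_by_pw.values():
        if len(names) > 1:
            for name in names:
                findings[name].append("reused")

    for name, (pw, changed) in accounts.items():
        lowered = pw.lower()
        base = lowered.strip("0123456789!@#$%")  # "password1!" is still "password"
        # Tip 2: dictionary word, too short, or too few character classes.
        if base in common_words or len(pw) < 10 or char_classes(pw) < 3:
            findings[name].append("weak")
        # Tip 3: contains something people close to you would know.
        if any(term in lowered for term in personal_terms):
            findings[name].append("guessable")
        # Tip 4: not changed within the chosen interval.
        if (today - changed).days > max_age_days:
            findings[name].append("stale")
    return findings


if __name__ == "__main__":
    for service, issues in audit(ACCOUNTS, COMMON_WORDS, PERSONAL_TERMS, date(2009, 3, 16)).items():
        print(f"{service:10} {', '.join(issues) or 'ok'}")
```

A "reused" finding is the one that matters most for an exposure like the Comcast list: every service sharing that password needs a new, distinct one.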
Mar 16th, 2009