Posted by: Ken Harthun
security awareness, Security policy, Security practice, Web 2.0 Security
Far too many people use weak passwords and then use the same weak passwords over and over again on the Web. Using a weak password is bad enough; using it in more than one place is lunacy. The worst place for a weak password is your electronic banking site, of course, but using one on any Web 2.0 site can also put your personal information at risk. Let’s take Twitter, for example.
Most people probably wouldn’t think of Twitter as a sensitive site, but recall the previous article about impersonation. Compromise a Twitter password and you can easily pose as the account holder. You could then wreak all manner of havoc on the person’s reputation not only on Twitter, but on every site where the account is linked. Recently, someone managed to get hold of my Twitter password when I tried one of those “get follower” services that someone else recommended. Fortunately, all the thief did was spam messages about their “service,” but there were a few hours there where it appeared I was guilty of spamming. I lost quite a few followers and had to deal with a barrage of questions from my friends on other networks.
Twitter management is aware of the importance of strong passwords and will not allow you to set up an account with any of 370 commonly used weak ones. The list is right there in the source code of the sign-up page if you care to look (view source and search for “banned passwords”); you can also see them in The Washington Post article “370 Passwords You Shouldn’t (And Can’t) Use On Twitter.” If you’re guilty of using any of those, change them immediately.
Here are some good policies to put in place:
- Use strong passwords on all Web 2.0 sites.
- Do not use the same password more than once anywhere on the Web.
- Particularly on Twitter, do not input your password into any third-party site you are not absolutely sure is trustworthy.
- Periodically change your password.
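As an added illustration (not code from the original post or from Twitter), here is a Python sketch of two of the controls above: a sign-up validator that rejects passwords on a banned list the way Twitter's sign-up page does, and a user-side reuse detector for the "never use the same password twice" rule. The banned list is a constructed sample rather than Twitter's actual 370, and the 12-character minimum is an assumed policy value.

```python
import hashlib
import hmac
import os
import string

# Constructed sample of commonly used weak passwords for this example;
# it is NOT Twitter's actual list of 370 banned passwords.
BANNED_PASSWORDS = frozenset({"password", "123456", "12345678", "qwerty", "abc123",
                              "letmein", "twitter", "111111", "iloveyou", "monkey"})
MIN_LENGTH = 12  # assumed policy value, not Twitter's

def check_password(password: str, username: str = "") -> list:
    """Return the policy violations for a sign-up password (empty list = acceptable)."""
    problems = []
    norm = password.strip().lower()  # match the banned list case-insensitively
    if norm in BANNED_PASSWORDS:
        problems.append("banned")
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if username and username.strip().lower() in norm:
        problems.append("contains_username")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        problems.append("too_few_character_classes")
    return problems

class ReuseDetector:
    """User-side reuse check: one salted PBKDF2 digest per site, compared in constant time."""
    def __init__(self):
        self._entries = {}  # site -> (salt, digest)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def sites_using(self, password: str) -> list:
        # Re-derive the candidate with each stored salt; a match means the password is reused.
        return [site for site, (salt, digest) in self._entries.items()
                if hmac.compare_digest(self._digest(password, salt), digest)]

    def add(self, site: str, password: str) -> None:
        reused = self.sites_using(password)
        if reused:
            raise ValueError("password already used on: " + ", ".join(reused))
        salt = os.urandom(16)
        self._entries[site] = (salt, self._digest(password, salt))
```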