What the heck is a password honeypot?
Posted by: Ken Harthun
Has your Gmail, Yahoo, Hotmail or Skype account ever been hacked? If so, you either have an extremely guessable password, or you gave hackers your login credentials by putting them into a password honeypot. What the heck is a password honeypot? Good question. Let me give you a bit of background.
The good guys who fight malware set up servers and computers that are directly connected to the Internet and which are deliberately left vulnerable to malware infection. They do this knowing that the bad guys will infect the machines as soon as they find them. The good guys then have an in-the-wild copy of the malware that they can reverse engineer to see how it works. This is the good version of a honeypot. All of the major anti-malware companies continually monitor their honeypots to discover new malware and variants of old malware.
The bad guys want to hack you and steal your credentials so they can gain access to your accounts for nefarious purposes, such as sending spam, stealing the money from your bank accounts, hijacking your credit card numbers, or even stealing your identity. Besides other, more conventional methods such as email links and poisoned search results, the bad guys set up websites that pretend to give you access to good stuff (often free software, games, etc.) and force you to “create an account” to gain access. This is the bad version of the honeypot.
The bad guys know that most people always use the same login name for everything and often also use the same password for everything. Create an account on one of these password honeypots, and there’s a good chance the bad guys have what they need to make your life miserable. Once they have the credentials you used to create the honeypot account, the bad guys (or their hired cronies) will try those credentials on all of the major email, social networking, banking, and credit card sites.
This is one very good reason never to use the same password on more than one site, and certainly never to use the same credentials as your financial accounts. I have a very specific username for certain types of sites I don’t trust, and I always use an unguessable, different password for each one.
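The attack described above, trying one harvested username and password against many other sites, leaves a recognizable trace on the receiving side: a single source hammering many different usernames in a short window. The script below is an added example (not part of the original post) of how a site operator might spot that pattern in authentication logs and identify which accounts accepted a reused password and therefore need a reset. The log format, the sample lines and the thresholds (five distinct usernames within five minutes) are all assumptions constructed for the example.

```python
"""
Credential-stuffing detector over authentication log lines.
Added example, not from the original post; the log format, the sample
lines and the thresholds below are assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed format:
# "<ISO timestamp> <source ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 alice LOGIN_FAIL
2024-05-01T10:00:01 203.0.113.7 bob LOGIN_FAIL
2024-05-01T10:00:02 203.0.113.7 carol LOGIN_FAIL
2024-05-01T10:00:03 203.0.113.7 dave LOGIN_OK
2024-05-01T10:00:04 203.0.113.7 erin LOGIN_FAIL
2024-05-01T10:00:05 203.0.113.7 frank LOGIN_FAIL
2024-05-01T10:05:00 198.51.100.2 alice LOGIN_FAIL
2024-05-01T10:05:30 198.51.100.2 alice LOGIN_OK
2024-05-01T11:00:00 192.0.2.9 bob LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(LOGIN_OK|LOGIN_FAIL)$")


def parse_line(line):
    """Parse one log line into (timestamp, ip, user, outcome); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, outcome = m.groups()
    return datetime.fromisoformat(ts), ip, user, outcome


def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: sorted usernames tried} for every source IP that attempted
    at least `min_users` distinct usernames inside some sliding window of
    length `window`. A legitimate user retrying their own password from one
    IP touches only one username and is not flagged."""
    attempts = defaultdict(list)  # ip -> [(timestamp, username)]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, user, _ = parsed
            attempts[ip].append((ts, user))

    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users_in_window = {u for _, u in events[start:end + 1]}
            if len(users_in_window) >= min_users:
                # Report every username this source touched, not just the window.
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged


def successful_logins_from_flagged(log_text, flagged):
    """Accounts that accepted a password from a flagged source. These are the
    reused credentials the post warns about and the first ones to reset."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] in flagged and parsed[3] == "LOGIN_OK":
            hits.append((parsed[1], parsed[2]))
    return hits


if __name__ == "__main__":
    sources = find_stuffing_sources(SAMPLE_LOG)
    for ip, users in sources.items():
        print(f"{ip}: tried {len(users)} distinct usernames -> {users}")
    for ip, user in successful_logins_from_flagged(SAMPLE_LOG, sources):
        print(f"reset credentials for {user!r}: accepted from flagged source {ip}")
```

On the sample data only 203.0.113.7 is flagged (six usernames in six seconds), and the one account it logged into successfully is the one whose password was evidently reused elsewhere. The same logic works on real logs once the regular expression is adapted to the format the authentication system actually emits.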