Yes, you can definitely develop a negative attitude towards the "2nd tier" sites and their security systems. At least now people are telling you what is happening, but in short, over the last two months four of my accounts have been compromised. Which means that people got my email and the encrypted password, which they can then take offline and, with a zillion bots, break in seconds per password. Thank goodness lastpass.com now monitors these notifications for you.
If you use the same password for multiple accounts (like google or facebook), then you are screwed, so here is what to do:
- Go to http://lastpass.com/adobe and type in your email to see if you are on the list. If you are, change that password, and try to find unique passwords for every site that you have.
- There is a tradeoff between fewer passwords (eg using Facebook Connect everywhere) and a much wider breach if that one main account is hacked.
- There are password managers like Lastpass or Apple's keychain, but of course if they are hit, then what are you supposed to do?
- Finally, there is the NSA and all their vacuuming schemes.
So here is what I do:
- Password rotation. Change passwords once a year. It is a pain, but at least it means that the sites I use a lot get rotated.
- Password Manager. I do use one, but I've been thinking about that too. It is just dangerous because password managers have your secret keys, and anyone (eg a hacker or any government) can get access either by finding the admin and hacking the account or just by going to the FISA court and getting all of it. In the end, some sort of "zero knowledge" scheme where you keep an encrypted file for yourself that no one else can get to might be right. 1Password seems to be the best of the bunch now as they are open source and they don't have any secret keys (but I've had trouble using them).
- Per site passwords. This is a tricky one, but you want passwords that are unique for every site and every account that you have (think multiple google accounts). Ludwig taught me a trick here, which is to salt some complex scheme with something about each site and each account.
- Longer is better. It takes more to type, but something that doesn't use common words (which are vulnerable to dictionary attack) and uses special characters is better.
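To make the "break in seconds per password" and "dictionary attack" points concrete, here is an added example (not from the original post) of what an attacker does with a leaked dump of unsalted password hashes. The dump, the accounts and the wordlist are all constructed for illustration; the point is that one lookup table covers every leaked account at once, so a dictionary word with a digit or two stuck on the end falls almost immediately, while a long password with no dictionary word in it never matches.

```python
import hashlib

def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the kind of hash many breached sites stored."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed sample dump: (email, hash). Accounts and passwords are made up.
LEAKED_DUMP = [
    ("alice@example.com", sha1_hex("password123")),
    ("bob@example.com", sha1_hex("Summer2013!")),
    ("carol@example.com", sha1_hex("qwerty")),
    ("erin@example.com", sha1_hex("qwerty")),               # same password as carol
    ("dave@example.com", sha1_hex("7rV#kq9!LpZ2mW@x4sN")),  # long, no dictionary word
]

# Toy wordlist; real ones hold hundreds of millions of entries.
WORDLIST = ["password", "qwerty", "summer", "letmein", "monkey"]

def candidates(word: str):
    """Yield a dictionary word plus a few common mangling rules
    (case changes and digit/punctuation suffixes)."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "12", "123", "!", "2013", "2013!"):
            yield base + suffix

def crack(dump, wordlist):
    """Offline dictionary attack against unsalted hashes.
    Returns ({email: recovered_password}, number_of_hashes_computed).
    Because the hashes are unsalted, one lookup table covers every
    account at once: each guess costs a single hash no matter how many
    accounts leaked, which is why weak passwords fall in seconds."""
    table = {}
    for email, h in dump:
        table.setdefault(h, []).append(email)
    found = {}
    attempts = 0
    for word in wordlist:
        for cand in candidates(word):
            attempts += 1
            for email in table.get(sha1_hex(cand), []):
                found[email] = cand
    return found, attempts

if __name__ == "__main__":
    cracked, n = crack(LEAKED_DUMP, WORDLIST)
    for email, pw in sorted(cracked.items()):
        print(f"{email}: {pw}")
    print(f"{len(cracked)} of {len(LEAKED_DUMP)} accounts cracked with {n} hash computations")
```

Four of the five constructed accounts fall after only 105 hash computations; the one that survives is the long random one. Per-site salting would not stop this (the attacker has the salt), but it does force one full pass per account instead of one pass for the whole dump, and a slow hash like PBKDF2 or bcrypt turns each of those guesses from microseconds into milliseconds.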
Anyway off I go to fix this. What I normally do is:
- Change the password for each account hacked
- Then change all my commonly used passwords to a new scheme, so even if they figure out the scheme from the hack, it doesn't help.
- And yes, it means hugely long passwords, but there is no real helping that. You should feel good if the site says, too many characters 🙂
- Find a safe place to put them all, encrypt that, and hope you never forget that key.
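Here is an added example (my own illustration, not Ludwig's actual trick or the author's scheme) of the per-site salting idea from above, carried through the procedure just listed: one master secret, a salt built from the site name, the account and two counters, and a deterministic derivation, so that changing one breached site's password, or changing the whole scheme, is a matter of bumping a counter. The `Vault` class, the alphabet, the 24-character length and the 200,000 PBKDF2 iterations are all assumptions for the example; the vault stores only the public salts, never the passwords.

```python
import hashlib
import string

# Assumed alphabet: letters, digits and a dozen specials (74 symbols).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
ITERATIONS = 200_000  # assumed; slows guessing of the master secret

def derive_site_password(master_secret: str, site: str, account: str,
                         scheme_version: int = 1, site_generation: int = 1,
                         length: int = 24) -> str:
    """Deterministically derive one password per (site, account).
    The salt is public information, so a breach at one site reveals
    nothing about the passwords at any other site. Bumping either
    counter yields a completely unrelated password."""
    salt = "\x00".join([site, account, str(scheme_version),
                        str(site_generation)]).encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"),
                              salt, ITERATIONS, dklen=2 * length)
    # Map each 16-bit chunk onto the alphabet. 65536 mod 74 leaves a tiny
    # bias; acceptable here, not for a production generator.
    chars = []
    for i in range(0, len(raw), 2):
        v = int.from_bytes(raw[i:i + 2], "big")
        chars.append(ALPHABET[v % len(ALPHABET)])
    return "".join(chars)

class Vault:
    """Hypothetical 'safe place': holds the master secret in memory and
    only the public salts on disk (site, account, generation)."""

    def __init__(self, master_secret: str, scheme_version: int = 1):
        self.master = master_secret
        self.scheme_version = scheme_version
        self.sites = {}  # (site, account) -> site_generation

    def password_for(self, site: str, account: str) -> str:
        gen = self.sites.setdefault((site, account), 1)
        return derive_site_password(self.master, site, account,
                                    self.scheme_version, gen)

    def rotate_site(self, site: str, account: str) -> str:
        """Step 'change the password for each account hacked':
        bump only that site's generation."""
        self.sites[(site, account)] = self.sites.get((site, account), 1) + 1
        return self.password_for(site, account)

    def rotate_scheme(self) -> None:
        """Step 'change all my commonly used passwords to a new scheme':
        every derived password changes, even if the old scheme leaked."""
        self.scheme_version += 1

if __name__ == "__main__":
    v = Vault("correct horse battery staple")  # constructed master secret
    print("adobe :", v.password_for("adobe.com", "me@example.com"))
    print("google:", v.password_for("google.com", "me@example.com"))
    print("after breach:", v.rotate_site("adobe.com", "me@example.com"))
    v.rotate_scheme()
    print("google, new scheme:", v.password_for("google.com", "me@example.com"))
```

The master secret is the one thing that still has to be long and memorised; everything else is recomputed on demand, which is the "zero knowledge" property wished for above. The cost is that if a site rejects the generated password (too many characters, unwanted symbol), you bump the generation until it accepts one, and the vault must remember that counter.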