Whatever you may feel about independent "hacktivist" groups such as Anonymous and LulzSec, they are good at what they do. In the past few weeks members of these two groups have claimed responsibility for a number of data theft incidents, including the recent theft of more than 1 million user names and passwords from the Sony Pictures web site. They then post these stolen names and passwords on message boards and ordinary web pages for anyone to see. In one case, after publishing the user names and passwords of more than 26,000 users of Pron.com (a pornography web site), LulzSec recommended the following mischief:
These guys probably sign into Facebook with the same email/pass combo, so we suggest the following:
1) sign into their Facebook accounts
2) find their family members
3) tell them all about how the victim (you!) signed up to porn sites
4) watch the hilarity
5) tell us about it on twitter!
Is your email address listed in any of these databases? The New York Times reports on an easy-to-use web tool, created by a security professional, that will check your email address against 13 different databases containing 800,000 email address/password combinations. Called, appropriately, "Should I Change My Password?", the site runs a simple search for your email in the known files. I checked my various emails, and fortunately, the tool didn't turn up anything amiss. But the site also gives some very solid advice: Change critical passwords regularly, and don't reuse the same password across multiple sites.
This is something we're very bad at. A recent report found that more than 75 percent of users use the same password for social networking sites and email—a huge risk in case one of those sites falls victim to nefarious figures.
If you find daunting the idea of creating separate passwords for all of the dozens of online accounts you need to maintain, take the advice of Christopher Mims over at the Technology Review blog: Set up four or five passwords, using one for all the low-security sites, another for any site that also has your credit card number, another for social networking, another for email, and the most secure for your banking sites. Sleep better.
Image credit: OperationPaperStorm on Flickr