Ten Ways to Dodge Cyber‑Bullets (Part 4)

[Part 4 of an occasional series, updating a blog series I ran in early 2009 to reflect changes in the threat landscape. This series will also be available shortly as a white paper.]

Good Password Practice

Use different passwords for your computer and on-line services. Also, it’s good practice to change passwords on a regular basis and avoid simple passwords, especially those that are easily guessed.
It’s debatable whether enforced frequent changes of hard-to-remember passwords are always constructive (they can force the user to write down passwords, for example, which may well swap one security problem for another).

However, you should certainly be aware that if some miscreant guesses or cracks one of your passwords, using different passwords for other services and for your system passwords drastically limits the damage that he can do.

If, on the other hand, you use the same password for different accounts, you run the risk that one lucky guess will give the cracker the keys to the kingdom. Indeed, it’s likely that one of the reasons that quite trivial accounts are sometimes phished is that they give a cracker a headstart on guessing the password for other, more profitable accounts.

You might find this paper by David Harley and Randy Abrams on good password practice useful: http://www.eset.com/download/whitepapers/EsetWP-KeepingSecrets20090814.pdf.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macviruscom.wordpress.com/