Email security has been a hot topic as of late, with last week’s news of a supposed breach of 272 million email usernames and passwords and recent statements made by a hacker who claims to have accessed Hillary Clinton’s private email server two years before the private server’s existence was first reported by the New York Times. In the latter story, the hacker known as “Guccifer” claims he correctly guessed Clinton confidant Sidney Blumenthal’s AOL password and used the hacked email account as a stepping stone to Clinton’s private email server.
These stories highlight the fact that weak passwords continue to be the entry point of choice among hackers and cybercriminals. A weak email password can easily be guessed or even cracked by password-cracking tools that are freely available online, providing hackers access to all the victim’s emails, which can in turn compromise other accounts and sensitive information.
To help shore up what could be the biggest threat to your online security, here are ten best practices for your online passwords:
- Do not use passwords based upon personal details that can be easily discovered, such as birthdate, social security number, phone number, or a family member’s name.
- Do not use words that can be found in the dictionary. Password-cracking tools routinely use dictionary lists to try to crack passwords.
- Do not use the word “password” as your password. (Many still do!)
- Try not to use “!”, “1” or “9” when required to add a symbol or digit, as these are easily guessed by hackers.
- Create unique passwords that use a combination of words, numbers, symbols, and both upper and lowercase letters.
- Avoid using adjacent characters on a keyboard. For example, “qwerty”, “asdzxc”, and “123456” are very easy to crack.
- Length is key. These days, it’s very affordable to build powerful and fast password cracking tools that can try tens of millions of password combinations per second. Each character you add to a password makes it an order of magnitude more difficult to crack via brute force methods.
- Avoid using the same password at multiple websites. It’s generally safe to use the same password at sites that do not store sensitive information about you.
- Do not use your email account password at any online site. If that site is compromised, your email account will also be compromised.
- Do not store your password list on your computer in plain text. Either write your passwords down (and keep them out of view) or use a local password storage program, which can protect all your passwords with a single master password.
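The rules above can be turned into a simple policy check. The following Python is an added example written for this post, not RPost’s code; it assumes a 12-character minimum (the post gives no number), a constructed six-word dictionary in place of a real wordlist, and the “tens of millions of guesses per second” figure from the length rule to estimate worst-case brute-force time.

```python
import re

# Constructed mini wordlist; a real check would load a full dictionary file.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "sunshine"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
GUESSES_PER_SECOND = 5e7   # "tens of millions" per second, as the post states
MIN_LENGTH = 12            # assumed policy value; the post gives no number

def keyboard_run(pw, n=4):
    """True if pw contains n or more adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            seg = row[i:i + n]
            if seg in low or seg[::-1] in low:
                return True
    return False

def charset_size(pw):
    """Size of the alphabet a brute-force attacker must assume for this password."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33   # printable ASCII punctuation
    return size

def brute_force_seconds(pw):
    """Worst-case seconds to exhaust the keyspace at GUESSES_PER_SECOND."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND

def check_password(pw, personal_details=()):
    """Return the list of rules from the post that pw violates (empty list = passes)."""
    low = pw.lower()
    problems = []
    if re.sub(r"[^a-z]", "", low) in DICTIONARY:
        problems.append("dictionary word")
    if "password" in low:
        problems.append("contains 'password'")
    for detail in personal_details:                 # birthdate, phone, family name, ...
        if detail and detail.lower() in low:
            problems.append(f"contains personal detail {detail!r}")
    if keyboard_run(pw):
        problems.append("adjacent keyboard characters")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if charset_size(pw) < 62:                       # any three classes sum to >= 62; any two to <= 59
        problems.append("fewer than three character classes")
    digits, symbols = set(re.findall(r"[0-9]", pw)), set(re.findall(r"[^A-Za-z0-9]", pw))
    if (digits and digits <= {"1", "9"}) or (symbols and symbols <= {"!"}):
        problems.append("only the predictable '!', '1' or '9' as symbol or digit")
    return problems
```

Adding one lowercase character multiplies brute_force_seconds by 26, which is the “order of magnitude” the length rule refers to.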
As in the “whaling” or BEC attacks RPost has discussed in the last few weeks, a single compromised email account can provide a cybercriminal with the valuable social cues and background information they need to perpetrate a successful and highly profitable cyberattack. Yet, besides monetary incentives, it is also believed that many hackers hack online accounts for bragging rights or out of a need to feed their egos. In last week’s case involving the 272 million email accounts, the hacker allegedly offered to sell account credentials for just 50 roubles, or less than $1, and eventually agreed to trade the information in exchange for favorable comments posted on an online hacker forum.
A strong password strategy is essential to maintaining email privacy, but it’s also just the beginning. To maintain email privacy when sending sensitive or personal information, you need to use an email encryption service. RMail contains an easy-to-use email encryption feature that provides true direct delivery of encrypted emails and does not require recipients to install any software or register for any accounts. Learn more about RMail at http://www.rmail.com.