As Featured in ENTREPRENEUR MAGAZINE, March 2011

It should not surprise you that a LOT of online sites are tied together.

In November 2010, Gawker.com was attacked, and their entire 1.3 million user database was made public. Gawker owns about a dozen major websites (Gizmodo, Lifehacker, etc).

In a similar vein, Anonymous infiltrated HBGary, an IT security firm that was targeting Julian Assange and WikiLeaks. How did Anonymous defenestrate HBGary? Through some basic social-engineering techniques and because the management team at HBGary made a FUNDAMENTAL MISTAKE – they used the same password(s) for everything – email, Twitter, Facebook, DNS, etc.

Don’t make the same mistake!

A few lessons learned/taught:

1) The attackers were after Gawker’s CEO — his password is 24862486

2) The hackers also determined that he used it on Twitter and other sites.

“You would think someone like Nick Denton who likes to run his mouth and taunts such an unforgiving mass like Anonymous, would use a more secure password than ’24862486,’” they write elsewhere. “The sad thing is he probably believes this password is ‘secure’ because he likes to use it everywhere!”

– from http://www.theregister.co.uk/2010/12/13/gawker_hacked/

3) Most importantly, if you saw a HUGE influx of spam on Twitter this weekend, it’s because someone decrypted the Gawker user database and logged in as those users on Twitter.

We know from experience that people tend to use the SAME PASSWORDS everywhere.

I STRONGLY urge you to maintain separate passwords, and to change them regularly.

Otherwise, a break-in at one location can compromise your identity everywhere else.


Here’s a trick/technique I use to train executives in picking great passwords:

1) Pick a line from a song or a book

e.g.

Somewhere Over The Rainbow Bridge

2) Pick the 2nd (or 3rd or 4th) letter from each word.

e.g.

2nd letter: ovhar

3rd letter: meeni

3) Pick a BASE password – e.g. OVHAR. Add numbers and special characters (!, @, #, $, %, ^, &, *, (, ), and the digits 0-9) between the letters:

o$v$h$a$r

o$v#h@a$r

o@v#h$a#r

4) For dealing with websites, use a different base, and incorporate the website name in your password:

e.g.

BASE: MEENI

websites: EXPEDIA.com, EBAY.com, PAYPAL.com

sample passwords:

m!e@e#n^iEXPEDIA – with the site name at the end

m!e@EBAYe#n^i – with the site name in the middle

m!e@PaYpAle#n^i – with the site name in the middle, mixed case

Any of these passwords is extremely difficult to crack and easy to remember.

TIP: Use DIFFERENT bases for different areas of life:

e.g.

BASE1 – work credentials (office desktop, office email, etc)

BASE2 – home credentials

BASE3 – websites

BASE4 – Online banking

or, at minimum:

BASE1 – home, work, web

BASE2 – online banking
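As an added worked example (not code from the original post), here is a small Python script that carries out the four steps above on the post's own phrase and then keeps one base per area of life as the TIP recommends. The function names, the rule that the separator string is cycled between letters, and the phrases for the home, web and banking areas are this example's own assumptions. Note that the script derives meeii for the third letters of "Somewhere Over The Rainbow Bridge" (Rainbow and Bridge both have i in third place); the post's step-4 examples use MEENI as the base, so site_password simply takes whatever base string you give it.

```python
import re

# Added example for the post's four-step scheme. Function names, the
# separator-cycling rule and the area phrases are this example's assumptions.

PHRASE = "Somewhere Over The Rainbow Bridge"   # the post's example line


def nth_letters(phrase, n):
    """Step 2: the n-th letter (1-based) of every word, lower-cased.
    Words shorter than n contribute nothing."""
    words = re.findall(r"[A-Za-z]+", phrase)
    return "".join(w[n - 1] for w in words if len(w) >= n).lower()


def interleave(base, separators):
    """Step 3: put a separator (digit or symbol) between consecutive letters.
    The separator string is cycled: '$' gives o$v$h$a$r, '!@#^' gives m!e@e#n^i."""
    if len(base) < 2 or not separators:
        raise ValueError("need a base of two or more letters and a separator")
    parts = []
    for i, ch in enumerate(base):
        parts.append(ch)
        if i < len(base) - 1:
            parts.append(separators[i % len(separators)])
    return "".join(parts)


def alternate_case(text):
    """PaYpAl-style casing for the mixed-case variant."""
    return "".join(c.upper() if i % 2 == 0 else c.lower() for i, c in enumerate(text))


def site_password(base, separators, site, position="end", mixed_case=False):
    """Step 4: fold the site name (the label before the first dot) into the
    interleaved base, either at the end or after the first half of the letters."""
    label = site.split(".")[0]
    label = alternate_case(label) if mixed_case else label.upper()
    core = interleave(base, separators)
    if position == "end":
        return core + label
    if position == "middle":
        cut = 2 * (len(base) // 2)          # after 'm!e@' for a five-letter base
        return core[:cut] + label + core[cut:]
    raise ValueError("position must be 'end' or 'middle'")


def character_classes(password):
    """Which of the four character classes a password actually contains.
    Handy for checking that a chosen separator set adds digits as well as symbols."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


# TIP: one base per area of life, each from its own phrase, so a leaked password
# from one area says nothing about the others. Phrases are constructed placeholders.
AREA_PHRASES = {
    "work": "Somewhere Over The Rainbow Bridge",
    "home": "Twinkle Twinkle Little Star How",
    "web": "The Quick Brown Fox Jumps",
    "banking": "Happy Birthday To You Dear",
}


def area_bases(area_phrases, n):
    """Derive a distinct base for every area from its phrase; refuses collisions."""
    bases = {area: nth_letters(p, n) for area, p in area_phrases.items()}
    if len(set(bases.values())) != len(bases):
        raise ValueError("two areas produced the same base; pick another phrase")
    return bases


if __name__ == "__main__":
    print("2nd letters:", nth_letters(PHRASE, 2))        # ovhar
    print("3rd letters:", nth_letters(PHRASE, 3))        # meeii
    print(interleave("ovhar", "$"), interleave("ovhar", "$#@$"))
    for site, pos, mixed in [("EXPEDIA.com", "end", False),
                             ("EBAY.com", "middle", False),
                             ("PAYPAL.com", "middle", True)]:
        pw = site_password("meeni", "!@#^", site, pos, mixed)
        print(site, "->", pw, sorted(character_classes(pw)))
    print(area_bases(AREA_PHRASES, 2))
```

Because every site password within one area is derived from the same base, one leaked plaintext password exposes the pattern behind the others; that is exactly why the TIP keeps separate bases for work, home, web and banking rather than one base everywhere, and area_bases refuses to hand out the same base twice.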
