bad passwords and skype spam: a simple risk reduction technique

Recently we’ve been seeing a lot of ‘baidu/…’ links sent via compromised skype contacts.

What is happening here is not malware. Instead, your password is known and someone has logged into the web interface to use it.

How did your password become known? Recently dropbox was compromised, as was yahoo, and many other large sites. And, its likely, that you have used the same password on more than one site. <strong>DO NOT DO THAT</strong>. But you say, I cannot remember all of them, what am I to do? Well, there is a simple technique to reduce your risk.

Step 1. Pick 3 passwords (high/medium/low).
Step 2. On each site or service you use, assess your exposure if it becomes known. Put it in one of those three categories.
Step 3. For each site, set the password as {high|medium|low}-sitename

OK, so lets give this an example. I use RBC, paypal for banking. Lets assume my ‘high’ security password is “goose”. So i would use goose-rbc, goose-paypal. Now lets assume I use github, a dns-registration system, dropbox. I assign these ‘medium’ and my medium password is “beaver”. So it would be beaver-dropbox, beaver-dns, etc. Lets say I have some ‘low’ accounts, e.g. feedly. If my ‘low’ password were ‘squirrel’, then i would have ‘squirrel-feedly’. Now i only need to remember 3 things (goose/beaver/squirrel) no matter how many sites.

Now, lets assume dropbox gets hacked again. Well, its not people going through this list. They take my username + ‘beaver-dropbox’ and try to supply it to RBC, it fails.

Of course you should always use 2-factor authentication when you have the opportunity, but not everything got the memo.

The current issue we are seeing is not a vulnerability in Skype, its a vulnerability in the users. It can just as easily be happening on other services **AND YOU WOULDN’T KNOW**. E.g. if your Skype sent spam, you are embarrassed. But the same agent that did that might be spending your money right now from your bank and you wouldn’t know. So, again, <strong>NEVER USE THE SAME PASSWORD ON 2 SITES</strong>.

A lot of people say, oh, use special-symbols etc. This really doesn’t help, its not dictionary attacks used here. Neither does rotating the passwords over-frequently. This just leads to writing them down.

Of course there are tools (lastpass et al) that can help this problem out a lot. But the above technique is strong and simple, feel free to use it and share it with your friends and family.






Leave a Reply

Your email address will not be published. Required fields are marked *