Protect passwords from hackers


More than half of U.S. adults have six or more password-protected accounts online, a recent Consumer Reports survey shows. Who can remember all those passwords?

You try by keeping them short and sweet: your pet’s name and “123.” You use the same one for multiple accounts. And you keep them in your wallet for easy access.

You’re not alone. In CR’s survey, conducted in October by the Consumer Reports National Research Center, 32 percent of respondents used a personal reference in their passwords, almost 20 percent used the same password for more than five accounts, and 23 percent kept a written list of passwords in an insecure place.

Trouble is, such practices leave you, and your accounts, vulnerable to hackers.

Your chances of having a password stolen on a given day are probably slim, but the risk is real and growing. To understand why, you need to know how today’s hacker works. No, he doesn’t sit in a basement, attempting to sign into your account by pounding away at a keyboard until he stumbles upon your password. Most likely, he breaks into an insecure website that has many passwords on file, including yours. Then he finds out many of those passwords using highly sophisticated password-cracking software and a souped-up computer.

Here are the most important password-protection measures that experts recommend to keep hackers at bay:

Don’t use the same one twice. If a hacker obtains a password you use from one site, he’ll have access to your other accounts. To make passwords easier to remember, it’s OK to use a similar character pattern from site to site, varying part of it in a way that’s intuitive to you but not obvious to anyone else.

Make them strong. CR’s survey found that 29 percent of people who use passwords on their most sensitive accounts use one with seven or fewer characters. That’s too short. Use at least eight characters. Include an uppercase and a lowercase letter, plus a digit and a special character.

Making a password longer also helps when it’s protected by hashing, a secure storage technique that makes hackers work to convert the stolen data into usable passwords. Using a hacking-time spreadsheet developed by Robert Imhoff-Dousharm, information security officer at SanDisk, CR estimates that it typically would take a computer 2½ hours to crack the strongest seven-character password. An eight-character password would hold up for about 10 days, and a nine-character password would last for approximately 2½ years.

Avoid the obvious. Hackers have extensive dictionaries of widely used passwords. When you’re composing a password, don’t use common words, names or facts from your life that are likely to be in such a dictionary or that someone might guess or find out (e.g., birth date, child’s name). Avoid predictable patterns, such as starting with an uppercase letter.

Keep them safe and up-to-date. Don’t write down full passwords. But if you must, keep them under lock and key. Based on the survey results, CR projects that 34 million adults keep a list of passwords or clues in a place that might be insecure.

Experts told CR they stored their lists on an encrypted flash drive, used an online service such as LastPass (www.lastpass.com), or stored them encrypted on a computer using KeePass (www.keepass.info), a data-protection application. Hackers can be quite skilled at conning people into disclosing their passwords. Don’t give passwords to anyone over the phone, via email or through a social network.

Secure your computer and browser. Keyloggers and other malware are a real risk, especially on publicly accessible computers. Keep your operating system and major applications up-to-date. Run an effective security software suite that updates itself automatically.

Copyright 2011, Consumers Union Inc.