bogus emails looking for money

Benjamin Scott dragonhawk at gmail.com
Tue Apr 27 16:22:30 EDT 2010


On Tue, Apr 27, 2010 at 3:21 PM, Ken D'Ambrosio <ken at jots.org> wrote:
> I, myself, got bitten by that using what *I*, at least,
> thought was a fairly esoteric password.

  If you're still using a passWORD on today's Internet, you're already
in a very high risk category.  Using an English word for a password is
supposed to be roughly equivalent to using "12 bit encryption" or
something like that.

  I recommend complex passphrases, minimum 15 characters in length,
containing a mixture of upper- and lower-case letters, digits, spaces,
and punctuation.

  Generally speaking, a phrase like "Ben eats purple paperclips?
Why?" is much easier for people to remember than a shorter but
completely random string of random characters, and just about as
strong.

  *NEVER* use the same password on more than one system.  A lot of
people use the same password everywhere, or have a "system" they use
to derive passwords formulaically.  This is a very bad idea.  Systems
get compromised and password loggers installed all the time.  Now one
compromised account becomes *all* your accounts.

  In most cases, changing your password frequently is not worth it.
Far better to use strong, unique passwords.

  *NEVER* use anything but a trusted terminal to log in to a website.
That means "Internet cafe" computers, public library computers,
computers belonging to friends/family, etc., are all out.  Unless you
have very strong evidence to the contrary, you should assume every
computer you encounter is compromised.  Because it probably is.

  (The above applies to assets actually worth protecting.  I use cheap
passwords on some sites (mainly message boards I've had to log into
once) simply because I don't care if my account is hijacked.)

-- Ben
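A small checker for the passphrase rule above, as an added example that is not part of Ben's message: it tests a candidate against the "at least 15 characters, mixed character classes" recommendation and gives a crude guess-space comparison for a dictionary word, a short random string and the sample passphrase. The dictionary size, printable-alphabet size and the "at least three classes" threshold are my assumptions, not figures from the post.

```python
import math
import re
import string

MIN_LENGTH = 15            # from the post: minimum 15 characters
REQUIRED_CLASSES = 3       # assumption: a "mixture" means at least 3 of the 5 classes
DICTIONARY_WORDS = 100_000 # assumption: size of a common English word list
PRINTABLE_ASCII = 95       # assumption: alphabet for a fully random password


def char_classes(secret: str) -> set:
    """Return which of the post's five character classes appear in secret."""
    classes = set()
    for ch in secret:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch == " ":
            classes.add("space")
        elif ch in string.punctuation:
            classes.add("punct")
    return classes


def policy_violations(secret: str) -> list:
    """List the ways a candidate falls short of the post's rule; empty means it passes."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"length {len(secret)} is below {MIN_LENGTH}")
    present = char_classes(secret)
    if len(present) < REQUIRED_CLASSES:
        problems.append(f"only mixes {len(present)} character class(es): {sorted(present)}")
    return problems


def bits_dictionary_word() -> float:
    """Guess-space of a single English word: the attacker just tries the word list."""
    return math.log2(DICTIONARY_WORDS)


def bits_random(length: int) -> float:
    """Guess-space of a uniformly random printable-ASCII string of the given length."""
    return length * math.log2(PRINTABLE_ASCII)


def bits_passphrase(phrase: str) -> float:
    """Crude model: each word is one dictionary pick, each punctuation mark one extra choice."""
    words = re.findall(r"[A-Za-z]+", phrase)
    marks = sum(1 for ch in phrase if ch in string.punctuation)
    return len(words) * math.log2(DICTIONARY_WORDS) + marks * math.log2(len(string.punctuation))
```

Run against the post's own sample phrase, the passphrase passes the rule and scores above a 10-character random string, while a single word scores far below both, which is the comparison the message is making.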