The recently-discovered "Heartbleed" bug affecting as much as two-thirds of the Internet is causing people to hurriedly change passwords and further secure online personal information.
A variety of websites have found bug-related security vulnerabilities which affect sites employing OpenSSL, an open-source encryption technology that typically indicates personal information is safe with a lock icon in the web browser.
Merrill Warkentin of Mississippi State University said Friday [April 11] that choosing strong passwords is among the best proactive steps for minimizing vulnerability to identity theft.
"Never select a word that can be found in a dictionary," the information systems professor advised. Instead, he recommended three objectives for choosing strong passwords: make them hard to guess, hard to figure out and hard to "shoulder surf," meaning not easily observed by someone looking over your shoulder.
"If it's an obscure sequence of characters instead of a regular word, they are not going to be able to figure it out," he said.
Warkentin said users should think in terms of a "pass phrase" rather than a password. Personal phrases that may easily be remembered can become a hard-to-guess password when using the first letter of each word.
As an example, he said a phrase like "I started to work in 2008," could become the password "Is2wi2008." He said it is best to use a combination of upper and lowercase letters and numbers. If you add an odd character or symbol, the password becomes even stronger, he said. A true strong password must contain at least 14 characters, including numbers, upper and lower-case letters, and special characters.
Warkentin teaches students in his information systems classes at MSU to think of phrases personal to themselves, such as lyrics to a favorite song that they will find easy to remember, but others would have difficulty guessing.
Even if they are "strong," some passwords still may be compromised because of security breaches like Heartbleed, Warkentin said. It is online attacks and vulnerability discoveries that illustrate the importance of having unique passwords for the most sensitive information instead of using the same passwords repeatedly across the Internet.
"I would not reuse your bank or brokerage password anywhere else; I would make that a one-of-a-kind," he said, noting that if a hacker gains password information at one site, he may then go to other websites and try the same passwords to gain access to additional accounts.
While the most sensitive information needs the highest standards of security, Warkentin said many other websites which require login information are much less of a security concern because less personal information is at risk. He used as an example that some newspapers require login information before giving access to news articles, but they don't store sensitive personal data.
"It helps if people can think about information in terms of the risk of harm," he said.
"If someone logs in as you on a website, can they hurt you?" he continued. "If it's your bank or your social media account, the answer is yes. On other sites, there is less at stake if the only power they have is to change your news preferences, for example, without gaining any real personal data."
Warkentin advises using different passwords for different websites, but one good tip is to create a strong base password, like the "Is2wi2008" example, but make it unique to various websites by using add-ons. He said an adaptation to the example could be using "Is2wi2008Amz" for shopping on Amazon.
"Then they're all about the same, and they're strong, but they're also unique because of those last two or three characters," he said.
Some other tips shared by Warkentin include:
--If it is necessary to write down passwords, it is critical to store them in a safe secure location. "Don't write it on a sticky note by your monitor," he said.
--Utilize more than one authentication method for the most sensitive data. "The best security is when you use two-factor authentication; it's much safer because when someone gets your password, they still don't have everything they need to gain access."
--Request higher levels of security for accounts that many banking systems offer. Higher security usually involves an additional challenge question for accessing information via telephone, so clients can't just verify their basic information like ID number and address.
Because of Heartbleed's potential impact, Warkentin implored users to immediately change passwords at websites holding credit card, health or other personal information not to be shared--and also their social media and email platforms.
For more information about Mississippi State University, see www.msstate.edu.