Russian theft of 1 billion US passwords
I have been asked about the recent Russian theft of at least 1 billion US user names / passwords.
http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=0
Additionally, this information was released by Bloomberg tonight, specifically pertaining to banking…
http://www.bloomberg.com/news/2014-08-27/fbi-said-to-be-probing-whether-russia-tied-to-jpmorgan-hacking.html
I don’t have specifically actionable information like I did for you back in April with the Heartbleed bug.
However, I will go back to sound advice that I have given before, albeit slightly refined and simplified:
1. You should be changing your passwords at least every 6 months and sooner if you have been notified that the site has been compromised.
2. At a bare minimum, you should be creating randomized passwords using a random character generator such as http://www.random.org/passwords/ (with numbers and letters — at least 8 characters long — ideally 12 to 16). I have printed out sheets of 10 random passwords for clients over the past few months. I would be happy to do so again via postal mail or at our next appointment.
3. One step up from that method is to use the Google Chrome browser because it utilizes a secure password manager, backed up and encrypted with your Google account. Some of you have started using this method for password management. Ideally:
4. You will use a dedicated password manager that has both computer and smartphone / tablet interfaces. Examples are LastPass, 1Password and RoboForm. I personally use both LastPass and 1Password; I support these two programs with clients. 1Password costs around $50. LastPass is free for computer use only and $12 per year if you want to be able to look up and use your passwords on a mobile device.
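As an added illustration of the advice in item 2 (not part of the original note, and not code from random.org), the following script generates a sheet of 10 letters-and-digits passwords offline with the operating system's cryptographic random source, and shows why 12 to 16 characters is preferred over the 8-character minimum by computing the entropy of each length. The function names and the default length of 16 are the author's choices for this example.

```python
import math
import secrets
import string
from typing import List

# Character set matching the advice above: letters and digits only (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 16) -> str:
    """Return one password drawn uniformly from ALPHABET using the OS CSPRNG.

    secrets.choice is used instead of random.choice because the latter is
    not suitable for security purposes.
    """
    if length < 8:
        raise ValueError("8 characters is the bare minimum; 12 to 16 is recommended")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_sheet(count: int = 10, length: int = 16) -> List[str]:
    """Generate a printable sheet of `count` passwords (the note mentions sheets of 10)."""
    return [generate_password(length) for _ in range(count)]


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # 8 chars ~ 47.6 bits, 12 chars ~ 71.5 bits, 16 chars ~ 95.3 bits
    for length in (8, 12, 16):
        print(f"{length} chars from {len(ALPHABET)} symbols: {entropy_bits(length):.1f} bits")
    print("\n".join(password_sheet()))
```

Each additional character adds just under 6 bits, so going from 8 to 12 characters multiplies the guessing work by roughly 14 million.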