How Your Favorite Song Lyrics Can Protect Your Identity


What if someone told you that you could use some of the words from your all-time favorite song as your password? Not only that, but that it could actually be as effective as some difficult-to-remember imbroglio like Ge0rg34m@gr!|| — you know, something like what your IT department sends you as a start-up password.

Would you doalittledancemakealittlelovegetdowntonight?

If your answer is yes, yes, you would do a little dance … and get down tonight, good news! A recent study by some really smart people at Carnegie Mellon University found that the use of long, sentence-like or phrase-like passwords like the one above is increasing among people looking for easier-to-remember passwords. Not only that, but it could be “a promising user authentication mechanism.”

The really smart people, otherwise known as researchers, looked at the role of “grammatical structures underlying such passwords in diminishing the security of passwords.” Or in layman’s terms, they questioned whether they were easier to hack than the letter-number-symbol jumbles we’re all so familiar with. The answer was no, not really. It turns out that hacking programs find a lengthy password almost as difficult to crack as a seemingly random one.

The researchers went into the study viewing text-based passwords as involving a trade-off between usability and security. “System assigned passwords and user-selected passwords subject to complex constraints (e.g. including mixed-case, symbols and digits) are harder to guess, but less usable,” the researchers wrote. “Conversely, simple, memorable user-selected passwords offer poor resilience to guessing.”

In order to find a compromise, researchers and organizations have begun recommending the use of longer user-selected passwords with simpler composition.

The idea isn’t particularly new. Security pros have been using similar passphrases for years, albeit somewhat differently. This trick takes a sentence and then uses the first letter of every word. For example: “I love pizza 3 times a week” would be ilp3taw. You can be really clever and add capital letters and a special character or two, like iLp3T@w.
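To make the two claims above concrete (that a long phrase holds up about as well as a random jumble, and how the first-letter trick works), here is an added example that is not from the article or the Carnegie Mellon study. It estimates guess-space in bits under three attacker models, and the vocabulary size, phrase-list size and the tiny KNOWN_PHRASES set are constructed assumptions.

```python
import math
from typing import Optional

# Constructed stand-in for an attacker's list of famous lyrics and quotes;
# PHRASE_LIST_SIZE models the size of a real list, not this tiny sample.
KNOWN_PHRASES = {"do a little dance make a little love get down tonight"}
PHRASE_LIST_SIZE = 1_000_000
VOCABULARY = 20_000  # assumed size of a word list used for word-by-word guessing


def first_letter_mnemonic(sentence: str) -> str:
    """The article's trick: keep the first character of each word, lower-cased."""
    return "".join(word[0] for word in sentence.split()).lower()


def bits_character_model(password: str) -> float:
    """Guess-space if the attacker draws every position from the classes present."""
    if not password:
        return 0.0
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII symbols
    return len(password) * math.log2(alphabet)


def bits_word_model(phrase: str, vocabulary: int = VOCABULARY) -> float:
    """Guess-space if the attacker guesses whole words: grows with word count."""
    return len(phrase.split()) * math.log2(vocabulary)


def bits_known_phrase(phrase: str) -> Optional[float]:
    """If the phrase is a famous lyric, the attacker only has to try the list."""
    if phrase.lower() in KNOWN_PHRASES:
        return math.log2(PHRASE_LIST_SIZE)
    return None


def effective_bits(phrase: str) -> float:
    """Attackers pick the cheapest model, so the smallest estimate is the real strength."""
    estimates = [bits_character_model(phrase.replace(" ", "")), bits_word_model(phrase)]
    known = bits_known_phrase(phrase)
    if known is not None:
        estimates.append(known)
    return min(estimates)
```

The lyric from the article scores over 150 bits under both character and word guessing, but only about 20 bits once it is on a list of well-known phrases, which is the warning about guessable phrases later in the piece.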

“If one could use biometric encryption, that’s certainly better, but even biometrics have been spoofed,” said Adam Levin, co-founder of and author of “Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves.” “But in situations where biometrics are not available, a passphrase is probably a better option than a typical password.”

Also, with a phrase, you could create a variety of different passwords out of that single phrase, Levin explained. Add a couple of letters in the front for a particular website and a couple of numbers in the back, and you can have a different password for every site, all of which will be fairly easy to remember.

“Also, there’s less tendency to use an overly simple or flat-out bad password like ‘password’ if you use phrases,” Levin said.

It’s also important to remember that a significant percentage of identity theft occurs among family and friends, Levin warned, so “if it’s a phrase you use frequently that someone could guess, it’s probably not a good option.”

As the really smart people at Carnegie Mellon wrote: “More research is necessary to fully understand the effect of structures on long passwords,” but they’re definitely worth considering to keep your accounts secure.

Remember, identity thieves can strike at any time. To guard against identity theft, it’s important not just to keep your passwords or passphrases strong and secure; it’s also wise to monitor all of your financial accounts on a regular basis, as well as your credit. If an identity thief has stolen some of your information to open a new account in your name, it will impact your credit scores.

You can monitor your credit scores for free twice a month on Any unexpected changes in your score could signal identity theft, and you should pull copies of your credit reports (you can do that for free once a year) to investigate further. Acting fast can help protect your credit and your finances.


7 Steps to Safer Passwords for All Your Online Accounts


Some passwords are funny. Some are pretty weird. Some can be a math problem. Many can be laughably easy to hack (I give you “dadada,” “qwerty,” “password” and “123qwe” to name a few) — or very tricky. But one thing is for sure, they are never really 100% hack proof.

Earlier this month, news broke that a significant number of Twitter passwords had been compromised and were being offered to anyone willing to fork over 10 bitcoins, or roughly $6,700, as of this writing. More than 32 million users were included in the cache of information on the cyber creep auction block. Hacked information database Leaked Source said in a blog post that it received the data set from a user under an alias.

Your Information Is Out There

The first takeaway: Anyone can scavenge and rumor-chase to find purloined login credentials. The second: You are not safe, and identity-related crimes are the third certainty in life, right behind death and taxes. (You can monitor your credit for signs of identity theft by viewing two of your credit scores for free each month on

Twitter has told multiple news outlets that its systems were not breached. Leaked Source said the passwords appeared to have been grabbed by malware.

How to Keep People Out of Your Stuff

While knowing that your information is out there is an important piece of the personal data security puzzle, keeping your accounts safe is even more crucial.

While there has been much innovation in the world of data security, nothing has proven foolproof yet. Biometric authentication using fingerprint and iris scans is promising, but their adoption is far from universal and not without some spoofing issues.

There are tokens and cards that can complement passwords, but those are fallible for the reason that they can be stolen or lost.

Multi-factor authentication is probably the best way to deal with security issues, but it does not necessarily strike the best workplace balance between security and convenience. The Pixar movie “Monsters vs. Aliens” provides a comical scene that demonstrates why it’s not the most practical approach (the character has to provide a hand, foot, tongue, elbow and butt scan to gain access to the president’s situation room).

Passwords Are Still the Best Option

As things stand now, a password coupled with a second factor of authentication known only to the user — like a visual prompt — is the best personal security solution.

Because we have many accounts and they should all have separate passwords, most consumers have a problem keeping all that information straight. There are apps for that, of course, and if you are OK with cloud-based solutions — bearing in mind that nothing is un-hackable — you might want to check out a service like 1Password, which allows you to store all your passwords, PINs, credit card numbers, and more. PasswordWallet 4 and Dashlane provide similar services. Bear in mind that they are not the only good games in town. So do your research and read reviews. Keep in mind, too, some password managers charge for their services.

The upside to password valets is clear — you only have to remember one password. If that’s of interest, you still need to make sure that password is very strong.

Rules of the Road for Effective Passwords

If you decide not to use a password manager, never store your passwords and user names in a document that resides on your computer. Save them on an encrypted thumb drive. Then you need only remember two things: Where you keep it and the password (hopefully long and strong) required for access.

The best practices here include a number of things you shouldn’t do:

1. Try to avoid single words, since many password-cracking programs use the dictionary.

2. Avoid letters and numbers that are close to each other on the keyboard.

3. Never use a password based on personal information that could well be available on social media or via a data breach. This would include your birthday or the birthdays of loved ones, children’s names, pet names, your high school or college mascots and the like.

4. Never use a password on a retail site that you use anywhere else. If that site gets hacked and the same login information is on a bank account, you’re toast.

And a few things you should do:

5. Create an easier password for sites that don’t have a great deal of your personal information, like news sites, video streaming services and the like.

6. Consider using a password generator. (Bear in mind this generally requires using a password management system, bought or homemade.)

7. Create long and strong passwords containing a phrase at their core. One thing that a brute force attack cannot do is guess the first line of a poem you wrote in fourth grade, especially if you have a simple math problem embedded in the middle of a word or two.

Most of us have day jobs. Identity thieves and scammers view grabbing our information and exploiting it for their gain as their day job. Always assume there is a never-ending riot overflowing with looters happening just outside your cyber house. That’s why you must be thoughtful, inventive and vigilant when creating passwords, for they are the locks to all your virtual doors and windows — even when you are home.


The LinkedIn Password Breach Is Way Bigger Than We Thought: Here’s What You Need to Do


Quick, what was your LinkedIn password in 2012? OK, now think of every password you use for every service, and make sure that LinkedIn password isn’t reused anywhere.

If ever you needed a reminder not to reuse passwords, here it is. We knew that LinkedIn got hacked in 2012, but at the time we thought only 6.5 million passwords were stolen. Now, we’ve learned the real figure was more like 100 million-plus. That means your old LinkedIn password — and any derivations of it — should not be used anywhere else. You already knew that, but now you really know.
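The advice that the old password “and any derivations of it” should not be used anywhere is something a password-change form can enforce. Here is an added example, not from the article, of such a check: it lower-cases, strips digits and symbols tacked onto either end, undoes a small constructed table of letter substitutions, and then looks for the breached password inside the candidate.

```python
import string

# Small constructed table of common letter-for-symbol substitutions, undone before comparing.
_UNLEET = str.maketrans("@$!0134", "asioiea")


def _core(password: str) -> str:
    """Lower-case, drop digits/symbols tacked onto either end, undo substitutions."""
    stripped = password.lower().strip(string.digits + string.punctuation)
    return stripped.translate(_UNLEET)


def is_derivative(candidate: str, breached: str) -> bool:
    """True if candidate is the breached password or a trivial variant of it."""
    b = _core(breached)
    if not b:  # breached value was all digits/symbols; only exact reuse counts
        return candidate.lower() == breached.lower()
    return b in _core(candidate)


def safe_to_use(candidate: str, breached_passwords) -> bool:
    """Password-change check: reject anything derived from a known-breached password."""
    return not any(is_derivative(candidate, old) for old in breached_passwords)
```

The breached list would come from the site's own breach history (hashed, in practice); the substitution table here is deliberately short and catches only the most common tweaks.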

A security researcher found an ad yesterday posted by a hacker offering a list of 167 million LinkedIn passwords for sale for about $2,300. LinkedIn confirmed to Ars Technica on Wednesday that it knows an “additional set of data has just been released.” It’s working to invalidate any passwords on the list that might still be in use. Because of duplicates, etc., the real number is probably far less than 167 million, but it’s certainly much larger than 6.5 million.

Of course, LinkedIn can’t help with other services where you might re-use its password. And you probably forgot it anyway. (Sadly, computers never forget these things.) Even if you only signed up for LinkedIn once, back in 2012, and never used it again, the password you set at the time is now poisoned.

There is no need to panic. No doubt, whoever had this list had wrung all the value out before offering it for sale – probably many times over. If it were really a gold mine, it likely wouldn’t be for sale at $2,300. Most of the user/password combinations in there have no doubt already been tried at other websites.

Still, your job today is to think about all the critical sites you use — places where you keep and spend money (banks, Amazon) — and make sure those passwords are clever and fresh. Then let your mind wander to places where hackers might make bank by scrolling through your digital life: Hacking into your email account, for example, or even your Facebook account. Using your email, they could reset passwords at your bank. Using Facebook, they could trick friends into sending money — or just embarrass you.

Doing that kind of security inventory is a good exercise at any time. But today presents a great reminder.

“There needs to be a sense of heightened security every day when it comes to cyberattacks and thinking passwords could be stolen,” said John Peterson, Vice President of Enterprise Products at cybersecurity company Comodo. “Consumers, small businesses and large enterprises all need to understand that criminals have established, working organizations with paid hackers, spammers and phishing experts who think of ways to steal and leverage passwords, bank records, Social Security numbers, company trade secrets and data, and credit card and financial data every minute of every day.”

[Editor’s Note: Remember, if you have reason to believe you’ve been a victim of fraud, it’s crucial to check your credit. Specifically, you should keep an eye out for sudden drops in your credit score, mysterious accounts opened in your name and unknown addresses. You check your credit by pulling your reports for free each year at and viewing your scores, updated monthly, for free on]
