Passwords, scams, and you
Reader Deb Ward is the victim of an increasingly common scam. She writes:
I have a MobileMe account that I believe was hacked. First a message was sent to everyone in my .mac email address book that I was in the UK, held up at gun point, stranded, and to please send money. Then, the hacker was able to get into my .mac account and have my emails forwarded to a Yahoo account! How can this happen? How do I protect my email accounts? And how do I protect the rest of the information on my computers?
While this kind of thing isn’t as common as advance fee fraud (typical of the Nigerian royalty wheeze that’s been around for years), it’s a scam that’s become popular in the past few months. It works this way:
The scammers obtain account addresses (not just from the MobileMe service but other providers as well such as Hotmail, Google, and AOL). They then use computer scripts to generate passwords—using words commonly found in the dictionary—and work through these passwords in the hope of finding one that lets them in. When a working password is found, they go about the nefarious business of grabbing your contacts from the host service and sending out the kind of message that your contacts received. Depending on the service, they can also have messages forwarded to a different account.
Your best hope is that those you associate with are smart enough to ignore this obvious bit of phoniness or, at the very least, check with you to be sure that the message is legitimate. On the other hand, those who do pungle up the dough can be counted as extra special (though pretty gullible) friends. Please treat them gently.
As for protection, Protection Tip Number One is to use a password that can’t be easily guessed. If it’s in the dictionary, it’s a bad password. If it’s in the dictionary and you’ve appended a couple of significant numbers after it—your birthday or age—it’s still a bad password. If it’s a pattern of characters on your keyboard—adgjl’, for example, it’s a bad password. If it’s eight characters or less, it’s possibly an okay password, but not a great one.
Protection Tip Number Two is to not use the same password for everything you do. If you unlock your e-mail, Apple ID, Amazon account, Mac administrator’s password, and bank account with that single password, imagine the havoc that results when it’s cracked.
There are a variety of strategies for creating and remembering passwords. People often substitute characters for letters—$ for S, @ for A, and ! for L. Others remove vowels—grtbllsffre1957, for a Jerry Lee Lewis fan, for example. Others still write random strings of nonsense, write down those strings, plunk the passwords into their Mac’s keychain, and lock the written passwords in a safe place should they need them. (These are people who have complete control over their computer—the one in their home, not in the office.)
Because I have a brain like a sieve, I use Agile Web Solutions’ $40 1Password. Not only can it keep track of all the passwords in your life, it can also generate them. Like so:
When you come to a website you need a password for, select the password field, click and hold on the 1Password button that appears in your browser, and choose Strong Password Generator. In the sheet that appears the title of the site should appear along with its location. Use the Length slider to choose a length for your password (the longer the better) and click Fill. 1Password will fill in the password field with the password it just generated. It will later prompt you to save the login information for that site—your username and password. When you next visit, you can ask 1Password to fill in this information for you.
If you lack the inspiration to create a password for some other kind of account—your e-mail account, for example—1Password can help there too. Just launch the program, choose Go -> Generated Passwords, click the Plus (+) button at the bottom of the second column, and use a procedure similar to the one I just described to create a new password. 1Password will remember this one as well.