PC World: Technology Advice You Can Trust
Today at PC World
Friday, May 11, 2007 10:53 AM PT Posted by Erik Larkin

Phisher Says He Makes a Fortune Using Re-used Passwords

I came across a posted interview with an active phisher by way of Alex Eckelberry's SunbeltBLOG. It's an interesting read for a glimpse into the dark side, though it doesn't break any news about the phishing world.

What caught me was the phisher's acknowledgment that he uses passwords stolen from social networking sites to break into e-mail accounts, where he then searches for financial account details. He says he can make $3,000 to $4,000 a day selling this information.

The dollar amount may be an exaggeration, but I frequently hear that crooks try to re-use passwords this way. So I thought it would be a great opportunity to once again push one of my favorite free security tools, Password Hash, that can protect you against this password risk even as it allows you to keep re-using the same password at every site.

Since I have mentioned it before, I'm going to take a shortcut and re-post the information I first wrote about Password Hash in a Download This column. The only difference from what I wrote previously is that the Stanford folks behind this great tool now have a version available for IE 7 (available from their download page).

This browser add-on for Firefox 1.5 and 2.0 and for Internet Explorer 6 lets you keep using the same password at your end for every site, but converts it into a strong and unique password on the fly before sending it to the target site. Though I ran across it in a book for IT professionals (Network Security Hacks from O'Reilly), it's extremely easy to use. The Stanford University folks who created it understand that most people won't use complicated security software.

Password Hash works its magic when you hit F2 or type @@ in a password field on a site. You then type your standard password, and when you hit Enter, the add-on combines the password with the domain name (such as google.com or pcworld.com) of the site you're logging in to, and runs them through a one-way calculation (called a hash) to create a unique, strong password. Using the domain name provides a measure of protection against phishing sites, because Password Hash will generate a different password for a spoof site - say, bankofamerican.com - than the one it generates for the real site, bankofamerica.com.

What's more, you don't have to save the password anywhere: If you add Password Hash to a different browser on a different computer, it will still generate the same password at any given site. If you can't install the add-on but need to use a different browser somewhere, you can type your usual password and URL into the Password Hash Web site and get the Password Hash password--via an encrypted connection, of course.

It's not a perfect security scheme--nothing is--but it's far, far better than sticking with the "Batman25"-type password that many people use everywhere now. I'd suggest using it, at a minimum, for your sensitive financial accounts. (I'm using it now and gradually switching my passwords over.)
