For those who have been worried about the safety of online banking, today’s news will only reinforce those worries. Yet another massive data breach has been uncovered. According to this New York Times article:
A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.
Another New York Times article provides steps people can take to stay safe. There is currently no information on which websites have been affected, so the article recommends that people change their passwords on every website that holds their financial or other sensitive information. Each new password should be strong and unique to that website.
The article recommends the use of a password manager program, which generates a unique password for each of your websites and stores them in a database protected by a master password that you create. The danger, of course, is that if the master password is compromised, all of your passwords are compromised with it: the database is encrypted with a key derived from that master password, so a stolen copy of it is only as safe as the master password is hard to guess. The risk of your master password being compromised may be higher than you think. Just recently, the password management company LastPass had a potential security breach which may have affected many of its users.
So if we can’t trust software tools to simplify password management, how can we maintain strong and unique passwords for all of our bank accounts? One method of creating a strong password that continues to be recommended is described by the security expert Bruce Schneier at his website:
Combine a personally memorable sentence with some personally memorable tricks to modify that sentence into a password to create a lengthy password.
This is one example he provides (Note, never use public examples for your passwords).
WIw7,mstmsritt = When I was seven, my sister threw my stuffed rabbit in the toilet.
The problem I have is when websites force us to change passwords after a certain period of time. Some banks force a change every 90 days or even more often, and it is not easy to keep thinking of new memorable sentences. It’s interesting to note that Schneier disagrees with the usefulness of regularly changing passwords:
Don't bother updating your password regularly. Sites that require 90-day—or whatever—password upgrades do more harm than good. Unless you think your password might be compromised, don't change it.
Unfortunately, we don’t have a choice in this matter with several banks. They require you to change your password after a certain period of time in order to keep access to your account. Many also require that the new password be substantially different from the last few passwords.
Finally, Schneier recommends using any two-factor authentication that your websites offer. Most banks now offer this. A common form is a login process that sends you a one-time code by text message or email; that code must then be entered during login in addition to your user name and password. You can typically configure this type of two-factor authentication to request the additional code only when you’re logging in from a computer you have not used before.
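To show what happens on the bank's side of that one-time-code step, here is an added example of the server-side logic, not code from the article or from any bank: a six-digit code is issued, only its hash is kept, it expires after a few minutes, is single-use, locks after a handful of wrong guesses, and a "trusted computer" token lets a returning browser skip the code. The in-memory dictionaries, time limits and attempt counts are assumptions standing in for a real database and policy; delivering the code by text or email is outside this code.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed policy values (constructed for this example, not any bank's real settings).
CODE_TTL_SECONDS = 300                 # a code is valid for five minutes
MAX_ATTEMPTS = 5                       # six digits = 1,000,000 guesses, so cap attempts
DEVICE_TTL_SECONDS = 30 * 24 * 3600    # how long a "trusted computer" stays trusted

# Constructed in-memory stores standing in for server-side database tables.
_pending_codes: dict = {}     # username -> {"digest", "expires", "attempts"}
_trusted_devices: dict = {}   # sha256(token) -> (username, expires)


def _digest(value: str) -> str:
    """Hash a secret so the store never holds it in the clear."""
    return hashlib.sha256(value.encode()).hexdigest()


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def issue_code(username: str, now: Optional[float] = None) -> str:
    """Create a random 6-digit code for out-of-band delivery; store only its hash."""
    code = "".join(secrets.choice("0123456789") for _ in range(6))
    _pending_codes[username] = {
        "digest": _digest(code),
        "expires": _now(now) + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code  # handed to the SMS/email sender, never persisted as plaintext


def verify_code(username: str, submitted: str, now: Optional[float] = None) -> bool:
    """Check a submitted code: expired, locked, wrong or already-used codes all fail."""
    entry = _pending_codes.get(username)
    if entry is None:
        return False
    if _now(now) > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        _pending_codes.pop(username, None)   # dead code: force a fresh one
        return False
    entry["attempts"] += 1
    ok = hmac.compare_digest(entry["digest"], _digest(submitted))  # constant-time
    if ok:
        _pending_codes.pop(username, None)   # single use
    return ok


def remember_device(username: str, now: Optional[float] = None) -> str:
    """Mint a random token to set as a browser cookie marking this computer as trusted."""
    token = secrets.token_urlsafe(32)
    _trusted_devices[_digest(token)] = (username, _now(now) + DEVICE_TTL_SECONDS)
    return token


def device_is_trusted(username: str, token: str, now: Optional[float] = None) -> bool:
    record = _trusted_devices.get(_digest(token))
    if record is None:
        return False
    owner, expires = record
    if _now(now) > expires:
        _trusted_devices.pop(_digest(token), None)
        return False
    return hmac.compare_digest(owner, username)


def login(username: str, password_ok: bool, device_token: Optional[str] = None,
          now: Optional[float] = None) -> str:
    """Return 'denied', 'ok', or 'need_code' (caller then calls issue_code/verify_code)."""
    if not password_ok:
        return "denied"
    if device_token and device_is_trusted(username, device_token, now):
        return "ok"
    return "need_code"
```

The two checks worth copying are the attempt cap and the constant-time comparison: without the cap, a six-digit code is brute-forced in a million requests, and a plain `==` on the digests leaks timing information. The trusted-device token is just a second secret with its own lifetime, which is why clearing cookies or using a new computer brings the code prompt back.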
If you are one of those who still worry about online banking, you should not let today’s news scare you. Online banking has many benefits for consumers. By taking some reasonable precautions, you can keep banking online with very little risk of losing any of your money due to fraud.
Thanks to DA member Pearlbrown for first reporting on this news and NYT articles in the forum.