Only Nationally Recognized Computer Club in San Bernardino County
My PayPal Account’s Been Hacked!
The e-mail from PayPal said I’d sent $400 to a gaming firm in Germany. It’s a dopey phishing expedition, I thought, and authentic-looking, for sure, but nothing to worry about.
The trouble was that when I logged on to PayPal, I really did have a $400 withdrawal. It was clear that someone had my password.
Here are the three essential things you need to know about password security:
I contacted PayPal (888/221-1161), supplied the details, and they opened up a case. My account is frozen and I don’t doubt PayPal will credit me for the loss. (As I started editing this newsletter, PayPal reversed the charges.) PayPal is investigating, but I don’t think they’ll ever find out how someone got into my account, though it was clear the person had my password. The rep said I probably fell for a well-crafted e-mail spoof.
That’s a blow to my ego. I see myself as suspicious—verging on paranoid—when it comes to phishing e-mails. What better prize than bragging rights to hacking a PC World guy, right? So I’m as vigilant as my dog is when I try to get her to take a pill wrapped in peanut butter. (Hey, you can’t fool me, pal, she probably thinks...)
If an e-mail—suspicious or not—refers to any of my important accounts and provides a link to click, I ignore the offer. It’s safer to manually type the URL into my browser’s address field. And yes, I’ll cover phishing hassles—and ways to guard against it—in a future newsletter.
I’m also careful with my passwords and, at least until now, thought they were super stealthy. For example, on PayPal I used four numbers, a symbol, and three letters. According to Microsoft’s Password Checker, my standard password pattern—1600%wtf—is strong. But it could be better.
Microsoft says that the most effective passwords are 14 characters and have a combination of upper and lower case letters, numbers, and a symbol or two. For example, z24x680uBS4!44 is strong enough for them to call it "best." Test your passwords on Microsoft’s site and see how well they stand up. Then browse Microsoft’s excellent Strong passwords: How to create and use them. I promise you’ll learn something.
Use Microsoft’s Password Checker to test your password’s strength. You might be surprised.
However, ever since the PayPal fiasco, I’ve changed every significant password on my system to a 14-digit gorilla.
Creating a strong password is easy, provided you don't try to think one up on your own. There are dozens of Web sites that'll create passwords, but I don't use any of them. The last thing I'll do is trust someone online watching me create new passwords. Instead, download Password Generator, a freebie, and crank out all sorts of 14-character passwords.
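The two practical rules above (14 characters mixing upper and lower case, digits and a symbol; and generating passwords on your own machine rather than on a Web site) are easy to turn into a small local script. The following is an added illustration written for this reprint; it is not Microsoft's Password Checker, not the Password Generator freebie, and not code from the column's author. It draws randomness from the operating system's cryptographic generator (Python's `secrets` module) and scores passwords against the column's stated criteria; the symbol set is an assumption, since different sites accept different symbols.

```python
import secrets
import string

# Character classes behind the column's criteria. The symbol set is a
# constructed assumption; trim it to whatever a given site accepts.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
CLASSES = [UPPER, LOWER, DIGITS, SYMBOLS]


def generate_password(length: int = 14) -> str:
    """Return a random password of `length` characters containing at least
    one character from every class. Uses the OS CSPRNG via `secrets`;
    `random.random` is not suitable for anything secret."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    # One guaranteed pick per class, then fill from the full alphabet.
    chars = [secrets.choice(c) for c in CLASSES]
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle with CSPRNG indices, so the guaranteed picks
    # do not always occupy the first four positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def check_password(pw: str, min_length: int = 14) -> dict:
    """Report which of the column's criteria a password satisfies."""
    return {
        "length_ok": len(pw) >= min_length,
        "upper": any(c in UPPER for c in pw),
        "lower": any(c in LOWER for c in pw),
        "digit": any(c in DIGITS for c in pw),
        "symbol": any(c in SYMBOLS for c in pw),
    }


def is_strong(pw: str, min_length: int = 14) -> bool:
    """True only when every criterion in check_password passes."""
    return all(check_password(pw, min_length).values())


if __name__ == "__main__":
    candidate = generate_password()
    print(candidate, check_password(candidate))
    # The column's own samples: the 8-character pattern fails on length
    # and has no upper-case letter; the 14-character one passes everything.
    print("1600%wtf", check_password("1600%wtf"))
    print("z24x680uBS4!44", is_strong("z24x680uBS4!44"))
```

The class-count rule is the column's yardstick, not a complete measure of strength: length and true randomness matter more than ticking every box, which is why the generator never reuses a pattern and never leaves the machine.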
Remembering all those passwords is a PITA, so you ought to consider using a password management tool. There are lots available. Many people like KeePass, a freebie; others swear by LargeSoft’s $30 Password Manager. I anticipate easily 100 e-mails—no make that 200—kvetching that I haven’t mentioned your favorite. But as far as I’m concerned, RoboForm is the best one around, and I’ve used it since it was first introduced.
Written by Steve Bass, a former Contributing Editor with PC World, a 23-year veteran of PIBMUG, and a founding member of APCUG. He’s also the author of PC Annoyances: How to Fix the Most Annoying Things about Your Personal Computer, O’Reilly Press. It’s available on Amazon at dirt cheap prices. http://snipurl.com/annoy2
This column originally appeared in Bass’s TechBite newsletter. Subscribe to Bass’s free weekly newsletter and read Bass’s blog at www.snurl.com/techbiteblog. Contents copyright 2009, TechBite, LLC.
This article has been obtained from APCUG with the author’s permission for publication by APCUG member groups; all other uses require the permission of the author (see e-mail address above).