Music, IT & Human Rights since 2005


Botnets may be stealing your password

Time to change your password to something secure and install security software on your computers

This week Hotmail, Yahoo and GMail have admitted losing perhaps 100,000 passwords from email accounts. Microsoft compromises passwords in Hotmail accounts

Yesterday GMail and Yahoo admitted users’ email passwords had been compromised as well. The official story of a massive phishing exploit is being refuted by a security researcher.

ComputerWorld: Mary Landesman, a senior security researcher at San Francisco-based ScanSafe, said it’s more likely that the massive lists — which include approximately 30,000 credentials from Hotmail, Gmail, Yahoo Mail and other sources — were harvested by botnets that infected PCs with keylogging or data stealing Trojan horses.

Landesman based her speculation on an accidental find in August of a cache of usernames and passwords, including those from Windows Live ID, the umbrella log-on service that Microsoft offers users to access Hotmail, Messenger and a slew of other online services.

That cache contained about 5,000 Windows Live ID username/password combinations, said Landesman, who found the trove while researching a new piece of malware. “From the organization [of that cache] and what the data looked like in raw form, I think it’s more likely that this latest was the result of keylogging or data theft, not phishing,” Landesman said.

She dismissed the idea that the passwords had been collected in a large-scale, industry-wide phishing attack, as Microsoft and Google both maintained.

“Another indicator is the sheer number of compromised accounts,” Landesman said, referring to the two lists that have gone public. “Phishing is not generally a wildly successful scam, it doesn’t have a big return. People are more savvy about phishing than we give them credit for.”

The lists included some of the most obviously weak passwords, such as: pass, password, 12345.

Don’t feel bad. In the old days of mainframes and Unix servers the most common master passwords used by the experts were: master, password, supervisor and God.

Now is a good time to change your password on email accounts and on any site that contains information like credit cards, date of birth and address. Since you can be impersonated and become a victim of identity theft with only your name, address and birth date, we recommend you lie about your age anytime someone asks you to enter it, especially on social websites like Facebook.

Bad passwords include your name and birthday or your children’s names. Safe passwords have a meaningless combination of letters, characters and numbers. Example – rox285?n9$a30. Hard to remember? Let IE or Firefox remember it for you the first time you use it on each site.

You should also keep a written copy of passwords away from your computer. Some mornings I get up and have a brain freeze. I just go to my secret password store and get the list. Always have your Windows password written down and filed securely.

Ultra secure sites that have your banking information should have a different password from email and Facebook.

PS – don’t forget to keep your virus and security software up-to-date. For home users, the best software is free and updates itself automatically.

Avast and Avira
