Bob and I were loading the truck after a few hours of night fishing on Friday when I checked my phone for calls or texts and found one from my friend at College Station: I think someone hijacked your fb or texasgaga account.
I reacted like someone reported a potential burglar at my house except I couldn’t call 911. “Ono, Bob! Somebody hacked my WordPress and Facebook accounts!”
Bob responded with the appropriate alarm, followed up with “What does that mean, Margaret?” Bob’s not particularly computer savvy and didn’t grasp the consequences.
After a moment, I realized I didn’t understand what it meant, either. “I don’t know, Bob. But it’s bad.” Bob asked how my friend knew that someone hacked my accounts; I had another “I don’t know” for him.
I understood how she knew when I saw a new blog published on my WordPress. An untitled post recommending an online pharmacy which specialized in Viagra was my most recent blog. Since my blog posts are automatically published to my Facebook account, my friend saw a red flag and sent me the text.
I changed my passwords on WP, FB, and Hotmail, erased the post, and sent emails to WordPress and Facebook about the hack job. I sent a thank you text to my friend, getting a “I didn’t think you’d be selling Viagra” text in return. Ha. Haha.
I could see how someone could hijack my blog or my email. I’m lazy about passwords. I should know better. I was mad at Hotmail a couple of months ago when I got locked out of my email account and had to change my password. (“How dare they inconvenience me like that?”) I found out hundreds of emails were sent from my email address with a porn site link. Oh. OH!
It wasn’t like I didn’t have a fair warning. I changed passwords then but I fell into the weak password trap using:
- One of my children’s or pet’s names followed by a 0 or 1 because they make you use a number
- 1234 or AAAA or aaaazzzz.
- The word “password”
- Date of birth – mine, either my parents’ or children’s, Bob’s
According to TAMU, about 20% of us use those clever passwords which are notoriously weak. I use the same password for multiple websites which is not recommended. Using the same password for home and office computers isn’t advised, either, which I have done for ease of memory. Although my bank has good encryption, WordPress and Hallmark don’t have such good security. Hackers can find out which sites I frequent by checking the cookies on my computer. All those cookies are simply stored, unencrypted and easy to find, in my browser’s cache. (Key’s under the mat and the dog loves everybody.)
If the obvious password doesn’t yield results, hijackers use password-cracking software to get access. There are 308 million possible letter combinations for a six-letter password using all upper case or all lower case letters. Password crackers that are readily available on the Internet at no cost can check all of them in about 2 minutes. Programs like Aircrack, John the Ripper, Hydra, SolarWinds, and Brutus are just a few listed at Sectools.org/tag/crackers.
- Using both lower and upper case letters, a six-letter password has 19 billion combinations
- Using eight letters and upper-lower case letters, there are 53 trillion combos.
- Add a number for one of the letters, there are 218 trillion combinations.
- With eight characters, including one upper case, one lower case, a number and a special character or punctuation, the possibilities jump to 6,095 trillion (from Symantec’s website)
TAMU.edu offers these guidelines for selecting a strong computer password:
- It should have 10 characters
- It should have a mix of upper and lower case letters, numbers, and special characters (such as !@#$%~*). You can’t use a forward or backward slash or a period.
- Don’t use a word from the dictionary, urban or traditional.
- It shouldn’t have any part of your name or email address.
- No last 4 digits from your social or your DOB
The TAMU site adds that easy to remember and easy to input passwords are preferable so you don’t have to write them down and so people looking over your shoulder can’t quickly see what you type. Creepy hackers.
There were a few tricks offered for creating a password that is easy to remember and meets the suggestions.
- Replace vowels with numbers or symbols that represent the letter (@ for a or 3 for e)
- Spell a word phonetically (like “foneticlee”)
- Pick a familiar phrase and use the first letter of each word (“I pledge allegiance to the flag of the United States” becomes IpattfotUS).
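An added example (not from the original post or from TAMU) that turns the guideline list and the combination counts above into a small checker. Assumptions: the 32 ASCII punctuation symbols as the special-character pool (which reproduces the 6,095 trillion figure), a guess rate derived from the post's "308 million in about 2 minutes", and a tiny constructed word list and constructed personal data standing in for real ones.

```python
import re
import string

# Guess rate implied by the post: all 26**6 six-letter passwords in ~2 minutes.
GUESSES_PER_SEC = 26**6 / 120
CLASSES = {r"[a-z]": 26, r"[A-Z]": 26, r"[0-9]": 10,
           r"[^A-Za-z0-9]": len(string.punctuation)}  # 32 symbols (assumption)
FORBIDDEN = set("/\\.")                    # slash, backslash, period
LEET = str.maketrans("@301$5", "aeoiss")   # undo common letter substitutions
# Constructed stand-in for a real dictionary or breached-password list.
SAMPLE_WORDS = {"password", "flag", "trout"}


def keyspace(pw):
    """Brute-force search space for the character classes pw actually uses."""
    pool = sum(size for pat, size in CLASSES.items() if re.search(pat, pw))
    return pool ** len(pw)


def seconds_to_exhaust(pw):
    """Upper bound only: dictionary and rule-based guessing finish far sooner."""
    return keyspace(pw) / GUESSES_PER_SEC


def check(pw, personal=()):
    """Return the guideline violations for pw (an empty list means it passes)."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if not all(re.search(pat, pw) for pat in CLASSES):
        problems.append("missing a character class")
    if FORBIDDEN & set(pw):
        problems.append("contains slash or period")
    if any(w in pw.lower().translate(LEET) for w in SAMPLE_WORDS):
        problems.append("contains a dictionary word")
    if any(p.lower() in pw.lower() for p in personal if len(p) >= 3):
        problems.append("contains personal data")
    return problems


if __name__ == "__main__":
    # Constructed samples; "rover" and "0101" stand in for a pet name and DOB digits.
    for pw in ["Rover1", "P@ssw0rd!23", "IpattfotUS", "Ip@ttf0tU5!"]:
        days = seconds_to_exhaust(pw) / 86400
        print(f"{pw:12} {days:12.3g} days  {check(pw, ['rover', '0101'])}")
```

The phrase-trick result IpattfotUS has no digit or symbol, so it fails the mix rule until a substitution is applied, while P@ssw0rd!23 satisfies the length and mix rules and is caught only by the dictionary check after substitutions are undone.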
It’s easier for me to make a joke about my computer invasion than to admit how much it bothered me that I got hacked. Consolation? That I learned changes to take and am passing them along. Would rather be blogging about speckled trout, refinishing furniture, and baby showers which seem unrelated but aren’t. Not really.