Archive for October, 2009

07 Oct

More password news and advice

[Image: “Enter your email login and password…” by fczuardi via Flickr]

Hotmail users aren’t the only ones who’ve been hit by a phishing scheme over the past week. Google told BBC News on Tuesday that Gmail users have also been affected by the hackers who posted passwords online.

The problem is far more widespread than was disclosed on Monday, possibly affecting Yahoo and AOL e-mail accounts as well, according to BBC News.

Google described the issue as an “industrywide phishing scheme.” BBC News said it has seen two lists posted online with “more than 30,000 names and passwords” from Gmail, Yahoo, AOL, Microsoft’s Windows Live Hotmail, and other service providers.

The representative said that Google immediately “forced password resets on the affected accounts.”

In an e-mail to CNET, a Google representative said that the company had to reset the passwords on fewer than 500 Gmail accounts so far. However, that figure could change.

Despite Google’s and Microsoft’s awareness of the problem, it doesn’t seem that users are out of the woods just yet. Google’s representative told CNET that it will continue to force password resets on any newly affected user accounts.

Like Microsoft, Google was quick to point out to the BBC that the phishing scheme was a “scam to get users to give away their personal information to hackers” and not an internal security issue. It didn’t say how users fell victim to the scheme. (Source-cnet.com)

With all these phishing attacks hitting the major players in the world of email, Google is offering their own suggestions on what users can do to improve their passwords.

Creating a new password is often one of the first recommendations you hear when trouble occurs. Even a great password can’t keep you from being scammed, but setting one that’s memorable for you and that’s hard for others to guess is a smart security practice since weak passwords can be easily guessed. Below are a few common problems we’ve seen in the past and suggestions for making your passwords stronger.

Problem 1: Re-using passwords across websites
With a constantly growing list of services that require a password (email, online banking, social networking, and shopping websites — just to name a few), it’s no wonder that many people simply use the same password across a variety of accounts. This is risky: if someone figures out your password for one service, that person could potentially gain access to your private email, address information, and even your money.

Solution 1: Use unique passwords
It’s a good idea to use unique passwords for your accounts, especially important accounts like email and online banking. When you create a password for a site, you might think of a phrase you associate with the site and use an abbreviation or variation of that phrase as your password — just don’t use the actual words of the site. If it’s a long phrase, you can take the first letter of each word. To make this word or phrase more secure, try making some letters uppercase, and swap out some letters with numbers or symbols. As an example, the phrase for your banking website could be “How much money do I have?” and the password could be “#m$d1H4ve?” (Note: since we’re using them here, please don’t adopt any of the example passwords in this post for yourself.)

Problem 2: Using common passwords or words found in the dictionary
Common passwords include simple words or phrases like “password” or “letmein,” keyboard patterns such as “qwerty” or “qazwsx,” or sequential patterns such as “abcd1234.” Using a simple password or any word you can find in the dictionary makes it easier for a would-be hijacker to gain access to your personal information.

Solution 2: Use a password with a mix of letters, numbers, and symbols
There are only 26^8 possible permutations for an 8-character password that uses just lowercase letters, while there are 94^8 possible permutations for an 8-character password that uses a combination of mixed-case letters, numbers, and symbols. That’s over 6 quadrillion more possible variations for a mixed password, which makes it that much harder for anyone to guess or crack.

Problem 3: Using passwords based on personal data
We all share information about ourselves with our friends and coworkers. The names of your spouse, children, or pets aren’t usually all that secret, so it doesn’t make sense to use them as your passwords. You should also stay away from birth dates, phone numbers, or addresses.

Solution 3: Create a password that’s hard for others to guess
Choose a combination of letters, numbers, or symbols to create a unique password that’s unrelated to your personal information. Or, select a random word or phrase, and insert letters and numbers into the beginning, middle, and end to make it extra difficult to guess (such as “sPo0kyh@ll0w3En”).

Problem 4: Writing down your password and storing it in an unsecured place
Some of us have enough online accounts that we may need to write our passwords down somewhere, at least until we’ve learned them well.

Solution 4: Keep your password reminders in a secret place that isn’t easily visible
Don’t leave notes with your passwords to various sites on your computer or desk. People who walk by can easily steal this information and use it to compromise your account. Also, if you decide to save your passwords in a file on your computer, create a unique name for the file so people don’t know what’s inside. Avoid naming the file “my passwords” or something else obvious.

Problem 5: Recalling your password
When choosing smart passwords like these, it can often be more difficult to remember your password when you try to sign in to a site you haven’t visited in a while. To get around this problem, many websites will offer you the option to either send a password-reset link to your email address or answer a security question.

Solution 5: Make sure your password recovery options are up-to-date and secure
You should always make sure you have an up-to-date email address on file for each account you have, so that if you need to send a password reset email it goes to the right place.

Many websites will ask you to choose a question to verify your identity if you ever forget your password. If you’re able to create your own question, try to come up with a question that has an answer only you would know. The answer shouldn’t be something that someone can guess by scanning information you’ve posted online in social networking profiles, blogs, and other places.

If you’re asked to choose a question from a list of options, such as the city where you were born, you should be aware that these questions are likely to be less secure. Try to find a way to make your answer unique — you can do this by using some of the tips above, or by creating a convention where you always add a symbol after the 2nd character in the answer (e.g. in@dianapolis) — so that even if someone guesses the answer, they won’t know how to enter it properly. (Source-The Official Gmail Blog)

05 Oct

Change your Hotmail password

[Image: Windows Live Hotmail by Mathieu L. Fiset via Flickr]

Microsoft today confirmed that thousands of Windows Live Hotmail account usernames and passwords had leaked to the Internet, but said the credentials were “likely” stolen in a phishing attack. The company denied that its Web-based e-mail service had been hacked and the account log-in information stolen because of some lapse on its part.

Earlier today, Neowin.net reported that more than 10,000 accounts had been compromised and speculated that Hotmail had either suffered a breach or an aggressive phishing campaign had collected the usernames and passwords by duping people into divulging the information.

Microsoft did acknowledge that Hotmail accounts had been compromised. “Over the weekend Microsoft learned that several thousand Windows Live Hotmail customers’ credentials were exposed on a third-party site due to a likely phishing scheme,” the same spokeswoman added.

Both Microsoft and Jevans recommended that all Hotmail users change their passwords, just in case. “Change it, ASAP,” urged Jevans. (Source-ComputerWorld)

If you’d rather be safe than sorry, take 2 minutes and change your Hotmail password right now.

03 Oct

Creating strong passwords you can remember

[Image: eBay password security meter by snowcrash via Flickr]

When it comes to creating and using passwords, just about every security expert will tell you that strong, complex passwords are the safest.

A strong password is a password that meets the following guidelines:

  • Be seven or fourteen characters long, due to the way in which encryption works. For obvious reasons, fourteen characters are preferable.
  • Contain both uppercase and lowercase letters.
  • Contain numbers.
  • Contain symbols, such as ` ! " ? $ ? % ^ & * ( ) _ - + = { [ } ] : ; @ ' ~ # | \ < , > . ? /
  • Contain a symbol in the second, third, fourth, fifth or sixth position (due to the way in which encryption works).
  • Not resemble any of your previous passwords.
  • Not be your name, your friend’s or family member’s name, or your login.
  • Not be a dictionary word or common name. (Source-StrongPasswordGenerator)

You can download applications or access online password generators that will help you compose a strong password. But what if you aren’t using your own computer, are alternating between Windows, Linux and Mac or can’t easily remember a password like “u65;+8)7VL83w)”? The site linked to above suggests the following mnemonic to help remember that password: “usher 6 5 ; + 8 ) 7 VIRGIN LAPTOP 8 3 weather )”. Sure, that looks like an easy thing to remember.

What I’d like to suggest is developing a fairly strong but easy to remember core password which gets customized for each site you need it for, making it unique and far stronger than the core password.

For this method you can use a core password that doesn’t meet the above criteria. As an example, I’m going to use a core password that consists of my age, initials and my birthdate. (Note, all of this information is easily obtainable and thus is not good for a password in itself. This is not a password I use anywhere.)

I want my core password to be 55JEC02031954. I can easily remember that. Since I still can’t believe I’m 55, I’m going to insert an exclamation point after my age, and a pointer to my birthdate. Now I have 55!JEC>02031954.

Now let’s say I want to register for http://jebersblog.com using my core password. Let’s add the custom characters that will be unique to this site. Using the initials suggested by the site name I come up with jb55!JEC>02031954. On the Lockergnome forum I would use lg55!JEC>02031954. For Friendfeed, ff55!JEC>02031954, and so on.

I only recommend using a strong but still breakable password like this for sites where you have no financial or personal information that someone else could profit from accessing. It should be sufficient for your WordPress blog, forum membership or sites like the Cutest Dog Competition, where you can register to vote for my beloved Cleo.
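As an added example (not code from Google, Microsoft, StrongPasswordGenerator or this blog), the Python checker below turns the guidelines listed above and the 26^8-versus-94^8 arithmetic from the Gmail post into something you can run, and treats the user’s own initials and birthdate as data to reject, which is exactly what flags a core password like 55!JEC>02031954. The common-password set and keyboard patterns are small constructed samples standing in for a real breached-password list.

```python
import math
import string

# Constructed samples of the common passwords and keyboard patterns the posts name;
# a real deployment would check against a large breached-password list instead.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "qazwsx", "abcd1234"}
KEYBOARD_PATTERNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "qazwsx", "1234567890"]
SYMBOLS = string.punctuation  # 32 printable ASCII symbols, so 26 + 26 + 10 + 32 = 94


def char_classes(pw):
    """Which of the four classes (lower, upper, digit, symbol) appear in pw."""
    return {"lower": any(c.islower() for c in pw), "upper": any(c.isupper() for c in pw),
            "digit": any(c.isdigit() for c in pw), "symbol": any(c in SYMBOLS for c in pw)}


def charset_size(pw):
    """Alphabet an attacker must search once they know which classes are present."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(SYMBOLS)}
    return sum(sizes[k] for k, present in char_classes(pw).items() if present)


def keyspace(pw):
    """charset ** length: 26**8 for eight lowercase letters, 94**8 with all four classes."""
    return charset_size(pw) ** len(pw)


def keyspace_bits(pw):
    """The same search space in bits: log2(26**8) is about 37.6, log2(94**8) about 52.4."""
    return math.log2(keyspace(pw)) if pw else 0.0


def has_pattern(pw, run=4):
    """True if `run` adjacent characters count up by one (abcd, 1234) or trace a keyboard row."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if all(ord(b) - ord(a) == 1 for a, b in zip(chunk, chunk[1:])):
            return True
        if any(chunk in pattern for pattern in KEYBOARD_PATTERNS):
            return True
    return False


def check_password(pw, personal=()):
    """Problems from the posts that pw exhibits (empty = passes); `personal` is the user's own data."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if has_pattern(pw):
        problems.append("keyboard or sequential pattern")
    problems += [f"no {k} characters" for k, present in char_classes(pw).items() if not present]
    problems += [f"contains personal data: {p}" for p in personal if p and p.lower() in pw.lower()]
    return problems
```

Run against the posts’ own samples, “#m$d1H4ve?” and “sPo0kyh@ll0w3En” pass, “abcd1234” is rejected three times over, and the age-initials-birthdate core password is rejected for the reason the author himself gives.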

However, for sites like eBay, PayPal, your bank or any other site which requires much stronger protection of your information, I would suggest you bookmark Steve Gibson’s Ultra High Security Password Generator page. You’re going to get a password no one could possibly remember (for example: “>cr+q-kcKF9bBysCLbHdpVt(6\|r3fMV^~8%R.9^u<Mr(VPPH{1z;a4BhM`7@b[9”), so you’re going to have to record it somewhere. This is the weakest point of security when it comes to passwords. If you do have to write it down, keep it with you (not written on a Post-It note stuck to your monitor) and don’t label it (“My bank password:...”).

For even more security, do not let your laptop, or any mobile device, save your password for these sites, and change your password on secure sites frequently.
