Smart Spending

Avoid password-checking sites

Hackers obtained a Twitter password for The Associated Press and sent out a false report about a White House attack. They'll wreak havoc with your passwords, too -- if you let them.

By Mitch Lipka Apr 24, 2013 6:02PM
Is your Twitter password, or any other password for that matter, secure enough? It's a question that comes up whenever there's a highly publicized hack.

On Tuesday, when The Associated Press had its Twitter account hacked and the hacker used the platform to falsely report explosions at the White House (leading to a brief, sharp drop in the stock market), it was made plain again that even normally guarded professionals could be fooled into giving up information they shouldn't. In this case, a phishing attack apparently yielded the password to the hacker.

It appears that the attack came through an innocent-looking email about a story that staffers were asked to have a look at.

You could find yourself in a similar situation. Perhaps you receive an email that appears to be from Twitter or Facebook suggesting you should make sure your password meets certain security standards. Or you might see a post on a social networking site that appears to be from a friend suggesting you check your password.

But clicking on a link from an unknown source -- even if it seems as though it's from a friend or colleague -- is an invitation to disaster. You could end up downloading malware or a virus or, as happens in phishing attacks, get duped into providing information that could lead to identity theft or fraud.

The Web security firm Sophos highlighted a fake version of a Twitter password check site to draw attention to how easy it is to get fooled. Sophos recommends avoiding such sites unless you're a sophisticated enough Web user to be able to sort out the real ones (there are real ones) from the fakes.

One quick check you can do is to make sure you're on the domain you think you are. In other words, if you land on you're not on Twitter, but if it's, you are.
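The domain check described above can be automated. The following is an added example, not code from the article or from Sophos: it pulls out the host a link really points to and accepts it only when it is the expected domain or a subdomain of it. The sample links and the names `actual_host`, `is_on_domain` and `audit` are constructed for illustration.

```python
from urllib.parse import urlsplit

EXPECTED = "twitter.com"  # the site the reader believes they are visiting


def actual_host(url):
    """Hostname the browser will connect to: lowercased, no port, no userinfo."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_on_domain(url, expected=EXPECTED):
    """True only when the host is `expected` itself or a subdomain of it.

    The leading dot in the suffix test matters: without it, any host that
    merely ends with the same letters would be accepted.
    """
    host = actual_host(url)
    return host == expected or host.endswith("." + expected)


# Constructed sample links (assumptions for this example, not from the page).
SAMPLES = [
    "https://twitter.com/settings/password",             # the real domain
    "https://mobile.twitter.com/login",                  # a subdomain of it
    "https://twitter.com.password-check.example/login",  # name used as a prefix
    "https://twitter.com@password-check.example/login",  # name in the userinfo part
    "https://password-check.example/twitter.com/login",  # name only in the path
]


def audit(urls):
    """Return (url, real host, verdict) for each link."""
    return [(u, actual_host(u), is_on_domain(u)) for u in urls]


if __name__ == "__main__":
    for url, host, ok in audit(SAMPLES):
        print(f"{'OK ' if ok else 'NOT'}  {host:36}  {url}")
```

In the last three samples the familiar name is visible in the link, but the host that decides where the password goes is `password-check.example`.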

Or, if you do want to see how secure your passwords are, a legitimate password-checking site can be found here.

Given that most people still use simplistic passwords and use them across multiple sites -- as has been shown in a variety of data breaches and surveys -- there's a lot at stake when you give yours away. Imagine losing control of not only your social networks, but also access to your email, online banking and other personal and financial information.

Even if you catch the breach quickly, it will still be a colossal pain to get everything back to normal.

Here are some tips from Microsoft about password security to consider when creating -- or changing -- a password:
  • Make your password at least eight characters long
  • Mix up the characters with capitals, lower case, numbers, symbols and punctuation marks
  • Change your passwords regularly
  • Use different passwords on different sites

You can find more information about phishing scams and how to avoid them on the Federal Trade Commission's OnGuardOnline website.



Copyright © 2014 Microsoft. All rights reserved.



Smart Spending brings you the best money-saving tips from MSN Money and the rest of the Web.