Happy New Year! Time to consider changing your passwords

Around the holidays it's customary for tech writers to look at the worst passwords currently in use. Lists usually include password, qwerty, 123456, abc123, 111111, letmein, iloveyou, welcome, etc. Also popular are pet names and common given names like michael or ashley.

Reports predicting the demise of password authentication exaggerate how soon this might occur. Rest assured that passwords will be around for a while, so using them cautiously is still vitally important.

Rules for effective password use are drummed into our heads year after year. Most of the following should sound familiar.

• Passwords should be comprised of eight or more characters.
• Passwords should include letters, punctuation, symbols, and numbers.
• Passwords should be changed often, ideally about every three months.
• Password reuse should be minimized (don't use the same password for all your accounts).

People largely ignore this advice, but you might be surprised to hear that techniques like character substitution (replacing an "l" with a "1" or a "3" for an "E") or appending numbers or punctuation marks to words don't necessarily make passwords stronger. Furthermore, password length isn't everything.

Password uniqueness is what really matters. When attackers steal a password database, the first thing they do is sort the accounts by password. Automated attempts to logon to banks, brokerage houses, etc. using accounts with the same password follow. Since accounts with an unusual password do not lend themselves to this technique, time becomes an ally.

If you are unsure whether a password qualifies as "strong," you can easily test it using a free tool provided by Microsoft. The tool is accompanied by suggestions for creating strong passwords and conducting safer transactions online.

Another problem with online security is the widespread use of security questions. In many cases, poorly-drafted security questions pose a greater threat than weak passwords.

"Security questions" are supposed to identify you in case you forget your password. Many sites today provide a link ("forgot your password?") so you can reset your password without contacting tech support. Here are examples of queries often used to confirm a site visitor's identity:

• Who was your third grade teacher?
• What was your maternal grandmother's maiden name?
• In what city was your first job?
• In what city were you born?
• What was the name of your first pet?

Strangers should not be able to answer any of these questions, but correct answers can often been gleaned from social networks or genealogy sites.

Once an account has been breached, attackers usually update the security questions to prevent the account owner from regaining access. When this occurs, the victim typically has a difficult time convincing the site's operator to grant them access.

One way to improve the effectiveness of security questions is to use fictitious responses, providing you remember them. Pick a city or town other than where you were actually born or raised. Choose an uncommon name for your first pet, and do likewise with your grandmother's maiden name. If the answer to a security question isn't easily-guessed or discoverable online, it will cease to provide a means to hijack your account.

Passwords and security questions are important. As such, let the holidays serve as a reminder to perform an online security health check the way we associate daylight saving time with changing the batteries in our smoke alarms.

Microsoft issues security alert for legacy web browsers

Microsoft has confirmed that versions 6, 7, and 8 of Internet Explorer (IE) contain a "zero-day" vulnerability that is currently being used to hijack Windows computers. See Microsoft Security Advisory 2794220.

Newer versions of Windows can use IE9 (Windows Vista and Windows 7) and IE10 (Windows 8), which are not affected. Windows XP users, however, can only upgrade to IE8, and since it's no secret that a lot of people are still using Windows XP, the problem affects a large customer base. 

If you are using IE6, IE7, or IE8, Microsoft has issued  a temporary workaround (called a Fix it) that you can install simply by clicking an icon embedded in the advisory page.

Applying MS 50971 will not interfere with the installation of the final security update that will address this issue. However, applying the workaround will have a small effect on the startup time of Internet Explorer. Therefore, as you are applying the final security update, you should uninstall the workaround by applying MS 50972. Click here for more information.

The IE vulnerability does not affect Google Chrome, Mozilla Firefox, Apple Safari, or other third-party web browsers for Windows.