My password is very simple. So simple that nobody will guess it: password. Get it? But don’t tell anyone. I don’t want people posting spam on the MySpace bulletin board.
Recently, the spam-haven website more commonly known as myspace.com suffered a hack that tricked users into giving up their passwords. The result: even more spam! Users logged into what they thought was the login page after receiving an email notification for a new message or friend request. It turns out that someone was clever enough to muck with the code on their profile page and make it look exactly like the MySpace login page. Users who fell for the hack discovered that spam was being posted in their name.
Tom, who is not my friend, posted this statement back in October and reiterated it earlier this week when the trend cropped up again.
“you can stop this by changing your password! a spammer has access to your account. they’re using it to market their junk to your friends via YOUR bulletins and YOUR comments. fight back by changing your password!!”
In other words, the burden of fighting against MySpace exploits is on you. The only way to be sure that a login page is real is if the URL of that page starts with login.myspace.com.
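The URL rule above as a check, in an added example that is not part of the original column: the host has to be exactly login.myspace.com, because a plain prefix test also accepts lookalike hosts. The function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

LOGIN_HOST = "login.myspace.com"  # the host named in the article

def is_real_login_page(url: str) -> bool:
    """True only when the URL's host is exactly LOGIN_HOST over http(s)."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname          # lower-cased, userinfo and port removed
    except ValueError:                 # malformed authority section
        return False
    if parts.scheme not in ("http", "https") or host is None:
        return False
    return host.rstrip(".") == LOGIN_HOST

def naive_check(url: str) -> bool:
    """Literal 'starts with' reading: drop the scheme, compare the prefix."""
    return url.split("://", 1)[-1].startswith(LOGIN_HOST)

SAMPLES = [  # constructed URLs, not taken from the incident
    "http://login.myspace.com/",
    "http://LOGIN.MySpace.com./",
    "http://profile.myspace.com/someuser",
    "http://login.myspace.com.phish.example/",
    "http://login.myspace.com@phish.example/",
]

def classify(urls):
    """Map each URL to (strict host check, naive prefix check)."""
    return {u: (is_real_login_page(u), naive_check(u)) for u in urls}

if __name__ == "__main__":
    for url, (strict, naive) in classify(SAMPLES).items():
        print(f"strict={strict!s:5} naive={naive!s:5} {url}")
```

A profile page hosted on the site itself fails the strict check too, which is the case the column describes.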
This isn’t the first time MySpace has suffered from an attack like this. Last year, another user slipped a virus into users’ profiles that automatically friended “Samy” and made history as one of the fastest spreading viruses of all time.
Hey, Tom, you seem like a nice guy, and you sounded very upset by this hack. Might I suggest five ways you can help us help you:
5. Limit profile modification. Users should be able to change fonts and colors and little things like that, but anything involving tables or forms must be prohibited. MySpace profiles are notoriously ugly. Free web layouts clutter almost every profile. The room given to change HTML on a profile makes it very easy to make it look like a login page.
4. Sign In securely. Give your users a secure connection to sign in. I’m really surprised this isn’t offered anywhere on MySpace. It doesn’t cost much. You can buy a license for just the year if you like, but even the most basic encryption greatly reduces risk of information loss. Think of it as a friendly way of telling your users, “Trust me.”
3. Expire passwords. Not the most popular option, but an effective one. Telling everyone to change their password if they think they were affected by this latest hack is passing the responsibility from you to us, but it is a valid point. Regularly changing your password is an effective step in keeping data secure, even in unsecured environments.
2. Site Pass. Having a site pass is like giving your kids a secret code in case they run into strangers. Yahoo! and Bank of America are using this technique by showing a personalized photo or message to the user as a visual means to identify themselves. If a user accidentally visits a phishing site and doesn’t see that cute kitty photo, they know it’s not a site for them.
1. Lend a hand. Do more than just put a 6 character minimum on creating passwords. Score the password on its security strength. The longer, more complicated and uncommon a password, the stronger it will be. Suggest passwords through an automatic key generator. Or just assign a strong password to the user rather than letting them use ‘halokitty’ for the umpteenth time.
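Suggestion 5 as an allowlist filter, in an added example that is not MySpace's code: font and colour markup passes through, while tables, forms, scripts and unknown attributes are dropped. The tag policy, names and sample markup are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy (not MySpace's): text styling only. Tables, forms, inputs,
# scripts and every other tag are dropped; unknown attributes are dropped too.
ALLOWED = {"b": (), "i": (), "u": (), "em": (), "strong": (), "p": (),
           "br": (), "font": ("color", "face", "size")}
DROP_WITH_CONTENT = {"script", "style"}

class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.removed = [], [], []
        self.skipping = False          # True while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skipping = True
        if tag not in ALLOWED:
            self.removed.append(tag)   # keep a record for moderation
            return
        kept = "".join(f' {k}="{escape(v or "", quote=True)}"'
                       for k, v in attrs if k in ALLOWED[tag])
        self.out.append(f"<{tag}{kept}>")
        if tag != "br":
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skipping = False
        elif self.open and self.open[-1] == tag:
            self.out.append(f"</{self.open.pop()}>")

    def handle_data(self, data):
        if not self.skipping:          # text is always re-escaped on output
            self.out.append(escape(data, quote=False))

def sanitize_profile(markup):
    """Return (safe_markup, removed_tags) for user-supplied profile HTML."""
    parser = ProfileSanitizer()
    parser.feed(markup)
    parser.close()
    tail = "".join(f"</{t}>" for t in reversed(parser.open))  # balance output
    return "".join(parser.out) + tail, parser.removed

SAMPLE = (  # constructed profile markup imitating a login box
    '<font color="red" onclick="x()">Hi</font>'
    '<table><tr><td><form><input type="password"></form></td></tr></table>'
    '<style>body{display:none}</style><b>bye')

if __name__ == "__main__":
    print(sanitize_profile(SAMPLE))
```

The list of removed tags gives moderators a signal: a profile that arrives with `form` and `input` elements is worth a look even though the filter already neutralised it.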
This latest round of site phishing is cause for alarm. MySpace has 43 million active users (100 million if you count inactive accounts) with simple passwords and seemingly simple ways of retrieving them. Child safety concerns alone should be reason enough for MySpace to take stronger steps in site security. Tom is right about one thing: until better security measures are put in place, change your password.
Chris Williams writes a weekly column about nerdy and geeky things.
Chris actually prefers LiveJournal.
hey people i lost my password and i dont know how to retrieve it please help me
Um… click the login link, then click the “forgot my password” link
http://www.popsyndicate.com/member/forgot_password/
Hi..just stopping by to say a Happy New Year...interesting post there, and i’ve bookmarked this blog too...keep up the good job ;)
i change the password and other things now it’s not working dats my problem
email was pj_gangsta01 for myspace don’t work cuss i got a different one try 2 fix my myspace now i can’t get in
This is an interesting post, but no matter what security features or changes Myspace implemented I doubt it would prevent that much spam. Most likely, spammers would just manage to find another way around it by changing their strategy and getting smarter about how they do it. Even sites like eBay, PayPal, etc. have the same issue with people sending phishing emails to gain access to unsuspecting users’ accounts.
The only real way we can get the internet to be more secure regarding passwords is by educating the public about fake phishing websites used to pry users from their accounts.
i use myspace everyday and my inbox and comments are full of spam
hey, u should report to myspace about the spam lol