A friend recently asked me how to choose a password, and since I just finished 2 books on internet security, I thought I’d share what I’ve learned in a post. Our understanding of a good password comes from website prompts, which aren’t all that helpful. There are easier ways to come up with hack-resistant passwords.
You can read the wiki on the topic of password managers. This is basically software (on your computer, on a token, or in the cloud) that stores all your usernames and passwords and logs you in to each website with them. The passwords can be stupid long, random and complex because you won’t have to remember them.
KeePass is a popular open source password manager project.
I won’t get into password managers because the idea doesn’t make much sense to me. You still need one master password and there is a database of all your passwords stored somewhere – somewhere safe, I hope?
That said, it’s an option that’s widely advertised in internet security columns. But I have a suspicious feeling that these companies are just great marketers and put the right information out there. Or Dr. Mo is just one paranoid little shit.
How Hackers Gain Access To Our Accounts
Before discussing how to choose a great password, it’s important to first understand how hackers gain access to our accounts. I always thought that they just sit there and guess the password using various pieces of software… wrong.
Targeting Large Databases of Users
These days, hackers are organized institutions and rarely the rogue individual we see in movies. There is a lot of money out there when you can sell password databases on the black market. Individual accounts are of lesser interest, but big databases are worth a lot of money.
Then there is the task of cracking the database and extracting individual accounts and passwords. Often, one password will lead to uncovering other passwords, because online users are predictable that way.
Targeting An Individual
When the target is a high-profile person, a group of hackers may go after that person’s account, and that’s when social engineering is used to obtain the necessary information. If someone wanted access to your bank account, they would only need access to your email: they would reset the password on your bank’s website, choose their own password, and they are in.
Choosing A Great Password
There is no universal truth about choosing a great password. But the notion that a totally random string of characters is the best password is actually not accurate. You can piece together several words and letters and characters and you will have a password just as secure.
The key is to make sure that nothing within that password contains anything from your personal history that someone else could guess.
Tell A Story For Each Account
The trick with using words, characters and numbers is to tell a story, one that you can remember. Sadly, some companies still limit your password to 15-20 characters, which isn’t ideal, but do your best.
The password above could be for my email account. To me, it means that I opened this email account to stay in touch with my childhood friend back when I used to live in Germany. His name was Iggie. I met him in 1988.
Prevent Social Engineering Attacks
Let’s get back to social engineering. If someone wanted to hack you individually, they would find out as much as possible about you. They could then guess your security questions, or feed the relevant data into password-guessing software and eventually get into your account.
For example, in the past my passwords always had a car name, a string of numbers associated with something in my history, and 2 symbols that sit close together on the keyboard.
I even used the same password on every single website.
Later I thought I was clever and added a letter in the middle of the password unique for each website. Well, not that unique because I used a very simple idea.
Good Password Characteristics
- make it as long as possible
- you can substitute a number for a letter in a word
- use foreign language words
- even better: use words nobody else would be familiar with
- make every 2nd or 3rd letter in a word upper case
- test your Frankenstein creation @ Password Meter
First, when using a website such as Password Meter, it’s of course wise not to enter your actual password. It’s not even about the website logging your input, which is highly unlikely. But if you look at the web address of that site, it’s not https, which means there is no secure connection. What you type into that website isn’t encrypted on its way over the web, so a “man-in-the-middle” could be listening in.
Second, pay more attention to the “deductions”, which explain why your password was rated good or bad. Even if you have a very strong password, it’s still good to see why you had points deducted and correct those.
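Since the meter site runs over plain http, here is an added example (my own code, not the Password Meter site’s or the books’) of the same kind of check done offline: a brute-force entropy estimate, the “deductions” a meter would flag (years, keyboard runs, known words), and the honest per-word estimate for story passwords. The word list is a constructed stand-in for a real dictionary.

```python
import math
import re
import string

# Constructed stand-in for a dictionary plus personal-history words; a real
# checker would load a proper word list (and the car names, towns, friends
# a social engineer could dig up about you).
COMMON_WORDS = {"password", "summer", "honda", "mustang", "berlin", "iggie"}

KEYBOARD_RUNS = re.compile(r"(?:012|123|234|345|456|567|678|789|abc|bcd|cde|qwe|wer|ert|asd|sdf|zxc)")


def char_pool_size(pw: str) -> int:
    """Size of the alphabet the password visibly draws from."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        pool += len(string.punctuation)
    return pool


def deductions(pw: str) -> list:
    """Patterns that make a password cheaper to guess than its length suggests."""
    found = []
    lower = pw.lower()
    if re.search(r"(.)\1\1", pw):
        found.append("three or more repeated characters in a row")
    if KEYBOARD_RUNS.search(lower):
        found.append("keyboard or numeric sequence")
    if re.search(r"(?:19|20)\d\d", pw):
        found.append("four-digit year")
    if pw.isalpha() or pw.isdigit():
        found.append("only letters or only digits")
    for word in sorted(COMMON_WORDS):
        if word in lower:
            found.append(f"dictionary/personal word '{word}'")
    return found


def estimate_bits(pw: str) -> float:
    """Brute-force estimate log2(pool^length), minus a flat 8 bits per deduction (heuristic)."""
    if not pw:
        return 0.0
    bits = len(pw) * math.log2(char_pool_size(pw))
    return max(0.0, bits - 8 * len(deductions(pw)))


def word_bits(n_words: int, dictionary_size: int) -> float:
    """Entropy of a passphrase built from dictionary words: an attacker guesses words, not letters."""
    return n_words * math.log2(dictionary_size)
```

Run `deductions("Mustang1988!@")` to see the author’s old car-name-plus-year pattern flagged, while a mangled foreign-word string such as `bRaTwUrStKaLtErKaFfEe7` passes clean.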
When You Are Targeted Individually
It’s much less likely that someone will sit there and try to guess your passwords, because of how time-consuming and software-intensive that is. Instead, they will find out pertinent information about you and use that to get access to one of your accounts:
- phone numbers
- social security number
Your phone number and email have become far more important data points than your SSN. You wouldn’t believe the amount of information a villain could obtain by having access to those 2 things.
Next, it’s important to protect your personal devices. That includes your home desktop, laptops, and cell phones. Any software or hardware that is attached to these devices can install malware without you having a clue. Your keystrokes can be logged, your behavior can be monitored, and your passwords extracted.
Other Steps Worth Taking
1. Phone # and emails. I would recommend having different phone numbers and email addresses to give to different major banking sites. The phone numbers can be fake, that’s easy. Don’t use older ones which may be available on your credit report.
Email might be tougher because you need to access that email account for information sent there. Thankfully it’s very easy to open multiple email accounts.
2. Security questions. Get creative with answers to security questions. If it asks for your mother’s maiden name then you can enter a funny nickname for her. The computer won’t care what you use. Just be prepared to share this with online tech support if they ask you for it. Or add 2 symbols at the end of the real answer – anything to make it one step harder for a hacker.
3. Clicking on email links. When you are contacted by a website or company about something that requires you to click on a link in the email – don’t. There is no need to. If there is an action you need to take then log onto that particular website and see if the same message is posted in your message folder.
This happened to me a year ago when I got an email from my brokerage account to do something. I went online first and didn’t see the same request in my message folder. I contacted their fraud department and that was that.
The exception is when you have requested a password reset or requested an action from your particular online company and expect a link to be sent.
Minimize Data Intersection
Don’t use your Facebook account or your Google accounts to access other websites. Sure, it’s a very convenient option and it’s available but don’t assume that Google or Facebook are immune to hacking. It takes one angry employee or an orchestrated attack to compromise these websites.
Multiple Credit Cards & Accounts
Don’t have too many credit cards. Don’t create too many online profiles on different websites.
Don’t use the same email and phone number for all of your major banking websites.
As I mentioned, don’t use the same password for the different accounts. Never. Even if you just go in and add a random letter or number into each password, you’ll make it that much harder for your other accounts to be compromised once 1 account is hacked.
Freeze Your Credit Report
I never realized how much companies were accessing my credit reports until I froze them. Applying for jobs and getting access to certain websites was dependent on someone else having access to my credit report.
Because of this I have chosen not to do business with certain companies. I see no reason for me to compromise my personal information in order for a company to do business. There are ways around it and it’s up to the company to figure it out.
Two-Factor Authentication
Most are familiar with this. When you try to access your account, you are asked for your password and are also sent a text message to your phone.
Or you might be asked to look at a physical RSA token which generates random numbers and input that into the browser or app. There are also authentication apps which can be linked to your account which also generate these random number strings.
Google, for example, allows you to have all the above. You can have a text sent to your phone. You can have a physical token or you can opt for their Authenticator app.
A Final Note
The world isn’t out to get us. It’s important to understand what information is accessible and what isn’t worth accessing. It’s more important to understand how someone who desperately wants your information can get to it.
Thinking that everyone online is out to get you and that everyone is trying to rob you or steal your information is not only silly but it will drain you. You’ll be so caught up trying to protect information that doesn’t need protecting that you’ll have no energy left to secure what you need to secure.
And if I scared the shit out of you, sorry, that wasn’t my intention. I actually think that it’s much harder to hack a person than I initially thought after really delving into this nerdy stuff. You can always hire security experts who can tell you exactly where you are compromised and where you can make improvements.