How to keep your online accounts secure.
What mistakes do people make with passwords?
- Having passwords that are too short.
- Having passwords that are guessable with no additional information. e.g. password123 or qwerty54321
- Having passwords that are guessable with some basic information about the user. e.g Harry1992 or LondonDave
- Re-using passwords. (Don't use the same password for your email and bank account as you use for the online shop where you bought a toilet brush holder)
- Thinking that you are the first person to notice that some letters look like numbers. Both Password and P455w0rd are awful passwords. Arguably P455w0rd is worse as it might get you past the minimum requirements (as it contains letters and numbers) when you are choosing a password even though it is not at all secure.
- Not enabling two factor authentication (2fa) when available.
What makes a good password?
A good password should be unique and not listed publicly on the internet, so none of the passwords here (publicly on the internet) would make good passwords. However they should be good examples and we will discuss them like they are not listed here.
One option is to have a long string of random characters like .j9}CC+wcRr>;b\G - This is a good option if you are only going to use the password with a password manager however is not so good if you are going to try to memorise it (unless you have an exceptional memory).
Another option which is much more memorable is to use a sequence of words. One technique is to use a series of words separated by a special character with one of the letters (perhaps not the first capitalised). For example I might choose the special character ( and the second letter of each word to be capitalised, add a number on the end and I have:
gOlden(bOokshelf(4832
I only need to remember my system and two words and a number per password and I have a pretty secure password that should meet most password requirements.
Re-using Passwords?
Picture a scenario where an Internet user always uses the same password:
They sign up for online banking and put in their password, it's the same one they use for their email. Later they go onto the website of a clothing retailer where they purchase a pair of socks. To make their purchase they provide their email address and choose a password. They choose the same one they use for their email and bank (it's their favourite password.) Sometime later the retailer which like many websites hasn't been following good security practise themselves (perhaps they used a weak password for their server) lose their entire database to hackers. The database includes our poor internet user's email address and password, the hackers can log in to their email, from there they will be able to find confirmation emails from lots of other places our person has signed up for, they can log in using the same password or now they have control of the email they can do a forgotten password request. The bank hopefully will insist on two factor authentication and prevent a log in (but not all will).
If our user had not re-used their passwords then the worst that might have happened is the hacker could have purchased a few pairs of socks (maybe) and sent our user some spam or scam emails.
The moral of this tale is that you should not re-use passwords. In particular never re-use the passwords for your critical services (usually your main email address and your online banking.)
Password managers
Remembering a different password for every service is a real challenge these days. It might be worth considering a password manager.
What is a password manager?
A password manager is a piece of software or a service that stores passwords for you. There are plenty of free & paid password managers. One popular free and Open Source password manager is KeePass.
Is having a password manager putting all my eggs in one box?
Yes it is a bit like this, however password managers stake their reputation on their security. So it is like having all your eggs in one very secure box. It is certainly preferable to re-using passwords or using weak passwords.
Having a password manager should be used in conjunction with other security measures such as two factor authentication.
If you want to use a password manager but don't fully trust it to store your passwords you could combine the digital store with your brain. E.g. have your passwords consist of:
<long_complex_unique_forgettable_password_stored_in_password_manager>-<shorter_easy_to_remember_password_stored_in_human_brain_only>
In this case in the event that the password manager were to be compromised you would hopefully stay secure with the additional remembered section of each password that was not stored in the password manager.
Two factor authentication (2FA)
Wherever possible you should use Two Factor Authentication.
What is two factor authentication?
Two factor authentication is second means to confirm the person providing the login credentials for something is actually the authorised user and not a hacker or bot that has somehow managed to obtain (or guess) the authorised users credentials.
Usually it will take the form of a short sequence of numbers that are obtained from a two factor authentication application on the users phone or text message sent to the mobile phone number the service being logged into has on file.
So if I have strong, unique passwords and two factor authentication then I am 100% secure?
No system is 100% secure. If you were typing your password and a 2fa code into a compromised computer that had malicious key logging software on it then even all these precautions might not be enough. However this scenario is not so likely. Most common or garden hackers upon finding someone who has strong unique passwords and uses two factor authentication will do the smart thing and move onto the next potential victim and for their sake we hope they are not using the password qw3rty1234 for all their logins.
Spotted a mistake? Have a comment or suggestion? We'd love to hear from you. Please feel free to get in contact.
All information provided by Rootchronicles.com is without warranty. We take no responsibility for any loss, damage or any other misfortune resulting from following or attempting to follow guidance found on this site. If in doubt always seek professional consultation.