Passwords – what’s the best way to deal with your ever-growing amount of online accounts?
If you are, like me, always struggling with the question of how to keep your online accounts safe without using the same password on every account, this is a must-read.
I admit: I used to have a great password I used all the time. Google (!) realized this and urged me to come up with something more creative. More than twenty of my accounts had the same password. It seemed a daunting task. How to protect all my accounts and still be able to use them? But ever since I started to work for Skopos I found out that creating a solid digital defense is not as hard as it seems. And understanding how hackers work also helps a lot in protecting yourself from being a victim.
How do hackers get into your account?
Hackers get your password via data breaches, where it is handed to them on a silver platter, complete with your email address or account name. Hackers also know that you reuse passwords on different sites, so it is easy to do the math and connect johnsmith@onesite to johnsmith@anothersite. Another way hackers get your password is phishing: criminals trick you into supplying your personal information in response to what you believe is a genuine request from a legitimate site or vendor. You can read more about phishing in this blog. Another high risk is the use of a very common password: hackers simply test popular passwords against a large number of user accounts, a few guesses per account. The chances are high that your account can be cracked in such a password spraying attack.
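The spraying attack described above has a recognisable shape in authentication logs: one source address fails against many different accounts, but only once or twice per account, so it never trips the per-account lockout. The following detection logic is an added example, not code from the original post or from Skopos; the log line format, the window size and the thresholds are assumptions made for the example, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log (not real data). The line format is an
# assumption made for this example; adapt LINE_RE to your own log source.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z LOGIN_FAILED user=alice src=203.0.113.5
2024-03-01T10:00:03Z LOGIN_FAILED user=bob src=203.0.113.5
2024-03-01T10:00:05Z LOGIN_FAILED user=carol src=203.0.113.5
2024-03-01T10:00:07Z LOGIN_FAILED user=dave src=203.0.113.5
2024-03-01T10:00:09Z LOGIN_OK user=erin src=203.0.113.5
2024-03-01T10:00:11Z LOGIN_FAILED user=frank src=203.0.113.5
2024-03-01T10:01:00Z LOGIN_FAILED user=alice src=198.51.100.7
2024-03-01T10:01:02Z LOGIN_OK user=alice src=198.51.100.7
2024-03-01T10:05:00Z LOGIN_FAILED user=gina src=192.0.2.9
2024-03-01T10:05:01Z LOGIN_FAILED user=gina src=192.0.2.9
2024-03-01T10:05:02Z LOGIN_FAILED user=gina src=192.0.2.9
2024-03-01T10:05:03Z LOGIN_FAILED user=gina src=192.0.2.9
2024-03-01T10:05:04Z LOGIN_FAILED user=gina src=192.0.2.9
2024-03-01T10:05:05Z LOGIN_FAILED user=gina src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>LOGIN_FAILED|LOGIN_OK)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, event, user, src), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["event"], m["user"], m["src"]


def detect_spraying(lines, window_s=600, min_accounts=5, max_per_account=2):
    """Flag sources that fail against many accounts with few attempts each.

    The low per-account count is the spraying fingerprint: it stays under
    lockout thresholds, so per-account alerting never fires. Events are
    grouped into fixed windows of window_s seconds per source address.
    """
    failures = defaultdict(lambda: defaultdict(int))  # (src, window) -> user -> fails
    successes = defaultdict(set)                       # (src, window) -> users logged in
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, event, user, src = rec
        key = (src, int(ts.timestamp()) // window_s)
        if event == "LOGIN_FAILED":
            failures[key][user] += 1
        else:
            successes[key].add(user)

    alerts = {}
    for key, per_user in failures.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            alerts[key[0]] = {
                "accounts": sorted(per_user),
                # a success from a spraying source is the account most likely breached
                "successes": sorted(successes.get(key, ())),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_spraying(SAMPLE_LOG.splitlines()).items():
        print(f"spraying from {src}: {len(info['accounts'])} accounts tried, "
              f"successful logins: {info['successes'] or 'none'}")
```

On the sample data only 203.0.113.5 is flagged: it touched five accounts once each and then logged in as erin, which is the event worth escalating first. The six failures against gina from 192.0.2.9 are a plain brute force against one account and are left to ordinary lockout rules.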
There are many other ways for hackers to get hold of your password. But the most important question is: how do you avoid being hacked? In this article, we touch upon four best practices to apply to your passwords.
Four best practices for password management
1. Add two factor authentication
Whenever it is available, use two factor authentication. It is a second, independent way to identify yourself and therefore adds a second layer of security. Websites like Amazon, Apple, Dropbox, Facebook, Google and many more all support 2FA. A 2FA system requires two different factors to identify yourself:
– something you know (like your username and password)
– something you have (like a smartphone on which you receive an authentication code)
– something you are (your biometric data)
– somewhere you are (your IP address; if it differs from your usual one you might receive a notification)
– something you do (like a gesture, a touch or a Picture Password on Windows 8).
A combination of these factors makes your protection stronger. Two factor authentication is great; multi-factor authentication is even better. According to Microsoft, 2FA reduces the chance of an account being hacked by 99%. While there are still ways to get around 2FA, mainly by social engineering, it significantly reduces the chance of a data breach at no extra cost to you.
If your device allows it, you can add the extra layer of your physical characteristics to identify yourself. This is called ‘biometrics’. Fingerprints, facial recognition and retina scans are the most commonly used forms of biometric identification. While your thumb and irises are easy to use, they are not the ultimate solution for a passwordless future: remember that your biometric data has to be stored somewhere and can therefore be stolen. However, since biometrics cannot easily be captured by a simple phishing attack, they are perhaps the best authentication method when used alongside passwords. There is still a lot of room for improvement in these technologies.
2. The longer, the better
If the account allows it, create a password that is both usable and as hard to crack as possible. Recent research has shown that it is the length of a password that makes it strong. A password sentence with spaces like “what is essential is invisible to the eye” (if the software allows spaces) is actually more difficult to crack than “!nv!s!bl3t0thE3y3”, even though the former is much easier for us to remember. For a brute-forcing algorithm, every additional character multiplies the number of combinations it has to try, so the difficulty grows exponentially with length. If possible, use a mix of the following tips to build better passwords:
- Mix letters and numbers (swap an A for an @, a C for a <, etc.) and mix uppercase and lowercase letters. For example: Myd0g|$,rAzy@sC@nbE
- Use geometrical patterns on your keyboard: triangles, X’s, diagonals, trapezoids, and remember the password by shape and feel alone.
- Use a formula (birthday + pet’s name + account name) or a BASE + PIN combination, where you write down the BASE somewhere and remember the PIN. For example: 1982FlipFacebook.
- Use a line of a song or a whole sentence you can easily remember (but that other people cannot). You can play with this, for example by using acronyms or alternate characters. For example: Allchildren,exceptone,growup or Alhlrnecpoe,rwp
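To make the "length beats complexity" point concrete, the following added example (not code from the original post or from Skopos) works out the search space a brute-forcer faces for the two passwords quoted above. It models the alphabet as the union of the character classes present in the password; the guessing rate of 10^10 guesses per second and the 20,000-word vocabulary used for the word-based estimate are assumptions chosen for the example.

```python
import math
import string

# Character classes a per-character brute-force guesser must cover once it
# sees (or assumes) that class is in use. Space is counted with punctuation.
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)


def charset_size(password):
    """Size of the alphabet a brute-forcer has to enumerate for this password."""
    present = set(password)
    return sum(size for chars, size in CLASSES if present & chars)


def search_space_bits(password):
    """log2 of the number of strings of this length over this alphabet.

    Each extra character multiplies the space by charset_size(), so the bits
    grow linearly and the number of guesses grows exponentially with length.
    """
    return len(password) * math.log2(charset_size(password))


def phrase_bits_by_words(phrase, vocabulary=20000):
    """Cost model for a guesser that tries whole dictionary words instead of
    characters: each word contributes log2(vocabulary) bits. The vocabulary
    size is an assumption made for this example."""
    return len(phrase.split()) * math.log2(vocabulary)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Time to try every candidate at a given guessing rate (rate is assumed)."""
    return 2 ** bits / guesses_per_second / (365.25 * 86400)


if __name__ == "__main__":
    sentence = "what is essential is invisible to the eye"
    for pw in (sentence, "!nv!s!bl3t0thE3y3"):
        bits = search_space_bits(pw)
        print(f"{pw!r}: {len(pw)} chars, alphabet {charset_size(pw)}, "
              f"{bits:.1f} bits, ~{years_to_exhaust(bits):.3g} years at 1e10 guesses/s")
    print(f"passphrase guessed word by word: {phrase_bits_by_words(sentence):.1f} bits")
```

The 17-character substituted password draws on all four classes (95 symbols), yet the 41-character sentence over lowercase letters and space comes out well ahead, and it still does so under the word-by-word model, which is the attacker model the tips above (acronyms, alternate characters) are meant to defeat. An 8-character lowercase word such as "password", by contrast, is exhausted in seconds at the assumed rate.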
3. Use it only once
Every password becomes weak if it is used across multiple sites. A password leaked from one site is simply tried on every other site where you have an account. Using a password more than once can have consequences you will deeply regret, leading to potential disorder and chaos. Make every password unique. If possible, tie certain mnemonics to the websites you are creating a password for: maybe Facebook reminds you of your teenage years, and Twitter of some newspaper you used to read. Get creative and have fun, but never reuse a password.
4. Use a password manager
Once you have managed to think of different, unique and long passwords, you still need to be practical. Memory is fragile and you can only remember so many passwords. Fortunately there are tools for this: password managers let you keep all your user names and passwords in one secure location. With a password manager you only need to remember one password, the master password. The manager then automatically fills the appropriate login information into the website you are visiting.
You might think that this function already exists in your browser: Chrome, Firefox, Internet Explorer and others all have integrated password managers. The advantage of a dedicated password manager is that it stores your passwords in encrypted form, helps you generate secure random passwords and lets you easily sync your passwords across all the computers, smartphones and tablets you use. We recommend LastPass, a very accessible tool with a lot of features, or KeePass, an open source manager, as a zero-cost second-best option.
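The three jobs a password manager does for sections 3 and 4 above, deriving an encryption key from the one master password you remember, generating random passwords, and showing you where you have reused one, are small enough to demonstrate in a few functions. The code below is an added example and is not the code of LastPass, KeePass or Skopos; the choice of scrypt with n=2^14, the 24-character default length and the sample vault are assumptions and constructed data for the example.

```python
import hashlib
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=24, alphabet=ALPHABET):
    """Random password from the CSPRNG-backed `secrets` module (never `random`)."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_vault_key(master_password, salt, n=2 ** 14):
    """Turn the master password into a 32-byte encryption key with scrypt.

    scrypt is memory-hard, so an attacker who steals the encrypted vault
    pays for every master-password guess; the salt stops precomputation.
    The cost parameters are assumptions chosen for this example.
    """
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=n, r=8, p=1, dklen=32)


def find_reused(vault):
    """Audit a vault (site -> password) and report sites sharing a password.

    The report is keyed by a short SHA-256 fingerprint so that it can be
    shown or logged without exposing the plaintext passwords.
    """
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {
        hashlib.sha256(pw.encode("utf-8")).hexdigest()[:12]: sorted(sites)
        for pw, sites in by_password.items()
        if len(sites) > 1
    }


# Constructed sample vault for the audit (not real credentials).
SAMPLE_VAULT = {
    "facebook": "1982FlipFacebook",
    "twitter": "1982FlipFacebook",
    "webshop": "1982FlipFacebook",
    "bank": "Allchildren,exceptone,growup",
    "email": "Myd0g|$,rAzy@sC@nbE",
}


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # stored next to the vault, it is not secret
    key = derive_vault_key("what is essential is invisible to the eye", salt)
    print(f"vault key: {key.hex()[:16]}... ({len(key)} bytes)")
    for fingerprint, sites in find_reused(SAMPLE_VAULT).items():
        print(f"password {fingerprint} is reused on: {', '.join(sites)}")
        for site in sites:
            print(f"  replacement for {site}: {generate_password()}")
```

The design point is that the master password is the only secret that has to be strong enough on its own: everything else in the vault can be a long random string nobody needs to remember, and the audit makes a reused one visible before a breach at one site does.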
In sum, with a bit of effort, creativity and some discipline you can still have secure and easy access to all your accounts. If you use two factor authentication whenever that is possible, use long passwords, store your passwords in a password manager and never re-use a password, you are doing a great job. When applying these four best practices for password management, you will be a lot safer from a hacker attack and, when it occurs, should not have to worry about your personal data from other sites being exposed. In the end, a password is something deeply personal. Try to make this into a challenge – why not invent a password that would take years, decades or even longer to hack? At Skopos we make it our mission to give insight into your cyber risks. Do you want to know whether your passwords have been breached? Get in contact with our ethical hackers and we will help you to grow a solid digital defense and protect you against hacker attacks. You can reach us by phone on +44-932201653 or via email@example.com.