These days the news is filled with stories about hackers and “hacktivists” breaking into organizations and posting user names and passwords on their websites. It’s enough to worry even the most careful computer user, but what can we do? We can’t get rid of passwords quite yet (maybe in the future we can), so we need to manage our password use in a way that minimizes our risk.
The first step is giving your passwords a more secure structure. That won’t save you from a company that gets breached and stored its password database in plain text (or with a weak, unsalted hash), but it does help against someone trying to guess their way directly into your account. When choosing a password, use 8 or more characters and a mix of upper and lower case letters, numbers and symbols. Having at least 3 of those 4 classes helps; having all 4 makes guessing harder still, and every extra character does more for you than any single symbol, so treat 8 as a floor rather than a target. Also avoid anything that can be easily found out, like your middle name or your kids’ names. So let’s take the word “hacktivist” and turn it into a secure password like this: h4cT!^!sTs. It may look hard to type and remember, but all I did was capitalize the T’s, change the A to a 4, change the I’s to “!” and invert the V. This is an extreme example, but it shows how one can make a password much harder for a person to guess. One caveat: these same substitutions are built into password-cracking tools as rewrite rules, so a dictionary word in leetspeak is harder for a person to guess but only slightly harder for a cracker. A longer phrase that is not a single dictionary word buys you more than the symbols do.
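To make the rule above concrete, here is a small checker (an added example, not code from the original post) that scores a password the way the paragraph describes and also shows the caveat: it reverses the common leetspeak substitutions and looks for a dictionary word underneath. The wordlist and the `LEET_REVERSE` table are constructed for the example; real cracking tools ship millions of words and apply these substitutions in the forward direction as rules.

```python
import string

# Constructed stand-in for a cracking wordlist (real ones have millions of entries).
WORDLIST = {"password", "hacktivist", "activist", "welcome", "letmein", "zeppelin", "summer"}

# Common substitutions mapped back to the letter they replace. Cracking tools ship
# these same substitutions as forward rewrite rules, so "h4cT!^!sTs" is one rule
# application away from a dictionary word, not a random string. (Table is an
# assumption for the example, not an exhaustive list.)
LEET_REVERSE = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "|": "i",
                "0": "o", "$": "s", "5": "s", "7": "t", "+": "t", "^": "v", "2": "z"}


def character_classes(pw: str) -> int:
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    symbol = any(c in string.punctuation for c in pw)
    return sum((lower, upper, digit, symbol))


def unleet(pw: str) -> str:
    """Undo the substitutions and case changes a human would apply by hand."""
    return "".join(LEET_REVERSE.get(c, c) for c in pw).lower()


def dictionary_hit(pw: str, wordlist=WORDLIST, min_len: int = 5):
    """Return the longest wordlist entry hiding under the substitutions, or None."""
    base = unleet(pw)
    hits = [w for w in wordlist if len(w) >= min_len and w in base]
    return max(hits, key=len) if hits else None


def assess(pw: str, personal_terms=()) -> list:
    """Apply the post's rules (8+ chars, 3-4 classes, nothing guessable about you)
    plus the leetspeak-over-dictionary-word check. Returns a list of problems."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = character_classes(pw)
    if classes < 3:
        problems.append(f"only {classes} of 4 character classes")
    hit = dictionary_hit(pw)
    if hit:
        problems.append(f"leetspeak over dictionary word '{hit}'")
    base = unleet(pw)
    for term in personal_terms:          # e.g. kids' names, pets, middle name
        if term.lower() in base:
            problems.append(f"contains personal term '{term}'")
    return problems


if __name__ == "__main__":
    for candidate in ("h4cT!^!sTs", "password1", "Br33ze2024!", "Xq7#mL9!vRw2"):
        print(candidate, "->", assess(candidate, personal_terms=("Breeze",)) or "ok")
```

Note that the post’s own example passes the four-class rule yet still gets flagged: once the substitutions are undone, “activist” is sitting right inside it.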
The next step is not to use the same password everywhere. This is an easy trap to fall into and a mistake many, many people make. Let’s look at an example of the risk.
You have an email account with a site and the site gets hacked. The hackers get user names and passwords and post them on their website (or decide to use them themselves). Then they read your emails and see that you bank at Bank of America, have a Chase credit card and use Facebook. Now they know where you go, and they will likely try the stolen password on those sites to get more information on you.
Granted, if they got into the email you use for those sites, they could use each site’s password recovery to reset your passwords, which is why the email account deserves your strongest password. However, the same example applies to other places that collect personal information but are not email servers. What I usually do is keep a separate password for each threat level: basic websites where all I do is chat get one; places that may hold account information (online stores) share a couple that I use between them; and banks, brokers and credit cards each get their own.
Then there’s the “Oh, I didn’t realize I had this many accounts” moment, and trying to figure out a way to keep track of all the passwords. There are a few ways of doing this that do not include letting your browser remember them. I never let my systems “remember” login information, just in case my laptop gets lost or stolen or someone gets onto my machine. There are password management programs on the market that can be used, but if you choose this route make sure they encrypt your information: the whole store, under a key derived from a master password you have to type, not just a “protected” flag on the file. I use a simple spreadsheet that is also password protected. I don’t put the actual user names or passwords in it; rather, I put hints as to what they would be. For example, the hint “Black dog” could reference “Led Zeppelin” or “Breeze”, a black dog I was fond of in the past.
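What “make sure they encrypt your information” looks like in practice, as an added example that is not part of the original post: a tiny hint store that stretches the master password with scrypt, encrypts with a separate key, and authenticates the result so a tampered or wrong-password file is rejected instead of silently decrypting to garbage. It sticks to the Python standard library so it runs anywhere, which means the cipher is HMAC-SHA256 run in counter mode as a keystream (a standard PRF-as-stream-cipher construction) rather than a vetted AEAD; for anything real, use a maintained password manager or a library cipher such as AES-GCM or ChaCha20-Poly1305. The hint entries are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

SALT_LEN = 16    # scrypt salt, stored in clear at the front of the file
NONCE_LEN = 16   # per-file nonce for the keystream
TAG_LEN = 32     # HMAC-SHA256 tag, stored at the end


def derive_keys(passphrase: str, salt: bytes):
    """Stretch the master passphrase with scrypt (memory-hard, slows guessing)
    and split the output into an encryption key and a separate MAC key."""
    km = hashlib.scrypt(passphrase.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a stream cipher. A stdlib-only stand-in
    (assumption for this example); prefer a library AEAD in real code."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(passphrase: str, entries: dict) -> bytes:
    """Encrypt-then-MAC the hint table. Output: salt || nonce || ciphertext || tag."""
    plaintext = json.dumps(entries).encode()
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unseal(passphrase: str, blob: bytes) -> dict:
    """Verify the tag first (constant-time), only then decrypt."""
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or file has been tampered with")
    pt = bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))
    return json.loads(pt.decode())


def leaks_plaintext(blob: bytes, entries: dict) -> bool:
    """The check the post asks for: can any stored hint be read straight off the file?"""
    return any(value.encode() in blob for value in entries.values())


if __name__ == "__main__":
    # Constructed sample hints, in the style of the post (hints, not the passwords).
    hints = {"bank": "Black dog", "online store": "First car", "forum": "Summer job town"}
    vault = seal("correct horse battery staple", hints)
    print("plaintext visible on disk:", leaks_plaintext(vault, hints))
    print("round trip:", unseal("correct horse battery staple", vault) == hints)
```

Two things worth noticing in the design: the salt and nonce are random per save, so two vaults with the same master password and contents do not look alike on disk, and the tag covers the salt and nonce as well as the ciphertext, so an attacker cannot swap those fields either.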
Finally, be wary of the attack methods of phishing and social engineering (not to be confused with the Facebook type of social networking). Phishing uses very official-looking emails to get personal information out of you, by having you click a link to a fake website or open an attachment that carries malware. Social engineering uses email phishing as well as phone calls, Facebook and the like to learn a little more about you each time; it is more often used against business targets but is seen against individuals too. I’ll get a bit more into these threats later, as they are full topics themselves.
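The “official-looking email with a link to a fake website” pattern has a few tells you can check mechanically. As an added example (not part of the original post), here is a small analyzer that parses a message and flags a Reply-To domain that differs from the From domain, a link whose visible text names one site while its href goes to another, and links that use an IP address or a `user@host` trick. The sample email is constructed for the example (the domains in it are not real phishing infrastructure), and the “last two DNS labels” notion of a site is a deliberate simplification; a real check would use the Public Suffix List.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the display name and From domain look like the
# bank, while the Reply-To and the real link target do not.
SAMPLE_EMAIL = """\
From: "Bank of America" <alerts@bankofamerica.com>
Reply-To: support@secure-login-verify.example
To: you@example.org
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Unusual activity was detected. Please visit
<a href="http://bankofamerica.com.secure-login-verify.example/login">https://www.bankofamerica.com/</a>
within 24 hours or your account will be locked.</p>
<p>Questions? See <a href="https://www.bankofamerica.com/help">our help page</a>.</p>
</body></html>
"""

URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I):
        url = "http://" + url          # bare "www.example.com/x" in anchor text
    return (urlparse(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Simplified site identity: the last two DNS labels (assumption; co.uk etc. need the PSL)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def analyze(raw_message: str) -> list:
    """Return (code, detail) findings for the phishing tells described in the post."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_to and sender and registrable(reply_to) != registrable(sender):
        findings.append(("reply-to-mismatch", f"From {sender} but replies go to {reply_to}"))

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        target = host_of(href)
        if "@" in urlparse(href).netloc:
            findings.append(("userinfo-in-url", href))
        if IPV4.match(target):
            findings.append(("ip-literal-link", href))
        if URL_LIKE.match(text) and registrable(host_of(text)) != registrable(target):
            findings.append(("link-text-mismatch", f"text shows {host_of(text)} but goes to {target}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_EMAIL):
        print(f"{code}: {detail}")
```

The second link in the sample, whose text is just “our help page”, is deliberately not flagged: plain words in anchor text tell the reader nothing about where they are going, so only text that itself looks like a URL is compared against the real destination.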