Do you know what your online passwords are? If you do, you might need to reconsider how you manage your passwords!
Your username and password are what keeps other people from getting access to your online services. Whether its your email, insurance, newspaper or social media accounts, it is your username and password which tells the website to allow you in but keep all other people out. Passwords, however, are often seen by people as an inconvenience and a hassle. People find it hard to remember them and the majority of people who use the internet have bad habits when it comes to managing their passwords. This is exploited by cybercriminals who use many techniques to try and capture your password, either from you or from the website where it is stored.
When you create an online account, both your username (which is often your email address) and your password are stored in a database. The website should then encode your password, so it is stored as a long series of letters of number, and not the original characters which you entered the website. This protects you, as it means the cybercriminals must then break the encoded data to get your original password. However, there is a strong market for both ‘plaintext’ and encoded password data among cybercriminals and data stolen from one website can be sold many times.
Unfortunately, it is well known that most people will reuse the same password over multiple sites. This means that if password information is stolen from one website, it can be used for many other websites, which is one of the reasons why there is a such a strong trade in password data. Ideally, every password that you use should be unique to that website, so a data breach for one site won’t let cybercriminals access any other of your online accounts. Cybersecurity expert Troy Hunt has a built a free service, where you can check to see if your email or password have been stolen in a data breach and are available to cybercriminals.
So what makes a good password? There are many myths around passwords, with people thinking that the more random they are, the more secure they are, which isn’t always true as when it comes to passwords, size matters. ‘Brute forcing’ a password is when someone systematically tries all possible combinations of letters, numbers and symbols and is a common way to try and break encoded password. An example of a complicated password is Gz@J,F7q but because it is short, it would take only 18 hours to be broken by a ‘moderate’ password guessing rig. A longer password such as dfG*$UA*n&5NfV@4BbNL^ k would take the same rig over a billion, trillion centuries to break by brute force.
Secondly, your password should also be as complex as possible. Complexity refers to the use of upper-case characters, symbols and other special characters. The more complex a password, the less likely it can be broken by using dictionary attacks (where whole words are tried instead of just characters), by exploiting password trends or by substituting in commonly symbols (such as 1 for l and 3 for e). Complex passwords result in randomness (cryptographers refer to this as entropy) in passwords which requires the attacker to fall back on brute-forcing the password which is slow.
Ideally, every password that you use should be long, be unique and be complex, but unless you are gifted with a photographic memory, these will be very impractical to use. Luckily, there are now Password Manager tools available which will create very secure passwords for each of your accounts which you don’t need to remember. There are commercial Password Managers such as 1Password and LastPass as well as free, opensource programs such as Keepass. Many programs also come with extensions for your browser so your passwords will be automatically entered when you visit a site.
Password managers help you to have good, strong passwords for all of your online account, and you only need to remember one password – the one to access your Password Manager.
If you don’t want to go down the route of either paying for a password manager service or using an opensource one, there is a very simple way, which was told to me by a friend in Google, to create strong, unique password for all of your online accounts while still only having to remember one password.
Firstly, create a list of all your online accounts. For each account, create a complex and random password. You can use an online tool or whatever method you prefer, so long as they are random and not related to other. You should be left with a table like this:
Don’t worry if don’t think that you can remember them – you won’t have to. Save the table somewhere safe like Dropbox and print off two copies. Keep one of the copies of the table at home, where it won’t be lost and keep the other copy in your wallet or purse (you may want to laminate it).
Finally, think of a simple phrase to remember which is quite long. An example would be ‘Slate.Ladder,Tesla Plank’. This is the phrase that you have to remember, and if you do write it down, it should never be kept with the table. Your password for each account will be both the secret phrase and the code in the table, so for Facebook your password is ‘Slate.Ladder,Tesla PlankNX!V4FH’.
Using this method, your passwords are now long, complex and unique to each site, and you only need to remember one password.
Finally, for added security, you should enable Two Factor Authentication for all of your online accounts. Two Factor Authentication (2FA) adds an extra step when you try and login to an online service. If you provide the correct username and password, you will also be asked to enter a code. This code is time limited and will either be sent to your device or can be accessed by a 2FA App such as Google Authenticator or Authy.
2FA protects you against people accessing your online accounts even when they have your username and password, as they will now need to get the correct code in order to login successfully. Most online services support 2FA, and many websites will only present a 2FA challenge when you are logging in from a different device than you normally use.