Passwords: Your First Line of Defense in Internet Safety
02/05/2014 2 Comments
by: Doug Zbikowski
It’s amazing how many Internet services an average person uses. For example I’ll pick on my parents as they’re the least tech-savvy people I can think of at the moment: they fall in the “light user” category, yet in an average week they may log into :
- a couple of banks
- investment accounts
- health insurance website
- several retail store accounts
- credit card services
- utility services
…and probably more. That’s 10+ services for a novice user on a weekly basis. Each one of these services requires a way to identify yourself, and that’s usually in the form of a username and password.
Passwords are a weak link in any security system. Forming a password means you have to remember it, and when you’re using several services it gets difficult to keeps things straight. You may get past this by habitually using the same password for everything. To make things even easier, you may be using a simple word or name for your password. On top of these, many services require you to use your email address as your username, and you may be using your email password to log into other services as well.
We all do this- heck, I’ve done it. The major flaw with this practice is you end up with the key to your email messages being stored by several 3rd parties on the Internet. If even one of those services gets compromised by a hacker, they’ll also have full access to your email. From there they can see what services are sending you promotional messages, statements, and bills, use your email account to reset passwords, and gain access to any number of your accounts. Savvy hackers even use social engineering to get information out of friends or family: they may send a message to a coworker or a family member asking for their password information, links to viruses, or even requests to send money to their bank accounts – since the message looks like it came from you they may very well comply with the requests.
Passwords Are Serious Business
According to our security partner GFI, the most common passwords are:
If your password is on this list (or anything similar) and your account gets attacked, your information can be accessed within seconds. Numbers especially are terrible passwords as computers can generate huge lists of numbers instantly, meaning a numbered password is essentially one step above having no password. Keyboard patterns (qwerty”, “zxcvbnm”, “poiuytrewq”) and words found in the dictionary are in this same group. Hackers don’t just sit there and try to type in different passwords. They often employ specialized hardware and software to generate password possibilities. One report I recently read from Security Ledger demonstrated how off the shelf graphics cards used for PC gaming can be used to try billions of passwords at once.
The next most popular set of passwords involves the name of a family member followed by a number. Out of 10 people reading this, I’ll bet one of you is using something on this list:
This is a recent list of the most popular names for boys and girls followed by a “1”. Using any names associated with you makes it easy to figure out your password. Shy away from using proper spellings of children, pets, or possessions. Adding numbers to the end doesn’t help much, so it’s best to avoid the practice. Other personal information to avoid are proper spellings of birth dates, maiden names, or anything else that can easily be tied to you through a bit of research.
The best tip, and I can’t stress this enough, is to stop grouping your email address and email password together when signing in to services. If an account requires you to log in with your email address, that’s completely fine. However, you do NOT need to use your email password to log in. Using a different password will prevent any security breaches on that service from giving access to your email account.
Complexity Can Be Easy
You need to start using complex passwords. It’s actually easy to create a “hack-proof” password using a few simple tricks:
- Use a minimum of 8 characters in any password. Each character you add after that exponentially decreases the likelihood of it being guessed.
- Mix capital and lower case letters, numbers, and characters together. Feel free to use characters in the place of letters: “eric1234” is a terrible password, but Er!cOne23Four is an excellent password. It’s the same thing, just typed a different way.
- Change up a variation of the same theme. Instead of names, maybe make the password relevant to the service you’re logging into. For instance, if you’re logging into your bank, maybe using something like “Ihave3.9%F1nanc1ing”
- Another method is to make a “base” password, and then change the beginning and ending for different services. If you make a base password of “baseball”, maybe use an attribute of the service you’re using before and after the word. Example: if you’re logging into First National Bank, you could use $avingsBaseball@ccount.
The trick is to come up with a pattern that you can remember, but looks complex to everyone else. DO NOT write down passwords anywhere. Most services offer “reminder tools” to nudge you in the right direction if you find yourself with a temporary case of password amnesia. Use these tools rather than relying on a piece of scrap paper that anyone can get a hold of.
Once you come up with your password, you can check its “strength” with Microsoft’s Password Checker Tool: https://www.microsoft.com/security/pc-security/password-checker.aspx. If your password comes up as medium strength or less, revise it until it gets a ‘strong’ rating.
Many Internet users are simply unaware of the importance of security. It is a huge concern, and you need to do your part to protect yourself. Even if you consider an account to be unimportant, the bits of information it contains can easily lead to bigger problems down the road.