Some time ago, I said that passwords were not secure and that I would be doing a blog post about it so you would know what to do.
At long last, this is that post.
When I first posted that warning to Facebook, I had just read an article talking about how successful hackers are in breaking passwords. The article contained alot of information about the methods and tools that hackers use.
Since I read that article, I have read a second article in Wired magazine about how one of its technology reporters had gotten his entire life hacked; everything he owned that was stored online was broken into and stolen.
Did this reporter have weak passwords or some other easy reason why it happened to him? No. His Gmail password was as long(16 characters including dashes -, upper and lower case, numbers and an exclamation point).
And it was still broken into.
So, if a techno-geek can be hacked with all he knows about security, what hope is there for us normal people?
Actually, there is hope. I will outline several Do’s and Dont’s for password creation and general online security.
But before I do that, a word: I am talking about online security, not about the computer you are sitting in front of right now. I dont want anyone to be confused about what I am saying.
Yes, you need good security on your computer, but an antivirus program will not keep someone on the internet from trying to break into your bank account.
So here’s what to do(from the Wired article):
Reuse passwords. If you do, a hacker who gets just one of your accounts will own them all. Dont use variants, either. I know its tempting, but dont.
Use a dictionary word as your password. If you must, then string several together into a pass phrase.
Use standard number substitutions. Think “P455w0rd” is a good password? N0p3! Cracking tools now have those built in.
Use a short password—no matter how weird. Today’s processing speeds mean that even passwords like “h6!r$q” are quickly crackable. Your best defense is the longest possible password.
Enable two-factor authentication when offered. When you log in from a strange location, a system like this will send you a text message with a code to confirm.
Give bogus answers to security questions. Think of them as a secondary password. Just keep your answers memorable. My first car? Why, it was a “Camper Van Beethoven Freaking Rules.”
Scrub your online presence. One of the easiest ways to hack into an account is through your email and billing address information. Sites like Spokeo and WhitePages.com offer opt-out mechanisms to get your information removed from their databases.
Use a unique, secure email address for password recoveries. If a hacker knows where your password reset goes, that’s a line of attack. So create a special account you never use for communications. And make sure to choose a username that isn’t tied to your name, so it can’t be easily guessed.
I know that doing these things are and will be complicated and frustrating, but right now its what we have.
A tip for remembering all of these new complicated things is to Write Them Down.
Get a little notebook from your local office supply store and write down all of your new passwords.
Set up a new online email account, or better yet, two. With different passwords.
One of these new emails is to be never used unless you are resetting a password, so that it wont be compromised. The other email address is one that you dont care about; these secondary emails are called “dump” or “dummy” emails. They are used when you are asked to register for a place that you will only use once, so that your main email doesnt get clogged with spam.
Now all you need to do is reset all of your current passwords to something stronger.
But, what is “stronger”? What you do is, take a book, open to a random page and choose four words from different places that dont go together.
For example, “correct horse battery staple”. If the reset form says you need an upper case and a number, then put one in. Just not at the beginning or end.
And Write Them All Down.