The most common technique criminals use to gain access to online accounts is exploiting poor password security. In this article I'll explore the different methods people use to secure their online accounts, and briefly guide you through the strengths and weaknesses of each strategy. Hopefully this will help you to secure your accounts a little better and prevent unauthorised people from gaining access to your accounts and the information contained within them.
Choosing a password
There are a lot of tips out there on how to choose a secure password. Some of it is good advice; a lot of it is useless, outdated or irrelevant.
You don't have to regularly change your password. When people change their password regularly, most fall into the trap of using patterns, such as just changing a number at the end of the password. Patterns make passwords more predictable and thus easier to guess: once you learn that someone's password was previously “password12”, it's fairly easy to work out that it may now be “password13” or something similar.
You should certainly change your password if you have even a tiny suspicion that your account has been compromised or that somebody has learned what it is.
A longer password is more important than a more random password. Generally, a password at least 12-15 characters long (letters, numbers, symbols) is recommended. If a passphrase like “IlovetobeSuperSecureOnFacebook” is more memorable to you than “6Epo%DU”, go ahead. In the book Perfect Passwords, Mark Burnett writes: “Usually all it takes is a password just two characters longer to make up for a lack of other types of characters such as upper-case, numbers, or symbols”. This is because the length of the password also determines how difficult it is for a computer program to guess (crack) the password.
In addition to having a long password, you should make it as unique as possible. Using a password like “passwordpassword” for all of your accounts is hardly going to earn you any points.
Generally, the best password is one that you don't even know yourself, which may at first seem like a strange concept, but I'll get back to that later on in the password manager section.
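To show why length counts for more than a wider character set, here is an added worked example (my own, not from the article or from Burnett's book). It computes the entropy of a password drawn uniformly at random from a given character pool, works out how many extra characters a narrower pool needs to catch up with a wider one, and converts entropy into an average cracking time. The guess rate of 1e10 per second is an assumed figure for an offline attack on a fast hash, not a measurement, and the pool sizes are assumptions about how a password was generated:

```python
import math
import string

# Character pools a password might be drawn from (sizes: 26, 36, 52, 62, 94).
# Which pool applies is an assumption about how the password was generated.
POOLS = {
    "lowercase": string.ascii_lowercase,
    "lowercase+digits": string.ascii_lowercase + string.digits,
    "mixed case": string.ascii_letters,
    "mixed case+digits": string.ascii_letters + string.digits,
    "all printable": string.ascii_letters + string.digits + string.punctuation,
}


def entropy_bits(length: int, pool_size: int) -> float:
    """Entropy in bits of a password of `length` characters chosen uniformly at random
    from `pool_size` distinct symbols: log2(pool_size ** length)."""
    if length <= 0 or pool_size <= 1:
        raise ValueError("need a positive length and a pool of at least 2 symbols")
    return length * math.log2(pool_size)


def extra_length_to_match(length: int, pool_size: int, target_pool_size: int) -> int:
    """How many characters must be added to a `length`-character password drawn from
    `pool_size` symbols so that it has at least the entropy of a `length`-character
    password drawn from `target_pool_size` symbols."""
    target = entropy_bits(length, target_pool_size)
    n = length
    while entropy_bits(n, pool_size) < target:
        n += 1
    return n - length


def average_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Average time to guess a password of `bits` entropy: half the keyspace is searched
    on average. The guess rate is an assumed figure for an offline attack on a fast,
    unsalted hash; a deliberately slow hash (bcrypt, scrypt) is orders of magnitude lower."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def comparison_table(lengths=(8, 10, 12, 15)) -> list:
    """Rows of (pool name, length, entropy bits, average crack time in days)."""
    rows = []
    for name, pool in POOLS.items():
        for length in lengths:
            bits = entropy_bits(length, len(pool))
            rows.append((name, length, round(bits, 1),
                         round(average_crack_seconds(bits) / 86400, 3)))
    return rows


if __name__ == "__main__":
    for name, length, bits, days in comparison_table():
        print(f"{name:18s} length {length:2d}: {bits:5.1f} bits, ~{days:g} days at 1e10 guesses/s")
    # A mixed-case password two characters longer already matches an 8-character one
    # that also uses digits and symbols.
    print("extra mixed-case characters needed to match 8 chars from all printable:",
          extra_length_to_match(8, len(POOLS["mixed case"]), len(POOLS["all printable"])))
```

Each extra character multiplies the search space by the pool size, whereas widening the pool only multiplies the per-character contribution, which is why a couple of extra letters can replace a whole extra character class. Exactly how many extra characters are needed depends on which two pools you compare, and the figures assume the password really was chosen at random; a dictionary word with a digit on the end has far less entropy than its length suggests.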
Managing your passwords
Using the same user name and password for everything
Just don't. Seriously.
- Pro: Easy to remember.
- Con: If one account is leaked, breached, or otherwise accessed by somebody, they will also have your login details for every other account you use. If you lent somebody your laptop password, for example, and they also knew your email address or the user name you normally use online, they would be able to access your entire online life: read all of your emails, see your private messages on Facebook, steal your identity to post messages, buy things from your store accounts, and so on. Just don't do it.
Remembering each password in your head
If you follow, at the bare minimum, the best practice of having a different password for each online account, and then consider that the average person has 22 online accounts (according to figures in A Large Scale Study of Web Password Habits, published by Microsoft in 2006, so the average is likely higher now, a decade later), remembering each password would be impossible for most people.
- Pro: You are the king/queen of long-term memory. Congratulations.
- Con: It's more likely that you're going to forget most of them after a short period of time. Be ready to have to recreate and recover a lot of accounts in the future!
Using different passwords, but keeping the passwords written in a book or note somewhere
I've also seen people keeping their passwords on a post-it note under their keyboard, written on stickers on their screen etc. I've even quite despairingly witnessed people in businesses with a password text document on their computer's desktop.
- Pro: Easier to keep track of multiple passwords at once.
- Con: If the book is lost or destroyed, you've lost your passwords.
- Con: You will need the book near you whenever you need a password, which might involve moving it to an unsafe environment.
- Con: It's quick and easy to steal a password book. It doesn't even need to be physically removed; somebody could simply flick through it and take photos of each page on a mobile phone while you're out of the room, for example.
- Con: Having a password written down near to where you use it is a lot like having the numbers to open a combination lock engraved on it. It basically undoes the point of having a password in the first place. This is especially true for people that keep text documents on their computer for their passwords, which is extra inviting to less savoury types.
- Con: Handwriting may be an issue. I wish I was kidding, but I've seen this happen first-hand with a customer that kept a password book.
Using a password manager
You can think of a password manager as a sort of digital bank to store your passwords in. There are many password managers available to choose from, each with a slightly different set of features. A password manager can securely take care of your login credentials for each of your accounts so that you don't have to. When visiting a website you want to log into, you enter a master password which unlocks the password manager, and the password manager takes care of the rest. This gives you the convenience of having one password for everything, and a book to store them in, but with a lot less risk involved.
Remember to change your master password if you have even a tiny suspicion that somebody else might have found out what it is. This is one password to rule them all, so make sure it's a very strong one, and treat it like it's precious (if you'll excuse the Lord of the Rings comparison.)
I personally use Bitwarden because it is open source and trusted by various security professionals I follow. Other popular and widely used password managers include 1Password, Dashlane, LastPass, and StickyPassword. Be wary of other less well-known password managers as they may be a scam.
- Pro: Strikes a nice balance between convenience and security.
- Pro: You could take an extreme approach with a password manager, following the ethos that “the only secure password is a password you can't remember”. This is done by using randomly generated passwords chosen by the password manager and not remembering them yourself. With this technique, nobody could even beat the password out of you. I personally do this as I take my (and my customers') security very seriously, but this approach is slightly more cumbersome and probably a bit over the top for most people's needs.
With a lot of password managers you have to entrust your passwords to a third party, which can feel a lot like putting all of your eggs in one basket (and a basket that somebody else is holding for you!). Some of these services have been attacked in the past; however, they are generally very transparent in the rare event of a hack and will tell you immediately if you have been compromised.
You could choose a locally stored password manager as an alternative if you are worried about where your data is kept. Bear in mind, though, that almost all password managers encrypt the data on your local device before it is ever sent outside your network, so if your data were accessed on their servers it would be completely useless to a hacker. As long as you use a secure master password that nobody else discovers, you'll generally be safe.
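The two ideas in this section, generating passwords you never have to remember and a master password that protects everything locally, can be shown in code. The following is an added example of my own, not the code of Bitwarden or any other product mentioned above. It generates random passwords and passphrases with the operating system's CSPRNG, derives a vault key from the master password with scrypt (a deliberately slow, memory-hard function), and stores only a salt and an HMAC “verifier” so that a wrong master password can be rejected without the key ever being written to disk. The header layout, the word list and the master password are constructed for the example; a real password manager would then encrypt each vault entry with an authenticated cipher under the derived key, which is omitted here because the standard library offers none:

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional

# Full printable ASCII pool for generated passwords (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed toy word list for passphrases; a real generator draws from thousands of words.
WORDS = ["anchor", "bramble", "cobalt", "drizzle", "ember", "falcon", "granite", "harbour",
         "ivory", "juniper", "kestrel", "lantern", "meadow", "nimbus", "orchid", "pebble"]


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG (the secrets module), the way a password manager
    generates one. Re-draws until every character class is present so that sites with
    composition rules accept it; each draw itself is uniform over the alphabet."""
    if length < 4:
        raise ValueError("length must be at least 4 to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def generate_passphrase(words: int = 5, separator: str = "-") -> str:
    """Random passphrase: easier to type on a phone than 20 random symbols."""
    return separator.join(secrets.choice(WORDS) for _ in range(words))


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Derive a 256-bit vault key from the master password with scrypt, a memory-hard KDF,
    so that every guess at the master password costs real CPU time and RAM."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def create_vault(master_password: str) -> dict:
    """Header stored alongside the encrypted vault: a random salt plus an HMAC 'verifier'
    that lets the client tell a wrong master password from a corrupted vault. The key
    itself is never stored. (Hypothetical layout, not any particular product's format.)"""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt)
    verifier = hmac.new(key, b"vault-verifier", hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier}


def unlock_vault(master_password: str, header: dict) -> Optional[bytes]:
    """Return the vault key for a correct master password, or None for a wrong one.
    The comparison is constant-time so timing does not leak how many bytes matched."""
    key = derive_vault_key(master_password, header["salt"])
    check = hmac.new(key, b"vault-verifier", hashlib.sha256).digest()
    return key if hmac.compare_digest(check, header["verifier"]) else None


if __name__ == "__main__":
    print("generated password:  ", generate_password())
    print("generated passphrase:", generate_passphrase())
    header = create_vault("correct-master-password")  # constructed example master password
    print("unlock with right password:", unlock_vault("correct-master-password", header) is not None)
    print("unlock with wrong password:", unlock_vault("wrong", header) is not None)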
Use multi-factor authentication (also known as two-factor authentication, 2FA, two-step verification or 2SV). 2FA normally means that you'll receive a code through a text message on your phone (or generate one with a specialised authenticator app) and enter it alongside your username and password, as an extra layer of protection to prove that you are who you say you are when logging in. It adds a bit of extra work to sign into your account, but it also adds an extra mountain for potential hackers to climb in order to access your data. Popular online services that offer 2FA include Facebook, Twitter, Gmail, Dropbox, PSN, Microsoft, and plenty of others. Check the settings page on these apps or websites to see if they offer 2FA; it's well worth it!
Multi-factor authentication can also include biometric identifiers, such as facial recognition, fingerprint readers, and iris scanners, but these bring with them their own set of issues. Unlike a password, biometrics can't be changed. Some biometric identifiers can be relatively easily copied, but for low-risk accounts they may be worth it for their speed and convenience. If used in conjunction with a regular password instead of as a complete replacement, they're a welcome extra hurdle against hackers, and certainly better than having nothing extra at all!
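The codes that a “specialised app” produces are not magic: they are computed from a secret shared at enrolment and the current time, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The example below is added here and is not from the article or any particular authenticator app. It implements both sides of the exchange: the app's code generation and the server's check, which tolerates one step of clock drift and refuses a code that has already been accepted for that account, so a code that was phished or copied cannot be used a second time. The `last_accepted` bookkeeping and the `window` of one step are design choices of this example:

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 parameters used by almost every authenticator app.
STEP_SECONDS = 30
DIGITS = 6


def new_shared_secret(num_bytes: int = 20) -> str:
    """Random secret for enrolment, base32-encoded as it appears in the otpauth QR code."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
    to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238) is HOTP with the counter set to the number of time steps since the epoch."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, now: int, last_accepted: Optional[int] = None,
                window: int = 1, step: int = STEP_SECONDS, digits: int = DIGITS) -> Optional[int]:
    """Server-side check. Returns the time-step counter the code matched, or None.
    `window` tolerates clock drift of +/- one step; `last_accepted` is the counter of the
    last code this account used, so an already-accepted code is refused (no replay)."""
    current = now // step
    for counter in range(current - window, current + window + 1):
        if last_accepted is not None and counter <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    secret = base64.b32decode(new_shared_secret())   # what the QR code hands to the app
    now = int(time.time())
    code = totp(secret, now)                         # what the app displays
    print("current code:", code)
    print("accepted:", verify_totp(secret, code, now) is not None)
    print("replayed code accepted:",
          verify_totp(secret, code, now, last_accepted=now // STEP_SECONDS) is not None)
```

The server must persist the counter it last accepted for each account; without that, the 30-second window is exactly the time an attacker who has just seen your code has to reuse it. SMS codes work differently (the server generates a random code and sends it), which is one reason an authenticator app is the stronger of the two options the paragraph mentions.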
Don't log into public or shared computers. It's not worth the risk when they may, even unknowingly, have keyloggers (hidden programs that record keyboard presses) or something similar installed. If you absolutely have to use another person's computer to sign in, use the private browsing mode as a precaution. That way, at least your password and visited websites aren't as easy to retrieve from most healthy systems.
Don't log into your accounts using public Wi-Fi hotspots. It's surprisingly easy to spoof a lot of public Wi-Fi hotspots, or to extract data from them, so it's really not worth the risk in most cases. If a hacker is smart about it, this can be done completely transparently without any indication that it's even happening. No amount of antivirus in the world can protect you from these types of attack.
A precaution you can try is visiting websites where the connection is encrypted, such as websites where the address starts with https and has a green lock in the address bar. It's a little more complex than that, but that's a whole other article entirely. You can also try connecting to public hotspots through a VPN (virtual private network) as an extra layer of protection, which I would generally recommend if you use public hotspots a lot.
Lock your screen when you leave your computer in a public or shared space, even if it's just to go make a coffee. It only takes a few moments to extract data from an unlocked computer or mobile phone. Holding the Windows and L keys together on your keyboard will lock most computers. Normally, a quick press on the power button will lock your phone.
Use fake answers to security questions to avoid social engineering attacks. These security questions exist to recover your account if you forget your password, but can just as easily be used by other people. If somebody really wants to access your account, they might find ways to research this information or coax the answers from you or other people that know you. Just make sure to remember your fake answers… You get bonus tin foil hat points for using different fake answers for different sites! A useful trick is to use your password manager to store the fake security answers too. Generally, you can use them for any sensitive authentication information.
Make sure there's no malware on your computer. Some malicious software is designed to extract passwords from your system either by extracting them directly from your browsers, or by using keyloggers and all kinds of other weird and wonderful techniques. By keeping the general health of your computer in a good condition, you're less likely to suffer this kind of attack.
Don't use your browser's default password manager. These are targeted by some malware, and surprisingly easy to break into in most cases. While extremely convenient, if you want to take your security up a level, it's worth considering abandoning them. You can clear the remembered passwords from your browser in its settings if you want to start this habit, or if you accidentally ask it to remember a password. You can also disable the feature entirely in most browsers.
Change the default password on your devices. If somebody knows what the default password is for one of your devices (your router, CCTV system etc), using the password that it came with is effectively the same as using no password at all and leaves it very easy to bypass.
Extra tips for mobile users
Use a passcode longer than 4 digits. The longer the passcode, the harder it is to guess, or for people looking over your shoulder to remember… And for goodness' sake, don't use your bank PIN or birthday as your passcode.
Disable the visible lines on pattern lock screens. Pattern unlocking is the square grid of (normally nine) dots that some people use to unlock their phones. The lines your finger draws as you trace the pattern can easily be watched by people “shoulder surfing”. Disabling them in your phone's settings makes the pattern harder to copy. It also might be a good idea to increase the size of the grid, if your phone allows it.
Rub the fingerprints from your phone each time you use it. If you're the kind of person that is extra paranoid about security, you should be aware that people can in some cases guess your passcode or pattern password from the marks that your fingers leave on the touchscreen. A bit over the top you might think, but worth considering for completeness' sake.
Your bank and e-mail host aren't going to let hackers make a million guesses at your password, of course, but some websites might, and that might just be the weak link that leads hackers to gaining access to more sensitive accounts. When it comes to your online security, risks are really not worth taking; you probably have a lot more to lose than you think.
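What “not letting hackers make a million guesses” looks like on the server side is a throttle on failed logins. The following is an added example of my own (not code from any site named in this article) of a per-account throttle with exponential back-off: a handful of free attempts, then a lockout that doubles on each further failure up to a ceiling, cleared by a successful login. Keying the throttle on the account rather than only on the client's IP address is what stops an attacker who rotates addresses from walking through a whole guess list. The account name, password and timings are constructed for the example:

```python
from typing import Dict, Tuple


class LoginThrottle:
    """Per-account login throttle with exponential back-off.

    After `free_attempts` consecutive failures the account is locked for `base_delay`
    seconds, doubling on each further failure up to `max_delay`. A successful login
    clears the counter. Timestamps are passed in so the logic is testable offline.
    """

    def __init__(self, free_attempts: int = 5, base_delay: float = 30.0,
                 max_delay: float = 3600.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        # account -> (consecutive failures, lockout expiry timestamp)
        self._state: Dict[str, Tuple[int, float]] = {}

    def seconds_until_allowed(self, account: str, now: float) -> float:
        """0.0 if an attempt may be processed now, else the remaining lockout time."""
        _, locked_until = self._state.get(account, (0, 0.0))
        return max(0.0, locked_until - now)

    def record_failure(self, account: str, now: float) -> float:
        """Register a failed attempt; returns the lockout applied (0.0 while still within
        the free attempts)."""
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        if failures <= self.free_attempts:
            self._state[account] = (failures, 0.0)
            return 0.0
        exponent = failures - self.free_attempts - 1
        delay = min(self.base_delay * (2 ** exponent), self.max_delay)
        self._state[account] = (failures, now + delay)
        return delay

    def record_success(self, account: str) -> None:
        """A successful login clears the failure history for the account."""
        self._state.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password: str, now: float) -> str:
    """Constructed stand-in for a login handler; returns 'locked', 'ok' or 'denied'.
    Locked attempts are rejected before the password is even checked."""
    if throttle.seconds_until_allowed(account, now) > 0:
        return "locked"
    # Constructed credential store with a single account. Real code compares against
    # a slow, salted password hash rather than a plaintext string.
    if account == "alice" and password == "correct-horse":
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "denied"


if __name__ == "__main__":
    throttle = LoginThrottle(free_attempts=3, base_delay=10.0, max_delay=40.0)
    clock = 0.0
    for attempt in range(8):
        result = attempt_login(throttle, "alice", "guess%d" % attempt, clock)
        wait = throttle.seconds_until_allowed("alice", clock)
        print(f"t={clock:5.0f}s attempt {attempt + 1}: {result}, locked for {wait:g}s")
        clock += wait or 1.0
    print("correct password after lockout expires:",
          attempt_login(throttle, "alice", "correct-horse", clock))
```

The trade-off a site has to make is that an attacker who knows your user name can deliberately trip the lockout and keep you out of your own account; that is why real deployments combine a modest per-account lockout with per-source rate limits, CAPTCHAs or 2FA rather than relying on one hard limit, and it is the server-side echo of the advice below about not locking yourself out.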
Making your digital life as secure as possible can be a fun challenge for some people (or a pain in the arse for others), but either way it is incredibly important. Just make sure that, whichever methods you choose to protect yourself, you don't get locked out of your own accounts!
Hopefully you've learned some new tricks here, and found my collection of tips a helpful starting point! Password security is only a small part of an overall secure system, so of course please get in touch if you'd like further advice on securing other aspects of your cyber security. This has only been a quick and brief article (honest!) on the topic of password security. There are many books, papers and other articles online from which you can read deeper into the topic if you wish to do so, but please be sure of their credibility and that they are still relevant to today's digital world.
Written by James Allen, September 2016. Last updated January 2017.