How do you select and protect a secure password?
By: Robert Adams
Date: April 17, 2017
As consultants, it is our duty to get people in the habit of thinking about the security of their own personal information. Several things begin to happen when people take the security of their information seriously. First, they are less likely to become a victim of identity theft, having their bank accounts drained, losing access to all their online accounts, or something much worse. Second, they bring those newly formed habits and experiences with them to work thereby helping RobbLAW secure the organization. Everybody wins – except the attackers!
Selecting a secure password is important; selecting a secure passphrase is even better. “Passphrase” is a newer term that is being used more and more often. It is replacing the word “Password” because the notion that a single word is strong enough to protect access to an account is no longer true. Instead, you need to use a more secure “Passphrase.” This is just the world we live in now – welcome to the modern age of the Internet!
To help everyone better protect the security of their accounts, here are some tips for selecting a secure passphrase, and before everyone starts complaining about them, think about the information at risk. We are talking about protecting your identity, your financial security, your money, your safety, your property, your investments, your files, documents, and photographs. Most importantly, we are talking about protecting the peace of mind that comes from knowing you are not a victim. We are also talking about protecting your spouse, children, friends, family, and everyone else you love and care about.
An attacker does not care who you are or what they are taking. Whether it is the last $20 in your account that you need for food or your identity used to take out a second mortgage on your house, it is money in their pocket; they do not care where it comes from or who gets hurt along the way as long as they get paid.
Remember always – this is what is at stake, and, YES, it is worth the hassle of following these six tips to protect it.
Select a 16-character or longer passphrase with complexity.
There are several ways to select a passphrase that long. For the more advanced user, there are password generation apps that will automatically generate a strong, complex passphrase of sufficient length; then all you do is copy and paste. For the less technical user, use one of the following two recommended methods. First, select four random, independent words. The key in selecting them is that there cannot be any connection between them. For example, the passphrase “nannytentearringscheeto” is four separate, independent words: Nanny, Tent, Earrings, and Cheeto. There is no connection between them, which is why that passphrase is considered more secure than one that forms a complete sentence, even though both are made up of words. “nannytentearringscheeto” is considered more secure than the passphrase “ilovemydogmaverick” because the words I, love, my, dog, and Maverick form a full, complete sentence. There is a connection between those words, and attackers can anticipate that when attempting to crack your password. (Any example passphrase that has been published, including the ones here, should not itself be used.)
Complexity simply means including upper- and lower-case characters, numerals, and symbols as part of your passphrase. Keep in mind that anything you can think of, attackers can think of too. They know that people commonly replace “a” with “@” or “s” with “$”. The symbols should not replace letters in your passphrase. Instead, they should supplement the words being used: place them at the beginning, at the end, or in the middle of words to break them up and confuse attackers.
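To make the two rules above concrete, here is a small Python generator and checker. It is an added example written for this page, not code from RobbLAW or from any password app. It picks independent words with the operating system's cryptographic random source, inserts a symbol and a digit between words rather than swapping letters, capitalises one word, and reports how many bits of entropy the word choices alone contribute. The sixteen-word list is a constructed stand-in; a real generator needs a list of several thousand words.

```python
import math
import secrets
import string

# Constructed sample wordlist for the example. A real generator draws from a
# list of several thousand words so that four picks carry enough entropy.
SAMPLE_WORDS = [
    "nanny", "tent", "earrings", "cheeto", "marble", "canyon", "pilot",
    "saddle", "lantern", "orbit", "velvet", "quartz", "harbor", "fiddle",
    "meadow", "copper",
]

# Symbols used as separators between words (never as letter substitutes).
SYMBOLS = "!#%&*+-=?@^_"


def generate_passphrase(wordlist, n_words=4, rng=secrets):
    """Pick n_words independent words at random and join them with a
    random symbol+digit separator, capitalising one word, so the
    complexity characters break the words up instead of replacing letters.
    rng defaults to the secrets module (CSPRNG); anything with .choice() works."""
    words = [rng.choice(wordlist) for _ in range(n_words)]
    cap = rng.choice(range(n_words))
    words[cap] = words[cap].capitalize()
    parts = []
    for i, word in enumerate(words):
        parts.append(word)
        if i < n_words - 1:
            parts.append(rng.choice(SYMBOLS) + rng.choice(string.digits))
    return "".join(parts)


def word_entropy_bits(wordlist_size, n_words=4):
    """Entropy contributed by the word choices alone: log2 of the number of
    equally likely word combinations. Separators and capitalisation add a
    little more, but the wordlist size is what matters."""
    return n_words * math.log2(wordlist_size)


def check_complexity(passphrase, min_length=16):
    """Return the rules the passphrase fails (an empty list means it passes
    the article's length-and-complexity rules)."""
    failures = []
    if len(passphrase) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in passphrase):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in passphrase):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in passphrase):
        failures.append("no digit")
    if not any(c in string.punctuation for c in passphrase):
        failures.append("no symbol")
    return failures


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS)
    print(phrase, check_complexity(phrase))
    print(f"{word_entropy_bits(7776):.1f} bits from four words off a 7776-word list")
```

Running the checker on the article's own “nannytentearringscheeto” shows why the complexity rule exists: the four words are independent, but the phrase has no upper-case letter, digit, or symbol. Four words drawn from a 7776-word list give roughly 51.7 bits from the words alone, which is why the size of the list matters more than clever letter substitutions.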
Never use information that can be easily researched in your passphrase.
A lot of people are guilty of this and they may not even know they are doing it. In today’s world of social media, people love sharing information about their life online. Almost everyone has at least one social media account with at least one post weekly if not more. People love sharing things about themselves, but if an attacker can go to your Facebook page and see that you are posting pictures of your dog Maverick, now they know something about you that they can use against you to crack your password. If an attacker can go to your Instagram page, for example, and see that you are posting pictures of your birthday party last weekend, now they have an idea of when your birthday is so they can use that against you to crack your password. Some social media sites, like Facebook, even post a timeline event telling people it is your birthday automatically.
We are not suggesting that you should not post that kind of sensitive information about yourself if you are comfortable doing so. Instead, we are saying that if you do choose to post it, then that information should not be a part of your passphrase.
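A practical way to apply this tip is to screen a candidate passphrase against the facts a stranger could collect from your public profiles. The following Python screener is an added example for this page, not RobbLAW's tool. It lower-cases the candidate, undoes the common symbol-for-letter swaps the article mentions so that “M@v3r1ck” is caught as “maverick”, and looks for a known date in several digit layouts. The profile terms, the date, and the substitution table are constructed for the example.

```python
import re

# Symbol-for-letter swaps the article says attackers already expect
# (constructed subset; extend as needed).
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                          "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(text):
    """Lower-case the text and undo common substitutions so that
    'M@v3r1ck' is compared as 'maverick'."""
    return text.lower().translate(LEET_MAP)


def date_forms(year, month, day):
    """Digit layouts an attacker would try for a known date (constructed set)."""
    yy = f"{year % 100:02d}"
    return {
        f"{month:02d}{day:02d}{year}", f"{month:02d}{day:02d}{yy}",
        f"{day:02d}{month:02d}{year}", f"{year}{month:02d}{day:02d}",
        f"{month}{day}{yy}", f"{month:02d}{day:02d}", str(year),
    }


def find_researchable_terms(passphrase, personal_terms, dates=()):
    """Return the personal terms (pet names, family names, places) and
    dates that occur inside the passphrase after normalization.
    An empty list means none of the supplied facts was found."""
    norm = normalize(passphrase)
    digits = re.sub(r"\D", "", passphrase)   # date check uses the raw digits
    hits = []
    for term in personal_terms:
        t = normalize(term)
        if len(t) >= 3 and t in norm:
            hits.append(term)
    for year, month, day in dates:
        if any(form in digits for form in date_forms(year, month, day)):
            hits.append(f"date {year:04d}-{month:02d}-{day:02d}")
    return hits


if __name__ == "__main__":
    # Constructed profile of what a social-media page might reveal.
    profile_terms = ["Maverick", "Robert", "Seattle"]
    profile_dates = [(1985, 4, 17)]
    for candidate in ("M@v3r1ck2017!", "Robert0417", "Nanny!3tent?7Earrings+9cheeto"):
        found = find_researchable_terms(candidate, profile_terms, profile_dates)
        print(candidate, "->", found or "clean")
```

The screener is deliberately conservative: a four-digit year appearing anywhere in the digits counts as a hit, because an attacker trying birthdays will try that layout too. A passphrase built from unrelated words with symbols between them comes back clean.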
Never use the same passphrase on more than one site.
Each account you access should be secured with a separate and unique passphrase. This protects all of your accounts and even your entire digital life. If one of your passwords were to become compromised, then every account that uses the same password has also been compromised. This means you could have just compromised your entire digital life and recovering from that is nearly impossible.
Think about what happens when you click on the “Forgot Your Password” link. Most websites email you a link to reset your password; however, if you are now locked out of your email account, along with all your other accounts because they share the same password, you may or may not be able to recover access to those accounts.
You can avoid compromising your entire digital life by using a separate and unique passphrase for each account. If every account has a different passphrase, then if one is compromised, you have not compromised your entire digital life. It is easier to reset one passphrase to regain control of that one account than it is to regain control of your entire digital life.
Never write your passphrase down or save it to a file on your computer.
This should go without saying, but people still love to write their password down on a piece of paper and leave it near the computer. What good does it do to secure your computer with a password if you leave it next to the computer? That is like leaving the keys to your car on the ground under the driver’s door; you are just asking someone to steal it. That is what you are doing when you write your password down, and, believe it or not, the same is also true for saving your password in a Word or Notepad file.
Instead of writing your password down or saving it in a file on your computer, there are a couple of options to securely store your password. First, use a password vault to store all your usernames and passwords in an encrypted database saved to your phone. All you have to remember is how to unlock your phone with your passcode or thumbprint and the master vault password, which can also be your thumbprint.
The second option is to intentionally forget your passphrase. Start by setting a secure passphrase. Those that you use often, at least daily if not more, you will remember because you use them so frequently. Those that you use less often will probably be forgotten, but that is okay: because it is a secure passphrase that you did not write down anywhere, your account is still relatively secure. When you need to access that account, click on the “Forgot Your Password” link and reset your password. You will get into your account and probably forget the passphrase again by the next time you need it, and you will repeat that process each time. For less frequently used accounts, you will probably never remember the passphrase, and, again, that is okay, because the account itself is still relatively secure: you did not compromise the passphrase by writing it down or saving it to a file somewhere.
Never give your password to anyone.
If you were walking down the street and someone stopped to ask you for your password, would you give it to them? Hopefully, your answer is “no.” After all, no is the only correct answer. If anyone asks for your password, you should always say no; however, it is extremely easy to get tricked into giving someone your password.
There is an entire science behind tricking people into revealing information they would not otherwise naturally divulge. It is called Social Engineering and it is commonly used by attackers to get someone’s password. Because of Social Engineering, it is possible for someone to trick you into giving them your password and attackers are so good at it that you may not even know you have been tricked until it is too late.
It is frightening how effective Social Engineering is at getting people’s passwords, so how do you protect yourself? First, be aware of what your passphrases are made up of and never use information that can be easily researched. Second, be aware of who you are talking to and the type of information you are feeding them. Remember, not even a law enforcement officer can make you talk if you choose to remain silent, so you always have the option to say nothing to anyone.
Enroll in two-factor authentication.
Two-Factor Authentication, or 2FA, helps to protect the security of your account because it requires a second method of proving your identity instead of relying on your password alone. This is where you typically receive a text message with a 6- to 8-digit number that you have to enter on the website to verify your identity before being logged into the site.
Many commercial websites now offer 2FA services including online banking websites, Amazon, Facebook, Google, Yahoo, and many others. You need to manually enroll in 2FA on each of those sites because it involves configuring it to send you a text message or telephone call. It usually only takes a minute to complete and the only cost is for each incoming text message or call.
Many people consider it a hassle to have to get the code and enter it each time they log in; however, that one time you get a code at 2 a.m. while you are sleeping, you will know someone is out there attempting to access your account. When you wake up and see that code, you will be able to immediately call that company and suspend your account. If you were not enrolled in 2FA and someone was attempting to hack your account, you may not find out until it is too late.
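For readers who want to see what the website is doing with that texted code, here is the server side of the exchange in Python. It is an added illustration for this page, not the implementation used by any of the companies named above. The site generates a random numeric code for the login attempt, sends it over the out-of-band channel (returned here so the example runs offline), and accepts it only once, only before it expires, and only within a limited number of guesses, comparing in constant time. The six-digit length, five-minute lifetime, and five-attempt limit are assumptions chosen for the example; the clock is injectable so the expiry path can be exercised.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumption: six-digit codes, within the 6-8 range the article describes
CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumption: discard the code after five wrong guesses


class OneTimeCodeStore:
    """Server-side half of an SMS/phone-call second factor: issue a random,
    short-lived numeric code per login attempt and verify it exactly once."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # username -> [code, expires_at, attempts_left]

    def issue(self, username):
        """Generate a fresh code for this login. The caller delivers it over
        the out-of-band channel; any earlier code for the user is replaced."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = [code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, username, submitted):
        """Return True only for the correct, unexpired code. The code is
        consumed on success, on expiry, and when the attempts run out, so a
        captured or guessed code cannot be replayed later."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, expires_at, _attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[username]
            return False
        # Constant-time comparison so response timing does not reveal
        # how many leading digits of a guess were right.
        if hmac.compare_digest(code, str(submitted)):
            del self._pending[username]
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[username]
        return False


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")
    print("code sent out of band:", code)
    print("wrong guess accepted?", store.verify("alice", "000000"))
    print("correct code accepted?", store.verify("alice", code))
    print("replay accepted?", store.verify("alice", code))
```

The three properties worth checking in any such implementation are the ones the tests below exercise: a code cannot be reused after a successful login, it stops working after its lifetime, and repeated wrong guesses invalidate it rather than letting an attacker walk through all one million possibilities.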
If you ever have any questions about the security of your accounts or any of the tips above, RobbLAW is here to help. Contact us.