There was a time when someone had to come to your house to rob you, or find you on a sidestreet when no one was looking. Now, someone can steal your money, your identity, and more, all from the safety of an anonymized connection anywhere in the world.
Rules for online security that worked a few years ago simply do not work anymore, though, and staying with the times is important. I’m going to walk you through some important, easy — if occasionally super annoying — steps to take control of your personal security online. We’ll walk through some caveats, things you and I have no control over, then head into how to make a good password, how to keep track of your passwords, and how to make your accounts more secure when possible with things like Two-Factor Authentication.
Everything can be hacked
Let’s say you have a bike, and you don’t want to see it stolen. There are a number of measures you can take. You could leave it laying against a tree outside your house. You could wrap a cheap chain around it. You could get a Kryptonite U-lock.
The thing is, someone can always steal it. It’s just a matter of how badly they want it. They could just steal the whole bike rack. They could use a jackhammer to pull the rack out of the concrete it’s embedded in. The only way to not have your bike stolen is to not have a bike.
The same goes for houses, cars, and passwords. But just like you need a place to live, it’s all but impossible to avoid getting online to some degree. It’s never the victim’s fault for being victimized, but you can protect yourself.
Every measure you can take can theoretically be hacked, but the more difficult you make it, the less likely such a scenario is. Just because something isn’t perfect doesn’t mean it’s not worth doing.
When, not if
The frequency with which sites are hacked and password databases are leaked these days means that it’s not a matter of if one of your passwords is exposed, it’s a matter of when. That inevitability makes all of this much more important.
You can only secure yourself
That’s good life advice, but it’s pertinent here, too. Some sites use inexcusably terrible security. Sometimes those sites are ones you want to use or, worse, can’t avoid using. Those sites are all the more reason to improve and increase your personal security. You can only make yourself safer – you can’t force some random site or your employer or whoever else to switch away from less secure encryption.
In summation: everything can and will be hacked, and half the world is using outdated security. Alright, let’s all set our passwords to password1 and just await the coming apocalypse.
Or maybe we can do something about it.
Use strong passwords
Using strong passwords is the first and most important step to this. While some experts believe we might live in a passwordless future sometime soon, password and security expert Mark Burnett disagrees.
“Passwords will never go away,” he told me via email. “We will always need that secret that only we know. But what will change is our dependence on passwords as our only defense.”
The thing is, what made a strong password a few years ago doesn’t work anymore. It used to be “hard to guess, easy to remember.” The problem is, nobody guesses passwords anymore. Instead, they’re stolen en masse, leaked, and then compiled into huge password dictionaries to be used by those who want to rip you off.
In the video below, which our own Joey Davidson picked up on recently, computer scientist Dr. Mike Pound demonstrates in great (if somewhat meandering) detail how this all works.
Nobody sits at a terminal trying to guess your password.
When you create a password, the server you’re storing it on — if it was put together by anyone remotely competent — runs the password you’ve put in through an algorithm that generates a complex string of characters to represent that password. Typing in “password” might end up as “$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/” on the server. The hash is easy to create, but difficult to reverse. It’ll also do what’s called adding salt to the password. The same way you add salt to your eggs to spice them up, site add something extra — a randomly generated or secret string — to passwords to make sure they’re not the same as what you’d see in a list of passwords. A randomly generated salt also means that when two people use the same password, their entries in the database aren’t the same. Salting and hashing passwords not only sounds delicious, but it makes them more secure as well.
When a company says they don’t store your passwords, they’re telling the truth. They store this scrambled data string instead. When you submit your password, it re-generates it and checks to see if those scrambled strings match up; your original password is never stored anywhere.
If a server is compromised and a database of hashed passwords is leaked, a hacker will then run what’s called a dictionary attack on these hashes – there are other attacks as well, but this is a common, easy, and powerful one. In a dictionary attack, the tool the hacker is using generates passwords using a dictionary of known passwords, generates the matching hash, and compares it to yours. If they match, then they’ve figured out your password.
A computer outfitted with an off-the-shelf graphics card can perform billions of such comparisons per second. The shorter and less complex the password, the easier the dictionary attack is and the less time it takes to find a match.
As Pound demonstrates in his video, shorter passwords can be cracked in seconds. if not microseconds.
A common piece of password advice is, “Don’t use any personal information in a password.” Even in this day and age, it’s still good advice — not just because it makes your password harder to guess, but because it helps keep your (cracked) password from appearing in a dictionary. And once a password appears in a dictionary, it’s fair game for an automated dictionary attack, and thus less useful.
If your password is MinnesotaTwins1991, it’ll pop up in a dictionary at some point, as the above video demonstrates. Even if, at 17 characters, it’s a pretty long password, it’s made of exactly the sort of passwords that pop up in these databases.
So, how do you make a good password? This is where things get kind of miserable, but stick with me and we’ll get to some great tools that make the process nearly painless.
- Don’t reuse passwords. “Using easy-to-crack passwords and then re-using those week passwords on all of their accounts” is one of the most common ways people leave their accounts exposed online, according to LastPass vice president Joe Siegrist. “It’s all too easy for your one password to fall into the wrong hands.” If you use unique passwords for each account and one is compromised, you only have to reset one password – not 10 or, worse, 45.
- Use lower case, upper case, numbers, and, if possible, special characters. Not all sites allow all of these, but the more, the better.
- Make your password as long as the site in question will allow. If you’re using randomized passwords, a 64 character random password would take long enough to break that it might as well be uncrackable. It won’t appear in dictionaries, and is all but impossible to brute force. Seigrist recommended at least 20 characters when we spoke via e-mail.
- Don’t use l33t sp34k. Dictionary attacks know how to compensate for that. The increased character space is good, but it doesn’t do as much to make it more secure as you might hope.
- Use randomly generated passwords. The chances they’ll appear in dictionaries is low and gets lower with more characters.
- Don’t use words found in the dictionary if you can avoid it.
Just one, but it’s a good one
If you’re taking full advantage of the password managers we’ll get into below, you’ve set all your passwords to long, random, and nigh uncrackable strings, each different from the last. You now have just one password to rule them all. It needs to be a good one, and it needs to be memorable, so the long random string is out of the question.
Two great starting points are Randall Munroe’s comic XKCD and his take on the subject, and the follow-up video from Dr. Mike Pound about building good passwords.
All the rules from above apply to this, but building a memorable password that is also secure requires us to bend those rules a bit. The password still has to be long, and it still has to be tough to break with a dictionary attack. A phrase made up of multiple words is a good starting point. If you make sure to get a number, some randomly placed punctuation, and an uncommon word in there, you end up with a password that’s easy to remember, easy to type, but still secure.
Password managers generally allow as many characters as you can think of for their password schemes, so you can go wild and come up with a unique sentence.
2 Honey badgers f%ught over the zebra’s hat. Otters pro_bably like cotton candy.
I’m not kidding; get as weird as you possibly can. Use words from other languages or words you made up as a kid. Anything that has meaning to you that doesn’t have meaning to anyone else can help!
Use Two-Factor Authentication whenever possible
The philosophy for best passwords right now is that they should consist of “something you know, and something you have.” That’s called Two-Factor Authentication, or 2FA for short, also called multi-factor authentication by some. This is where that lessening dependence Burnett mentioned comes in; he said that authentication “utilizing mobile devices, fingerprints, and one-time codes will greatly minimize the problems of weak passwords.”
You can see big sites like Google strongly suggesting options like these to users, with the most common option for 2FA being a text message. At login, Google sends you a text message with a short number that you’ll punch in in response to prove that you’re you.
These options, again, aren’t perfect. In that nightmare scenario where you’re in an episode of Mr. Robot and someone is targeting you – yes, you – and they’ve stolen your cellphone or something like that, they they have the ‘something you have.’ But in real world scenarios, 2FA massively increases security for the vast majority of scenarios. In fact, the National Institute of Standards and Technology is beginning to recommend that SMS-based 2FA be phased out in favor of push authentication, cryptographic authentication, and biometrics.
If your bank’s password database leaked, the 2FA you turned on will ensure that you retain access to your account until you can get in and change that password (and any other duplicates you hopefully had already gotten rid of by this point). It also means that you get a notification when someone tries to access your account, so you can take action proactively.
2FA is getting better and more common all the time, too. Microsoft, Google, and others use push notifications that allow you to simply click Yes on your cellphone instead of having to read and punch in a six digit number that’s going to time out in 10 seconds.
And if you don’t like text messages, many sites have Authenticator servers. Using a mobile app like Authy or Duo, you simply open the application, punch in the PIN you set (this is optional, but recommended), and click on the icon for Amazon or Google. You’ll get the six digit number which you can then even copy and paste into the other app.
The phone itself provides another layer of security, too. Even if someone stole your phone, they’d have to get past your lock screen security, like a fingerprint or pattern, and then figure out your pin. At this point, they’re going to realize they have juicier targets to go after. Unless you’re at the center of some vast, international conspiracy or something. But then, you’re probably two steps ahead of all this anyway in that case.
Similarly, Google and some other sites allow you to use one or more USB keys as a way to authenticate, removing the need for a phone and the required cellular connection entirely. If you prefer an even more analog option, you can even print out a set of one-time-use codes to store in your wallet.
As a matter of personal preference, I use the option offered by apps like Authy that allows me to generate a number when I’m ready rather than having to wait for it, but even with the delay of waiting on a text, the extra security is worth it – especially on sites that store information like your home address and credit card number.
Siegrist, who recommended the LastPass Authenticator, said that 2FA is “something most people have heard of, but not enough of us are actually using.” Simply activating it puts you a huge leap above everyone else.
Your mother’s maiden name and the street you grew up on
Another way to protect yourself is to put false info into a site’s security question fields. Those password managers will get into in a moment can store these false answers easily, and they’re much harder to pull up through social media.
It’s unlikely that you’ll be individually targeted, but as outlined by security expert Brian Krebs last year, any “static identifiers” on your account are potential in-roads for further access. Static identifiers are pieces of information about you that won’t change or don’t change easily; your social security number, your date of birth, and your address are three such identifiers.
While many companies depend on those static identifiers for account recovery, you don’t need to give them any more than the ones they already use.
We can manage all these passwords
The toughest part of converting from using passwords you know to randomized passwords is that, unless you’re Rain Man, these are not passwords you remember. Instead, a password manager becomes necessary.
Before we talk about password managers, I want to hit on one of the big arguments often presented against password management software. In essence, you’re keeping your passwords all in one place. If someone got that password, they’d have all of them! And, indeed, if someone were targeting you in particular, that’s possible. But the vast majority of password compromises are not targeted attacks, where someone goes after you specifically. Rather, they’re attacks of opportunity – the leaked databases we talked about above.
The benefit though, as noted above, is that you can use different passwords for every site without developing chronic headaches. If one site is compromised, only one password has to be changed.
While there is the theoretical weakness of having your passwords all stored in one place, the strength of unique, strong passwords is going to apply far more frequently and protect you in far more situations.
There are other benefits, too. Some managers let you store your database online, and you can even incorporate things like photos of your insurance cards and ID for reference later. Many offer two factor authentication to access the database. Automatic password capturing, syncing, and updating are frequent features as well, and many have mobile apps.
There are too many to go over in detail here, and different users will have different needs. KeePass is free, open source, and offline. Services like LastPass have free options as well, but operate out of online databases and browser extensions. They have more user-friendly autofill functions than KeePass, and are even able to do things like automatically log into sites and update passwords for you – depending on the site. LastPass is free to use, and the yearly subscription gives you access to the mobile app, and it’s only $12 a year. Options like DashLane, 1Password, and RoboForm each have their own slightly different feature sets as well, and are worth checking out in your quest for the right option.
There’s a tradeoff with using a service like LastPass, as opposed to a standalone program like KeePass. If you use a service, you’re entirely at the mercy of that service. (What happens if they get sold?) It’s also something of a black box, in that you don’t really know how your data is protected. An open source application like KeePass is beholden to no one, and it’s possible to know the way it stores and protects data by auditing the source code.
No matter which manager you use, it should be something that is getting tested by other people. True security requires people testing the security. KeePass allows public auditing of its code through open source licensing, and LastPass has been transparent and proactive about inevitable security issues that have come up.
One feature that helped push me toward LastPass was their Security Challenge feature, which shows you how many re-used passwords you have, how often you’re reusing them, and how weak or strong they are. While Seigrist wasn’t able to provide specifics about how the feature has improved security for his userbase, he highlighted exactly what I love about it: “You get the satisfaction of seeing your [Security Challenge] score climb toward 100.”
I’m a gamer, and the score and ranking definitely triggered my desire to improve.
For most people, the convenience of a service is going to far outweigh the potential problems of relying on one.
Be careful with shady browsing and clicking
I’m not going to ask you where you go or why, and I’m not going to judge you, but sometimes you want to go looking for something that brings you to the shadier side of the internet, where ads go from simply annoying to actively dangerous.
This is where “everything can be hacked” comes back into play. When electronic security methods prove tight enough, social engineering is the next step for hackers, such as getting you to click on tempting or confusing links. If you pick up a trojan because someone promised you a free Starbucks giftcard, or you clicked on those pictures from your brother (that weren’t pictures, and weren’t from your brother), and get infected, then all the strong passwords and 2FA in the world won’t help you.
Those who create these targeted attacks are getting better and better at making their emails look real, and something that triggers an emotional response, like an email from your kid’s school’s principal is going to have many people clicking before they think about it.
Be suspicious and be careful. For many of us, this is common sense, but it bears repeating because it’s easy to get lazy.
If you aren’t 100% sure you can stay away from the shady places, get an antivirus suite. Many of them have gotten much better over the years. Consider using an email solution like Gmail instead of a self-hosted solution, as they’ll tend to do a better job of filtering out phishing emails which are getting frighteningly good in some cases and malicious attachments. For every email from a Nigerian Prince, there’s one that looks almost exactly like an email from your bank.
Another trick that is helpful is to use the “private browsing” mode on your browser. Everything that takes place within a private browsing session is discarded when you close that browser. This reduces the chances of anything from one of those sessions being put into the browser’s persistent storage, and thus gives attackers that much less information about your behavior that can be used against you.
If you need to supply an email address for a site that you’re not confident about, use a throwaway address. It’s easier than ever to get one now. Services like ThrowAwayMail.com provide this at no or little cost.
In general, don’t give information when you’re asked for it – go put it in yourself. Log into your bank site via your usual bookmark instead of clicking on the link that was sent to you.
With these tools at hand, and a bit of grunt work getting your passwords in line, you’ll end up far more secure than when you started. If you’re already taking these steps, what password managers and authenticator apps are you using? Jump in the comments to let us know and let us know what measures you’re taking to stay safe and secure online.