
The first rule of passwords: How to protect yourself online

Having a strong password isn't as tough as you might think, and possibly more important than you ever dreamed.

Some arguments are universal. Disagreements over which way to hang the toilet paper (over, not under), the superior pet (dogs, not cats), or who would win a battle of pirates vs. ninjas (ARRR!) generally spark heated debate from both camps.

Differences aside, there’s one thing that is widely agreed upon: passwords are a thorn in the side, a pebble in the shoe, and a pain in the butt.

It’s a well-known truth that good password hygiene is a hassle. We know that our passwords have to be complex, often long, and (we’re told) frequently changed, though current guidance favours changing a password only when there’s reason to think it has been exposed. Meanwhile we’re forgetful, time-poor, and surprisingly nonchalant about the whole thing.

After all, your password is the gatekeeper to your digital identity – unlocking the virtual front door to your online world of banking, shopping, dating, and communication.

And while we all know that a strong password is a good password, last year’s top offenders (“123456”, “password”, and “qwerty”) are the electronic equivalent of locking your front door, but Blu-Tacking the key to the lock.

In happy days for hackers, these keys remain (bewilderingly) popular, year after year.  

It gets worse. Recent high-profile breaches of companies like Target and Sony reveal that not only do a large number of people set crummy passwords, but we also use the same passwords across multiple sites.

While this is certainly a convenient shortcut (why remember ten passwords when you can just remember one?), it’s worth noting that we also reuse usernames; often your username is your email address, so there’s not much choice in the matter.

Once a hacker has a set of usernames and passwords from one compromised site, it’s a piece of cake to test those same stolen credentials across multiple sites (the trade calls this credential stuffing), potentially hitting the information jackpot.

And it’s not just shoddy passwords that leave you exposed to the bad guys. Forgotten-password retrieval tools will confirm your identity once the most obvious questions are answered correctly.

“What’s your favourite sporting team?” is a no brainer, if a hacker sneaks a glance at my Instagram account, replete with purple anchors.

It’s worth noting that when setting your password retrieval answers, they don’t have to be true, just something you’d remember. The real beauty is in obscuring your responses: treat them like passwords, make them up, and store the made-up answers somewhere safe rather than in your head.

It’s all about the money, honey 

With most of our business transactions moving online, our personal information has never been more valuable, with reports suggesting the hacker market is more profitable than the drug trade.

Walter White might have abandoned chemistry had he known that stolen information can be used to create a fake ID, buy medical supplies, and sell them on the black market.

Your data can be used to file a fake insurance claim, buy an expensive new house, or sneakily activate your webcam to listen in on business meetings.

Red flags that your data is being misused include surprise charges on your credit card bill, bounce-back emails from people you’ve never contacted, or marketing posts on Facebook about your love of acai berries, despite having never eaten one.

Open sesame 

Modern hackers have developed an impressive toolkit of ways to get at your personal data.

The simplest is a brute force attack: a nasty piece of software that swiftly tries every possible short password, starting at 'aaaaaa' and working through every combination of letters, numbers, and symbols until it reaches the last one.

Rinse and repeat for seven-character passwords, eight-character passwords and so on, until it gets a match. Every extra character multiplies the number of combinations it has to try, which is why length matters more than cleverness.

The software also checks for commonly used passwords, names, and dictionary words (including international dictionaries), so if you think you’re outsmarting the bad guys by using foreign words – nein.

Shoulder surfing (sneakily reading your password or keystrokes from behind), inference (having a good old-fashioned guess), and social engineering (simply tricking you into revealing your password) remain popular ways to access your information.

Exploiting unpatched software (taking advantage of bugs in outdated operating systems or programs that you haven’t gotten around to updating) is also common, so the next time your computer pops up a pesky update request, it’s probably a good idea to accept, from a security standpoint.

Long and strong passwords 

Remember the brute force software attacks mentioned earlier? That nasty piece of computer code could chug along for years attempting to crack a long password containing upper and lower case characters, a few numbers, and some punctuation for good measure.
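To put numbers on the brute force attack described in the "Open sesame" section and the "years" claim above, here is an added illustration written for this article (not code from the original piece or from any cracking tool). It sizes the search space for different lengths and character sets, converts that to worst-case search time at an assumed guess rate, and runs a toy version of the attack itself: a constructed wordlist of the article's "top offenders" first, then every combination of increasing length. The guess rate of one billion guesses per second is an assumption for illustration; real rates vary by orders of magnitude depending on how the site stores passwords.

```python
import itertools
import string

# Assumed guess rate for illustration only: roughly what one GPU manages
# against a fast, unsalted hash. Real-world rates vary enormously.
GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for the wordlists cracking tools ship with: the
# article's top offenders plus a German word, since international
# dictionaries get checked too.
WORDLIST = ["123456", "password", "qwerty", "letmein", "schatz", "Passw0rd"]

CHARSETS = {
    "lowercase letters": string.ascii_lowercase,              # 26
    "upper + lower": string.ascii_letters,                    # 52
    "upper + lower + digits": string.ascii_letters + string.digits,  # 62
    "all printable": string.ascii_letters + string.digits + string.punctuation,  # 94
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def worst_case_years(alphabet_size: int, length: int,
                     rate: int = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate of that length at `rate`."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_YEAR


def crack(target: str, alphabet: str, max_length: int):
    """Toy version of the attack in the article: wordlist first, then every
    combination from one character up to `max_length`, shortest first.
    Returns (method, attempts), or (None, attempts) if it gives up."""
    attempts = 0
    for word in WORDLIST:
        attempts += 1
        if word == target:
            return "wordlist", attempts
    for length in range(1, max_length + 1):
        for candidate in itertools.product(alphabet, repeat=length):
            attempts += 1
            if "".join(candidate) == target:
                return "brute force", attempts
    return None, attempts


def strength_report(lengths=(6, 8, 10, 12, 16)):
    """Worst-case search time, in years, by character set and length."""
    return [(name, n, worst_case_years(len(alphabet), n))
            for name, alphabet in CHARSETS.items()
            for n in lengths]


if __name__ == "__main__":
    for name, n, years in strength_report():
        print(f"{name:>24}  {n:2d} chars  {years:12.3g} years")
    for pw in ("qwerty", "cat", "zzzzz"):
        print(pw, crack(pw, string.ascii_lowercase, 4))
```

Six lowercase letters fall in well under a second at the assumed rate; twelve characters drawn from the full printable set take on the order of ten million years. The toy `crack` function finds "qwerty" on the third guess because it is in the wordlist, while "cat" has to be found the slow way.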

Edward Snowden’s suggestion for the best uncrackable password? “MargaretThatcherIs100%SEXY.”, although that one might be unsafely popular now that it’s seen the light of day (sorry).

Simply changing your password isn’t the silver bullet for your privacy worries though. A great and easy thing you can do is turn on two-factor authentication on every account that offers it.

Log in from an unrecognised device and you’ll get a passcode texted to your phone (or, better still, generated by an authenticator app, since text messages can be intercepted or redirected by someone who talks your carrier into moving your number). Even if somebody manages to steal your password, they’d need to steal your phone too.

Setting a passcode or fingerprint scan on your phone adds another layer of complexity to the mix. It’s not bulletproof, but it’s a pretty great start.

But why remember ten passwords when you can just remember one? Fortunately there are Password Management tools out there that are dedicated to doing just that.

PC Magazine favourite LastPass is available for Windows, Mac, and mobile, allowing you to use one great password to unlock and manage all your other passwords.

There’s a suite of alternatives on the market, with KeePass and 1Password both strong competitors. All store your passwords in a strongly encrypted vault.

If they think any of your passwords are shoddy, they’ll generate a strong random one and take the hassle out of remembering it. Of course you’ll still need to remember the master password that unlocks the vault, but you only need to remember one.

And while some will inevitably argue this is putting all your eggs in one basket, that basket is made of pretty tough stuff, provided the one password guarding it is long, used nowhere else, and backed by two-factor authentication where the tool supports it.

Eventually the very technology that forces us to have great passwords will be the same technology that makes the humble password obsolete.

If you think the fingerprint scan to unlock your iPhone is impressive, wait until you get a look at Intel’s new offering ‘True Key’ that uses your face to unlock all of your passwords.

One look (quite literally) is supposed to get you in to anywhere you’d like to go; the app provides your password on your behalf once you’ve passed the biometric test.

Still in development is ‘MapLogin’, where your password is a GPS location that you find on a map.

Think of it like hidden treasure whose location only you know: the seventh hole at your favourite golf course, your mother-in-law’s house, or the Pirates ride at Disneyland (ARRR).

Simply locate the spot on a map and you’re in, which is easier than remembering the colour of your second cousin’s third cat.

Future password advancements are rumoured to include using the veins in your hands, security tattoos, password pills, inkblots and even brainwaves.

Or you could always write your password on a post-it note and stick it underneath your hover board.

To sympathise (and chuckle) at the password woes of others, join the Twitter conversation at #PasswordConfession

Now if you’ll excuse me, I’m off to Blu-Tack my key to the front door.

Passwords aren't the only thing you need to be careful of online. Check out these digital habits to break as soon as possible.
