Genuine Curiosity

Author Dwayne Melancon is always on the lookout for new things to learn. An eclectic collection of postings on personal productivity, travel, good books, gadgets, leadership & management, and many other things.


Do's and Don'ts for Password Creation

In today’s world of online shopping, online banking, cloud data management and Internet-based teleconferencing, protecting yourself is more important than ever. The recent batch of stories relaying the horrors of celebrities and corporations being hacked and sensitive data being exposed only serves to highlight the necessity of having good security. The first place to start is with your own passwords.

People assume that if something has a password, it is protected. This is not always the case. Many hackers are adept at guessing passwords, giving them total access to all of your personal information.

How can you make your password more secure? There are several techniques you can employ, all of which will increase the strength of your passwords and help keep you and your information safe and secure. Here are a few do’s and don’ts.

Do's

Do go long. The longer the better. While you don’t want to go crazy because long passwords can be impossible to remember, make sure yours is longer than nine characters. Can't be bothered to come up with your own unique passwords for every site you belong to? Check out Norton's free password generator where you can specify length and contents at the click of your mouse.

Do mix it up. Have a combination of lower case letters, capital letters, numbers and symbols, preferably at least two of each. And don’t put them in a predictable order (in other words, don’t start your password with a capital letter).

Do use a mnemonic. Build your password from a sentence you can remember. “W!t2gMp&#b4uX” may look impossible to remember until you realize it stands for “Wait! try to guess MY password and numbers before u FAIL.”

Do take precautions. Remember that even the best password is not foolproof. For added protection, take advantage of services like LifeLock. It'll keep track (and alert you) of any suspicious activity on your accounts and will help you get your life back on track if identity theft happens to you.

Do use a password manager. Keep your passwords in a password vault (such as 1Password, LastPass, or a similar product). These products allow you to create random, complex passwords for each web site and store all of them in a secure manner.

Do change it regularly. If you've had the same password for more than a year, it is probably time to change it. I recommend a minimum of once per year - more often for critical sites. For example, I know someone who changes their online banking passwords at every time change (the same time he changes batteries in his smoke detectors). That is a good habit.

Do use two-factor authentication, if it is available. More and more sites are offering two-factor authentication in which you not only enter a password, but you also have to enter an additional verification code that changes all the time. The most common method these days is to send a text message to your mobile phone with a code that must be entered to complete the login process. Many banks and payment processors (such as PayPal) offer this as an option - it is easy, adds a lot of security to your account, and is highly recommended.

Don'ts

Don’t use common passwords or familiar patterns. Using common passwords that are easy to remember might sound like a good idea, but they are often the first ones tried by hackers. Don’t use things like “iloveyou” and “password1.” Check out the 25 worst passwords and read the list as a cautionary tale.

Hackers are also adept at using familiar patterns to guess passwords. Putting a capital letter at the beginning, numbers at the end or finishing with an exclamation point are all very common and predictable.

Don’t use your names or numbers. Avoid using common names or people in your life as part of your password. Also avoid things like the street you live on or the company you work for. All of these can be found out by doing a little digging.

Same goes for any numbers that can be associated with you or someone close to you. Birthdays, anniversaries, addresses, social security numbers, etc., all of these are easily discovered by potential hackers.

Don’t overlap. Using the same password for multiple devices or multiple websites can put you in danger. It may be a pain to remember all of them, but if a hacker is able to deduce one of your passwords, it is the first thing he will try on the rest of your accounts. See the "Do" about password managers for ways to make this easier.
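As an added example that is not part of the original post, here is a small policy check that encodes the Don'ts above (common passwords, predictable patterns, personal names and dates, reuse); the common-password list, names and dates in it are constructed samples, and `check_password` is a hypothetical helper name.

```python
import re
from datetime import date

# Constructed sample of the weak choices the post names; a real check would
# load a much larger breach-derived list instead.
COMMON_PASSWORDS = {"password", "password1", "iloveyou", "12345678", "monkey", "jordan"}

def predictable_patterns(pw: str) -> list[str]:
    """The familiar patterns called out above: leading capital letter,
    trailing digits, trailing exclamation point."""
    findings = []
    if re.match(r"^[A-Z][a-z]", pw):
        findings.append("starts with a capital letter")
    if re.search(r"\d+$", pw):
        findings.append("ends with digits")
    if pw.endswith("!"):
        findings.append("ends with an exclamation point")
    return findings

def personal_info_terms(name_terms, dates) -> set[str]:
    """Strings someone could dig up (names, street, employer) plus the usual
    ways a birthday or anniversary gets typed into a password.
    Dates may be date objects or ISO strings such as '1990-05-17'."""
    terms = {t.lower() for t in name_terms if t}
    for d in dates:
        d = date.fromisoformat(d) if isinstance(d, str) else d
        for fmt in ("%m%d%Y", "%m%d%y", "%d%m%Y", "%Y%m%d", "%m%d", "%Y"):
            terms.add(d.strftime(fmt))
    return terms

def check_password(pw: str, name_terms=(), dates=(), known=()) -> list[str]:
    """Return the Don'ts the password violates, sorted; an empty list passes."""
    problems = []
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    problems += predictable_patterns(pw)
    for term in personal_info_terms(name_terms, dates):
        if len(term) >= 4 and term in lowered:  # ignore very short fragments
            problems.append(f"contains personal info: {term}")
    if pw in known:  # "don't overlap": the same secret is already used elsewhere
        problems.append("reused password")
    return sorted(set(problems))

if __name__ == "__main__":
    print(check_password("Fluffy1990!", name_terms=["Fluffy"], dates=["1990-05-17"]))
    print(check_password("W!t2gMp&#b4uX"))
```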

Don't be a victim in the eBay data breach

If you're an eBay user like me, you'll have seen the news about their recent data breach in which users' names, email addresses, physical addresses, phone numbers, date of birth, and encrypted passwords were taken.  As part of my day job, I have been involved in sharing information about this incident, and thought I would share some of my thoughts here.

From the information publicly shared by eBay, it appears that the data breach involved securely encrypted passwords, which makes it more difficult to gain access to users’ eBay accounts en masse, as it will require brute force decryption (i.e. high-speed guessing) to determine the specific characters in an individual's password.  If you use a simple and/or a short password, the chances of them guessing your password quickly are much higher, and if you re-use that simple password on other sites, your risk goes up greatly.  Remember, once the attackers have your email address and at least one of your simple passwords, they can start trying that combination on other sites to see if they can get lucky.

The fact that user email addresses, physical addresses, and dates of birth were taken in the breach is more concerning.  Criminals could use your personal information to masquerade as eBay customers on other sites, or perhaps use knowledge of that data to ‘social engineer’ their way into users’ other accounts on other services.  Unlike the passwords themselves, the other user-specific information was not encrypted and therefore could be easily reused by attackers.

eBay will ask you to reset your password - do it, even though it appears they will make this optional.  Furthermore, use a complex password - I suggest that you use a product like 1Password or LastPass to help you manage passwords online (I use 1Password, personally). These products can help you create a strong password by suggesting and saving a highly complex password.  Of course, you should also make certain you are not using your eBay password on any other sites.

Many eBay users also have their accounts connected to PayPal for payments (PayPal is owned by eBay, but their statements indicate that PayPal was in no way involved in the data breach).  For additional security, I recommend you make use of PayPal’s optional feature which uses 2-factor authentication to verify the user’s identity prior to making a payment (you can find more information on PayPal's site).  Given that PayPal is linked directly to your bank accounts, this would be a best practice even if there had been no data breach at eBay - I have been using this multi-factor approach for a couple of years and it adds an extra step in the buying process, but provides a great deal more security.

Finally, eBay users have long been a popular target for phishing emails, and users must be especially wary during incidents like this.  To be safe, do not click on links in emails about eBay security or password changes; instead, type the eBay URL directly into your browser and log into the site that way to prevent disclosing your credentials to spoofed, malicious copies of the eBay site.

Is "monkey" your password?

A while back I wrote about passwords and how to tell if yours has been compromised.  Meanwhile, I have been watching the news with fascination regarding many of the well-publicized password leaks and breaches, and have been amused at some of the popular passwords.  Seems like there are a lot of basketball fans out there who like to use "jordan" as their password in honor of Michael Jordan.  There are also a lot of profane passwords, as well as "password," "12345678," and other simple passwords.

One password that was amusing to me -- and for which I have no explanation -- is the popularity of "monkey" as a password.  It showed up pretty high on LinkedIn, Gawker, Sony, and a few others…who knew?

Anyway, I recently ran across an infographic that I think does a nice job of putting password complexity in context, and I thought I'd share it here.  Pretty interesting to see how minor increases in the length and complexity of your password can make a huge difference.  And remember - the Pros are the guys you should be worried about - not the "Noob" hackers.


Should you change your password?

There have been a lot of well-publicized data breaches in the news lately, and I always wonder if I've been affected by them.  When credit card data is affected, you get a letter from your bank or card issuer (I've gotten a few), but when it comes to web site hacks that go after passwords, you never know.  Or do you?

I'd like to share a couple of resources you can use to find out whether you should be concerned, as well as a couple of things to help you increase your password effectiveness in the future.

Find out if you've been a victim

A site called "ShouldIChangeMyPassword.com" has aggregated (as of this post) 11,802,026 compromised passwords from a large number of the publicly disclosed data breaches.  If you go to the site and enter your email address, it will tell you if your email shows up in the list of compromised accounts.  In my case, I've been breached at least once, as the graphic below shows.

(Graphic: ShouldIChangeMyPassword.com lookup result)

My password was compromised in the Gawker Media breach but, fortunately, I used a unique password so my exposure is very limited.  I also changed my password the moment I found out (Gawker was very responsible in their notification, and I knew within a few days).

Other sites you can use to find out if your password's been compromised include:

Stronger passwords in the future

If you want to protect yourself better in the future, here are some tips that can help:

  • Use different passwords for each site you visit
  • Use complex passwords (mixture of upper & lower case, numbers, random characters that aren't in the dictionary, etc.)
  • Don't write your passwords down

The challenge with this is that it makes it nearly impossible to remember what password belongs to which site.  To make it easier, I recommend using a "password vault" that can generate complex passwords for you and then help you remember them.  The best ones are multi-platform, never store your data in an unencrypted form, and allow you to share your password data securely across multiple devices.

I've tried quite a few of them and the one I like best is called "1Password."  It works on Mac, Windows, Android, iPhone, iPad, and I've been using it faithfully for a couple of years.  It stores an encrypted data file on your system (the makers of 1Password don't store your passwords on their own systems), and it easily shares your encrypted password data using Dropbox as the conduit.

1Password also has the ability to store other information such as credit card numbers, software license keys, and more.  It can also generate and store secure passwords for you, which makes it easy to satisfy the tips I mention above.

If you want to take a more manual approach, there is a good "personal algorithm" method using Steve Gibson's "Password Haystacks" model, detailed on the Gibson Research Corp. site.  This is also a great educational site on how longer passwords offer exponentially more security.
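As an added illustration (not from the original post or from the Gibson Research site), here is the Haystacks-style search-space arithmetic applied to this blog's own example passwords; it backs both the "go long / mix it up" advice in the Do's and the Haystacks model above. It assumes four character classes of 26 + 26 + 10 + 33 symbols, and the three guess rates are illustrative assumptions rather than measured figures.

```python
import string

# Assumed symbol class: the 32 ASCII punctuation characters plus space (33).
SYMBOLS = string.punctuation + " "

# Guesses per second for three attacker profiles (constructed assumptions;
# real rates depend on the hash in use and the attacker's hardware).
RATES = {
    "online, rate-limited": 1_000,
    "offline, fast hash": 100_000_000_000,
    "massive cracking array": 100_000_000_000_000,
}

def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, given which character
    classes the password actually uses (the "mix it up" rule)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += 33
    return size

def search_space(password: str) -> int:
    """Haystack size: every string of length 1..L over the alphabet,
    i.e. A + A**2 + ... + A**L, summed in closed form."""
    a, n = alphabet_size(password), len(password)
    return (a ** (n + 1) - a) // (a - 1) if a > 1 else n

def exhaustive_time_seconds(password: str, guesses_per_second: int) -> float:
    """Worst-case seconds to try the whole haystack at the given rate."""
    return search_space(password) / guesses_per_second

def report(password: str) -> dict:
    """Worst-case seconds per attacker profile. Adding characters multiplies
    the haystack by A each time, which is why length dominates cleverness."""
    return {name: exhaustive_time_seconds(password, r) for name, r in RATES.items()}

if __name__ == "__main__":
    for pw in ("jordan", "Jordan23!", "W!t2gMp&#b4uX"):  # examples from the posts above
        print(pw, len(pw), alphabet_size(pw), report(pw))
```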