Not too many people are going to get excited about this topic. However, almost all of us have some important online accounts, and many business owners and employers also need to think about network access, client database security and the like. Here are a few guidelines:
- never, ever, enter any of your real passwords into an online password strength checker! That should be obvious but it’s amazing how often it needs to be pointed out!
- identify and prioritise your ‘serious’ online accounts among the dozens that most people have. For example, I identified about seven of my own: banks, online password manager, online shopping including Amazon, home Internet router, personal website hosting service, cloud storage provider, mobile service provider, email service provider, etc. More on ‘serious’ online accounts below.
- if you have any trivial passwords on ‘serious’ online accounts, change them immediately to something more secure. See the Top 5 trivial passwords below. Pet names, spouse, lover, neighbourhood, holiday, car and employer names, etc., are also useless. Basically, any proper noun or dictionary word just won’t cut it in terms of security.
- most of us need many more secure passwords than we can conceivably remember, so a plan is needed. One suggestion is to have one complex, secure password or passphrase for an online password manager, and hammer that home in your brain until you never forget it. Mine is 19 characters long – uncrackable except maybe by quantum computing. Then use the password manager to file and use your other passwords. This is not perfect, because no password manager is perfect: they are a time-consuming challenge to learn and use properly, most have shortcomings of one kind or another, some are plain rubbish, and with any password manager you have a single point of failure. It is still a big improvement on weak passwords. However, each of us needs to decide for ourselves what our password strategy will be.
- a fairly secure password needs to have at least 10 characters, mixing uppercase, lowercase, numbers and one or two special characters like % ^ etc. That makes it very difficult (but not impossible) for seriously powerful computers to crack. The array of password-cracking tools that are readily available is scary, and I will talk more about those at a later date.
- avoid using the same username and password for more than one serious online account. This is more easily achieved with an online password manager.
- do not log into ‘serious’ online accounts over public WiFi, such as in cafes, airports, public transport, co-working spaces, etc. Invisible snoopers that can capture login credentials may lurk!
- if you lose your laptop, bear in mind that a skilled hacker can access the file in which your browser automatically stores login credentials, if you use that browser feature, as most people do. There are techniques that can be used to decipher these files, even if they are encrypted. We’ll talk more about dictionary attacks and rainbow tables another time.
Here are the Top 5 most used trivial passwords, which are about as good as no password at all:
- 123456
- 123456789
- qwerty
- password
- 111111
Have a look at this web page from CNN Business; it provides an interesting overview of trivial passwords, computer and password security.
Some of our online accounts matter, in the ‘serious’ sense, and some don’t. Each to their own in terms of that judgement, but in general I would not regard social media as ‘serious’ accounts, though opinions might vary on that.
The ‘serious’ accounts probably hold more detailed personal information about us, which is more ‘marketable’ on the dark net. So if just your own account is compromised because someone got your login details, your personal information may be exposed. But if the service provider’s client databases suffer a breach and data exfiltration, not all service providers hold client information in securely encrypted form, and your details may be exposed as one of thousands or millions of records. These could be put up for sale on the dark net or published openly. For a disturbing example, Google the Ashley Madison data breach, which occurred in 2015. If your password is secure, it may help stop the hackers recovering it from the stolen records and getting into your account in the event a service provider suffers a data breach.
Banks these days have pretty solid security on online accounts, such as User ID, PIN, minimum requirements on password length and complexity, two-factor authentication (usually via SMS code or smartphone app) and so on. So if someone gets your User ID and password details, they would also need your 2FA device before they could access your account. Nothing is 100% secure, but this is currently as close as practicable in the real world.
Now is a good time to review where you are in terms of secure passwords and remediate where appropriate.