Please note, safety of passwords is constantly changing. This old post addresses several key ideas, but now it is generally believed a password should be at least 13 characters. No doubt that view will change again. – update on 2/1/2013.
Often when people think of the Internet they see it as very different from the real world. For example, if someone broke into your home you would change your locks, right? And you wouldn’t just change one lock, you would change them all. In addition, you probably have several locks. A regular lock and a deadbolt. I imagine in addition to having several locks at home, you have different locks at your office and in your car. You don’t use one key for everything.
The problem on the Internet is that most of us are running around without a deadbolt and we use the same key all over the place. We choose simple passwords, for example our birth date, or our dog’s name, and we use that same password across the Web; or we simply use two or three different passwords throughout the Internet.
Setting a Strong Password
The first thing you need to do is set a strong password. A strong password is one that is a mixture of letters and numbers, and, if the site allows, special characters. For example, instead of using the word password, you would use p@55w0rd. It is actually even better to use random letters, numbers and symbols, because hackers are getting very good at hacking into passwords like p@55w0rd.
Setting a strong password doesn’t solve all of our problems though. First, if you use the same password throughout the Internet and a site is compromised, now all of your accounts are compromised. Recently there were two popular sites that were hacked, resulting in over 10 million people having to reset passwords throughout the Web, and leaving credit card, bank, email, and numerous other accounts vulnerable until the passwords were changed. The first instance is a popular site called Gizmodo. The second is a popular app and site called Trapster.
How Do You Remember This Stuff?
I don’t know about you, but I have serious trouble remembering passwords. Especially when I have to remember a bunch of passwords. This leaves me in a difficult situation. I am supposed to have a different password for every site, which already causes me memory issues, and those passwords are supposed to be difficult to guess, meaning even more difficult to remember.
Fortunately, there is a solution to this problem. The solution is called a password manager. These password managers allow you to create one really hard to guess/hack password, and enable you to store the passwords themselves in a secure, encrypted location. The best password managers will actually generate the passwords for you. I personally use a service called 1Password which I have found works well for me. There are numerous password managers, so take a look and see what works for you.
So now your accounts are secure and the article is done, right? Well, I am still typing, so, alas no, our accounts still aren’t secure.
You Forgot Your Password – So Did the Thief
You have done everything you are supposed to do. Your password is so hard to guess the FBI couldn’t figure it out. Every single site, even the most simple site, has its own password. But now we have to deal with something called the password reset.
If you look at virtually any Website you will see an option that reads something like “forgot your password, click here.” And when you click there, the site will either send the password to the email account you used to register with the site or will ask you one or two questions that you set up when you signed up for the account.
The weakness here is twofold. If your email account has been hacked, now the person has control of all of your accounts. If your email account hasn’t been hacked, but the questions have easy answers, now the hacker can easily gain control of your Website account. Many online email accounts have the same weakness. You click on a link, the site asks you a couple of questions, answer them correctly and bam, you are in.
You are probably thinking, well, so what? How will someone guess the answers to my questions? Well, the questions normally have something to do with you. What is your maiden name? What was the name of your first dog? What is your birthday? A lot of the answers to these questions can easily be found online.
For example, a young man who apparently has way too much time on his hands searched through the Facebook accounts of young women, found a lot of personal information and used that information to answer the questions necessary to reset email account passwords. He then searched through the email accounts, found nude pictures (why do people keep nude pictures in their email accounts?) and sent the pictures to everyone in the victims’ address books. Very embarrassing for the victims. Imagine however if the information that was stolen was client information. Next thing you know you are on the phone to your malpractice carrier and you have to take on the professionally disastrous step of telling your clients you didn’t keep their information secure.
What to Do?
Lie. That’s right, lie. Make up answers to the questions. Your first dog was named Scrappers? Fine, put instead that your first dog was named telephone. In other words, you are literally creating a second set of passwords for your accounts. Items that no hacker will ever guess, have nothing to do with you, and won’t be found anywhere on the Web if someone should do a search on you.
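To make the advice above concrete, here is an added example (not part of the original post, and not how any particular password manager works) that generates a separate random password for each site plus a made-up answer for each reset question, so both can be stored together in a password manager. The symbol set, the syllable scheme for answers, and the site names and function names are assumptions chosen for illustration.

```python
import math
import secrets
import string

MIN_LENGTH = 13            # minimum length cited in the page's update note
SYMBOLS = "!@#$%^&*-_=+?"  # constructed sample set; sites differ in what they accept
CONSONANTS, VOWELS = "bdfghjklmnprstvz", "aeiou"

def generate_password(length=20, allow_symbols=True):
    """Uniformly random password containing every allowed character class."""
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if allow_symbols:
        classes.append(SYMBOLS)
    alphabet = "".join(classes)
    while True:  # redraw until every class appears; keeps the choice unbiased
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate

def generate_reset_answer(tokens=4, syllables=3):
    """Made-up, pronounceable answer that has nothing to do with the account owner."""
    def token():
        return "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                       for _ in range(syllables))
    return " ".join(token() for _ in range(tokens))

def entropy_bits(choices_per_position, positions):
    """Upper bound on guessing entropy for independent uniform choices."""
    return positions * math.log2(choices_per_position)

def new_account_record(site, questions):
    """One record per site: its own password plus a fake answer per reset question."""
    return {
        "site": site,
        "password": generate_password(),
        "reset_answers": {q: generate_reset_answer() for q in questions},
    }

if __name__ == "__main__":
    # Constructed sample sites and questions, for illustration only.
    questions = ["What was the name of your first dog?", "What is your birthday?"]
    for site in ("bank.example", "mail.example"):
        record = new_account_record(site, questions)
        print(record["site"], record["password"], record["reset_answers"])
    print(f"password: up to {entropy_bits(75, 20):.0f} bits, "
          f"answer: {entropy_bits(80, 12):.0f} bits")
```

The answers are built from pronounceable syllables so they can still be read aloud if a site's support line asks for them.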
Website security is crucial. But it is also a two-step process. You need to have secure and different passwords throughout the Web and you also need to make sure you have impossible-to-guess password reset questions. Then, when you get warned that one of your favorite sites has been hacked, quickly act to change your password on that site.
Seems like a pain, I know. But it is a lot less difficult than having to change your credit card or bank information, and definitely less harmful than having to notify your clients and insurance carrier that you didn’t keep the data secure.