We have to talk about passwords.
We’re going to start exactly where you expect: with a lecture about your sloppy habits, as if you’re a kid who’s about to be sent to the corner. I can’t avoid giving this lecture. It’s my job as a parent. You know you need it.
Look, I’m sorry, I wish I didn’t have to have this talk, but your passwords are crucially important. They are your defense against identity theft, financial loss, compromised computers, and breaches of confidentiality and privilege.
What’s that? You hate dealing with passwords? Of course you do! Everyone hates dealing with passwords. They’re annoying and difficult to remember. Neuroscience research shows that the human brain does not perform well at free-associating text that has no inherent meaning.
If it’s any comfort, you should know that the entire tech industry is aware that our dependence on passwords is a train wreck, one that has been in progress for years and continues to spread destruction along the tracks. Lots of companies are trying to figure out how to eliminate passwords and still keep us secure. Microsoft, for example, just announced rather vague plans to combine a fingerprint or a PIN with a number from an authenticator app to create a secure login without a password. Our phones have a variety of authentication options – fingerprint readers, facial recognition, iris scanners – that may play a role someday. Perhaps we can have a different discussion in 2019 or 2020.
That’s in the future. We don’t live in the future. As of today, passwords are still the only effective way to keep your accounts and your data secure. Yes, they require hard work, but we’re stuck with them. I’ve helped clients clean up from three email hacks in the last week alone, so I can tell you with confidence: it’s easier to learn good password habits than it is to suffer the consequences of a hack.
Today I’ll tell you scary password stories, kind of like showing video of car accidents to high school driving classes. But keep reading anyway – there are tips below that might help improve your security.
In another article we’ll talk about password managers like LastPass, and the pros and cons of storing passwords in Google Chrome.
Finally, I’ll see if I can explain two factor authentication in a few hundred words. I’m not optimistic but I’ll give it a try.
The obligatory password lecture
You have two goals. (1) Don’t use an easy password that can be cracked. (2) Don’t re-use a password. If you use a weak password, or if you use the same password over and over every time something calls for one, you are putting yourself and your business at risk.
Use a different password for every site. If you’ve used the same password in more than one place, change your passwords. When the bad guys steal a password, they immediately test it on other sites in case you used the same one somewhere else.
If your password is a dictionary word that you’ve cleverly disguised by starting it with an upper case letter and ending it with an exclamation point, change your password. The tools used by the bad guys to crack passwords start with the entire dictionary and now easily also test simple variations on dictionary words.
If you’ve obscured a dictionary word by substituting lookalike numbers for letters – “Pa55w0rd,” “Thr33” – change your password. The bad guys have built that into their hacking algorithms.
If any of your passwords is your pet’s name or your spouse’s name or a child’s name, change your password. The bad guys are starting to do targeted attacks and might well collect information about you from social media.
Do not type your password into a website unless you are 100% confident that it is a legitimate website. We are being assaulted with a deluge of phishing email messages. You have to be paranoid so you don’t accidentally give away your passwords.
Do not store passwords in Outlook. Your mailbox is one of the most likely accounts to be hacked.
How do the bad guys get our passwords?
The bad guys might be highly sophisticated criminals in organized rings overseas, or they might be bored teenagers looking up hacking tools on Reddit for lolz. Where do they get our passwords?
• Our passwords might be cracked by brute force. The bad guys have increasingly sophisticated tools to test random passwords until something works. That’s why dictionary words are a bad idea, even when lightly disguised or dressed up with a punctuation mark or with a “3” in place of an “E.”
• Our passwords might be leaked in a hack of a government agency or large company. For many years, large companies and governments have been storing information in poorly secured databases. Your information has leaked out during all the hacks you’ve read about in the last few years: Equifax, Yahoo, credit card processors, Sony Playstation, health insurers, Adobe, and many more. Frequently the leaked information includes the password for the hacked account, which the bad guys then can test to see if you used the same password elsewhere.
• We might be fooled by a phishing message that tricks us into typing our password in a phony website that mimics something trusted or familiar. The bad guys can then use that password to compromise the account they were imitating – your mailbox, say – as well as testing the password on other sites in case you used the same one.
There are a couple of other ways that aren’t as prevalent – conning a company’s customer support department or installing a keylogger to collect keystrokes on your computer.
Helpful and interesting password tips
The most important thing you can do: Use LastPass, Chrome, or another password manager. Generate complex passwords and trust the password manager to remember them for you. We’ll talk about that in the next article.
For now, let’s assume you’re writing your passwords down in a notebook stored in your desk drawer. There’s a bit of a security issue there, but it’s a start. In that case, try these tips.
• Create unique passwords that you can remember
• Use spaces in your password
• Never type a useful password hint
• Never answer a security question directly
Create unique passwords that you can remember
If you’re not using LastPass, realistically there’s no way you’re going to create complex passwords (the ones that look like brKcV3apY9 or worse) for every web site. If you’re like most people, you use the same password all over the web.
Let me suggest a simple trick – not foolproof but it will help.
Create a complex password that you can remember. It will be at the heart of your new passwords. Say your standard password is Sword#fish415!
Add the first letter of the web site to the beginning and the last letter to the end. Example:
• Apple: ASword#fish415!e
• Google: GSword#fish415!e
• Amazon: ASword#fish415!n
See how it goes? Each one is unique but you can remember how it’s done.
Invent your own pattern. Use the first two letters of the website at the beginning and the end (ApSword#fish415!Ap, GoSword#fish415!Go). Add a punctuation mark in the same place in each one (A%Sword#fish415!e, G%Sword#fish415!e). It doesn’t matter what the pattern is as long as each password turns out to be different and you can remember how you did it.
Use spaces in your password
You can put a space in your password at almost every web site. Put two or three words together with spaces and you’ve made it far more difficult for a hacker to crack it by brute force. Bugblatter Beast! is a better password than Hitchhiker!
(According to The Hitchhiker’s Guide To The Galaxy: “The Ravenous Bugblatter Beast of Traal is a rather large creature that likes to eat things. It is so mind-bogglingly stupid that it thinks that if you can’t see it, it can’t see you. Therefore, the best defense against a Bugblatter Beast is to wrap a towel around your head.”)
Never type a useful password hint
If you are asked to type in a password hint as part of the process of setting up an account, never ever type something that would allow the password to be guessed. Don’t try to be clever. If you need that hint to remember a password, then you’ve chosen a weak password; you don’t need a hint, you need a better system to manage your passwords.
The best password hint: “Look in LastPass.” (Not a good password hint: “Look in the notebook in the top drawer.”)
Never answer a security question directly
Many online accounts include security questions that are used to authenticate you if your password needs to be reset. The answer does not have to match the question. Think of something that you will use as your security answers going forward – words that you will remember but that no one will guess that you chose. Use those words to answer security questions consistently, with the same capitalization and spelling every time. First pet? “Inigo Montoya”. Mother’s maiden name? “Buttercup”. Street you grew up on? “Fire Swamp”. Elementary school? “Cliffs of Insanity”.
No one is fact-checking those answers. When you call in to reset your password, the tech support rep types in what you say to see if it matches. The rep doesn’t care if it makes sense. The only crucial thing is that you have to remember what you chose. Make a note of it in LastPass.
Be careful out there!