Passwords and their security

How many asterisks are your password?

Facebook site of the teenage daughter of a friend got hacked and it was flooded by porn pictures and then it was shared everywhere across the net. This gave me the idea to write about the security of our passwords.

A Top25-ös listáért katt a képre!

A Top25-ös listáért katt a képre!

At the end of 2013 there were articles about the observation that the dumbest and easier to remmber – but thus also the easiest to break passwords are still the most popular among people. I would rather not spend an extra paragraph for it but I have to tell you: you should use unique and hard to decifer passwords!

Update: On March 31 in 2016. news appeared about a Gmail data breach involving lots of   Hungarians. It shows how important it is to have different passwords for the different sites/services. At least such high importance sites should have their unique password in your life like your Gmail, Facebook, PayPal and other banking accounts. And of course it is also important to change them regularly considering the suggestions of the list below. This way data thieves can only get outdated and useless informations instead of valuable and sensitive information.

Change your password NOW!

    It is almost irrelevant how long ago you changed your password. By the time you read this article at least a part of your passwords will be a week or more older. It is strongly advised to change them now instead of any delay!

It may not be new to you, but I hope you find some value in it. Some people skip these tips when they are presented on some of the websites during the registration or when the IT guys of the company force us to reset passwords. Despite the hardships it is a good advice. Our passwords are protecting more and more of our valuable data each day on our computers, smartphones and tablets just as much as in the cloud services or other networks.

When your passwords get hacked it can cause serious harm to your data security. I collected some basic rules of using our passwords. Believe me it is worth to follow at least some, but even better to follow all of them.

Basic rules of passwords:

  1. Don’t use personal info as your password (name, birthday, spouse, pet, etc excluded)
  2. Don’t use repeating or continous numbers  nor one neither the other direction
  3. Let it be rather long – at least 8 characters
  4. Use letters and digits mixed
  5. Mix some capitals in random places
  6. Use different passwords for each site/Service (whenever possible try to use varying user names as well!)
  7. Change your passwords quarterly or even more regularly
  8. Rarely (or rather never) reuse a once already used password again
  9. Never log into your accounts from an unknown public computer (school, malls, hotels and press centres included)
  10. If you need to do it, don’t forget to log out of the service before leaving the computer
  11. On an unknown network (pl. free wifi) your data isn’t safe on your own computer
  12. If you had to sign in at a foreign place, you should reset your passwords the next time you can access your own computer
  13. Log out or lock your computer when you leave it unattended (especially at public places like cafes, offices, school or a press centre)
  14. Use login passwords or at least a keypad lock for computers, phones, tablets
  15. If you write memos for your passwords on paper never keep it next to the device it unlocks
  16. Never write down your password in it’s original form! Always use some trick to protect it from others (change up characters, add extra characters)
  17. When you read articles about companies getting hacked and user data being stolen, you are advised to reset ALL of your passwords. (Even when the companies involved have no connection to you. It never hurts to reset your password more often – contrary to the risks of too rare password resets.)

Jelszó generálás precízen

Generating passwords
Lots of apps offer you autommatic generation of passwords. There are even standalone programs for this sole purpose, but there are such features built in to many porgrammes and online services. Most of them usually allow you to set up the length and complication level of the password. Generating of the passwords this way is much easier and their security level is much higher. Remembering them however can be almost as hard as deciphering them.

Remembering your passwords
Like the first items on the list say the passwords should not be easily to decipher. But a hard to guess password is hard to remember. Especially when you use lots of different passwords and you also change them often as suggested. What can you do to remember your passwords? One thing that can help is to think in quotes. Not the best idea to stick to the most famous quote of Robert Capa or any other photographer especially if you quote it on your website or Facebook too.
It is better to use these quotes to change letter cases here and there. Some letters should be replaced by numbers to make it harder to decode or guess for others. Of course you should remember the system in which you change things in the quotes. You can use numbers similarly shaped to the letters. For example use 1 for letter i and l, 9 for g and 0 for o. Of course you can use any other system of your choice that you can remember more easily.

Taking notes of passwords
It is worth to use similar coding when you make notes of your passwords for yourself. For example you can only remember where to change letters to numbers in the actual password but skip noting them exactly as they should be used. This way not even one reading the notes can break into your account. Or you can add extra letters either in the password or the note that don’t really need to be used that way.
The most important is not to keep your password notes on or next to the devices you use them with. For example never stick a note of your PIN code onto the bank card you use it for. Not even keep them together in your wallet – this could help thieves to access your money really easily and it makes the PIN code totally pointless. Also never attach the address of a door onto the key opened by it. These failures can lead to terrible losses.

Applications to store passwords
There are a plethora of applications for solving everyday problems. Remembering passwords is no different in this regard. Password management apps store all your passwords in one place and they also store them encrypted. Some of them can make the login itself much easier and you have to remember only the one master password of the application instead of all the accounts you use around the web.
It is important to know of course these apps also have a level of security risk. Keeping all your passwords in one place also increases the risk of someone getting into this app can get all of your passwords in one place – and probably a lot more other data stored in different systems.

On the other hand such applications mean still smaller risk than using the same password everywhere. Choosing the right password management app is of course an important decision. It is best to look around carefully which one IT security specialist consider the best option and how to use them wisely.

Biometric identifiers
There are a growing number of people who consider traditional character sequences not enough protection for our sensitive data. This thought is detailed by Matt Honan in the article of Wired too. He thinks only fingerprints, iris patterns, face recognition and other similar biometric identifiers can be secure enough. Using them on a really wide scale needs some time however. Until then keep your passwords safe!

Two factor authentication
More and more websites and services offer two factor authentication to avoid the chances of your user name and password getting compromised. These solutions require an additional and quickly outdated data to be entered in addition. Big company systems provide a special device that gives the code to be entered. A more common solution is the system sends you a code in SMS to be entered upon login. This code cannot be used more than once, doesn’t work without your login data and expires within a few minutes so it gives a quite great level of security. This way even if your login data is compromised hackers still cannot access your account without getting hold of your mobile phone too.

Social authentication
Facebook (and perhaps other sites too) started developing a system of close friends you can set up to validate your access to your account in case of any problem. This way a group of your friends can validate the system yes it is you who wants to log into your account upon a lost password or any other suspicious activity.

Be careful with the links received in emails!
Whenever there is a chance for it you should not click on links received in emails. If you really need to do it, it is worth checking what address that link redirects to and check it if it really belongs to the company or site you want to log into.
It is best to go to the website by typing it’s address into the browser or use your already existing and bookmarks in use just like any time else. After login you will probably see the same information you got the email about. Even if you don’t see it there it is still much better to log into the account first and only click the link in the email after that – thus you won’t be required to log in as you are already logged in. If you are asked to log in again you can be suspicious whether you are facing a phishing attempt.
Frauds usually use the simplest tricks to get the most information from you. It is a common trick (just like with sending fake invoices with the mail in hope to get paid without checking what they are for) to send emails with the branding of banks, phone companies or any other website that uses the same colors, logos and appearance to make you log in without thinking whether it is really from the given company or not. The link in the email leads you to a website that appears to be almost the same the one you usually use. Even it’s address may be quite similar – just a bit different. When you try to log in they get your user name and password then they redirect you to the original site and all you see is you are required to log in again – by the time the hackers already got your login data and can use it against you any time.

Take care and keep your passwords secure, use two factor authentication whenever possible!

Related scene from the Space Balls movie:

Error thrown

Cannot unset string offsets