Surf Securely: Passwords

Welcome to the first installment of Surf Securely, a multi-part security guide created by Canary. We developed this guide because when it comes to protecting yourself, it’s easier for most people to pinpoint physical risks than digital ones.

We’re happy to share our experience and insight about how to best protect yourself online and avoid some common digital pitfalls. The first step in protecting yourself online is to understand common techniques used by hackers and people who want to exploit your private information. Today, we’ll start with passwords.

Password Cracking

Passwords are the key to your digital security. By picking strong passwords, you minimize the chance that someone can hack your account, and you may even be able to reduce your risk if an online service you use has a security breach.

Thieves crack passwords to access your systems, accounts, or devices without your knowledge or permission. They may often try a simple brute-force approach: plugging in different passwords until they figure out the right one. They may also try resetting by responding to “lost password” security questions—your mother’s maiden name, for instance—and pulling correct answers from Google searches or social media profiles. Fortunately, many secure sites will lock users out after a few failed password attempts (or will alert you that someone’s trying to log in to your account), so you’ve got some resources that may help you catch a hacker in the act. Still, it’s a good idea to be proactive with your password security.

Create a strong password

Ideally, your password is a completely random mixture of lowercase and uppercase letters, numbers, and special characters, like TiR%&2hLtB72. A password manager can help you generate and keep track of passwords like these. (See “Use a password manager” below.) However, if you’re creating a password on your own, use these suggestions to make it harder to crack:

• Your password should not contain complete words; a password like “chocolate25” could be strengthened by breaking up the word with numbers or special characters, resulting a password like “choc25olate.”
• Your passwords should be at least eight characters long, but preferably 12 characters or longer.

• Spell words backwards. For example, use “etalocohc” instead of “chocolate.”
• Substitute numbers or special characters for letters. In this case, “chocolate” becomes “ch0c0l@t3.” (This method of spelling is known as leetspeak.)
• Use an acronym to remember your password. For instance, “It was the best of times, it was the worst of times” would become “iwtbotiwtwot.”

What not to do

It’s easy to get tripped up by a few common password pitfalls. Keep yourself safe with these tips:

• Avoid using any full word that appears in the dictionary.
• Skip using details that can be traced by to you, including names of relatives, children, pets, sports teams, and cities you’ve lived in.
• Numbers and dates including birthdays, anniversaries, graduations, social security numbers, and license plate numbers don’t make the cut.
• Stay away from using numbers or letters in the order that they appear on a keyboard like “12345” or “asdf.” (They’re some of the first things hackers try.)

Never use the same password for different accounts

Vary up your passwords, and try not to use the same one (or a similar one) on multiple accounts. Why not? Imagine if you used “apples” as your password for every account. If the login credentials to any of the sites or services you use are hacked, the person with that information now has access to ALL of your accounts. Don’t make it that easy for hackers!

You may be tempted to get around this by changing the password slightly for each account (e.g. “chocolate1” for Facebook and “chocolate2” for your Gmail account). Unfortunately, hackers write programs to check for variations like this, so similarities like these will put you at a disadvantage.

Use a password manager

Simplify the experience of creating and remembering all of your strong and unique passwords by using a password manager like LastPass or 1Password. These browser plugins will securely store all of your login credentials and can also generate very strong, randomized passwords for you to use.

Be smart: don’t use your browser’s password manager, and decline if your browser asks you something like, “Do you want Firefox to remember this password?”  Browsers’ internal password managers store your passwords on your computer, which means that anyone with access to your computer could potentially obtain those passwords. Third-party password managers, however, encrypt your data and store it securely in the cloud.

Be careful when answering password recovery questions

If you forget your password to an account, the system may ask you some questions to confirm that you are who you say you are before they let you reset your password. This is good because it allows you to regain access to accounts even if you forget your login credentials. However, these same questions can be used by hackers to gain unauthorized access to your account.

Instead of using default security questions, make up your own questions, or opt out of questions if the answer can easily be found on Google. (It can be surprisingly easy to find personal details like your father’s middle name, your mother’s maiden name, the town you were born in, or the name of your first pet online.) If you choose to go with preset questions, use a random answer like “I love hotdogs” to make routine security questions like “What is your first address?” more secure. Store this random answer in the notes section of your password manager so you can reference it in the future if you need to.

Use two-factor authentication if possible

Two-factor authentication makes your account more secure. The basic idea is that to login to your account, you need to verify your identity in two different ways: 1) by entering your password, and 2) by entering a randomly generated code that’s sent to your cell phone. Your password stays the same, but the code that gets sent to your phone is always different. This added layer of security ensures that if someone cracks your password, they still won’t be able to access your account unless they also have your phone.

TwoFactorAuth.org is a comprehensive list of popular websites that offer two-factor authentication. Most sites don’t enable two-factor authentication by default, but it’s easy to activate it in your account settings.

Bringing it all together

We hope you never have to deal with password hackers, and by creating robust passwords, having an entirely new password for each account or system, using an encrypted password manager, and two-factor authentication, and staying smart about account recovery questions, you can strongly reduce your chances of getting hacked.

Have any password tips? Share them in the comments!