Internet Passwords for Normal People

Hello,

This blog post is a bit of a detour away from my normal ramblings on all things Wi-Fi. Today I’d like to talk a bit about Internet security and the importance of good passwords.

If you’re reading this then you’re on the Internet and this post probably applies to you!

Why do we need Internet passwords?

We all know why we need passwords don’t we? To stop our various Internet accounts from being hacked – Anything from your Facebook account to your online banking, with much in between – all require a password. It seems that every week i need to sign up for some new service with yet another login!

Everyone knows that you need a good password to stop you from getting hacked. Right?

But hacked by whom?

This is where things get interesting. Who exactly is it who is likely to be sitting there trying to crack our cleverly thought out password?

The answer to this question is, in fact:-
Your password is most likely to get hacked by a computer – not a person.

The line above is the most important line in this blog post.

It’s so important I think i need to say it again:-

Your password is most likely to get hacked by a computer – not a person.

What? Why? How am I going to get hacked by a computer?

These days, everyone is on the Internet and the personal data for the average person will not warrant someone targeting you personally to get access to your Facebook account. It’s not going to be someone installing a camera in your house to watch you type it in. It’s unlikely to be someone cracking your Wi-Fi. Instead, what happens is that hackers target websites and the servers that run them… and then steal all the usernames and passwords stored there.

Consider Yahoo! (just for example.) Yahoo! has millions of users and all these users have a ‘username’ and ‘password’. These are all stored on a bunch of servers owned by Yahoo! somewhere. What if Yahoo! servers were to get hacked and and a hacker got hold of this file? The hacker would potentially have the log-in details for everyone who used Yahoo!

Potentially Hacked? Isn’t my password going to be protected on the Server?

This is the bit where computers come in. Hopefully the hacked server did have the password protected – stored in an ‘encrypted’ form – that is, scrambled up (in what are called “hashes”) so it can’t be seen. But – without getting technical – i is still possible for another computer to go through every password in the list, in scrambled form and run ‘guesses’ on the scrambled forms until the password is found. Bing!

This type of attack uses a “dictionary” of passwords – a list of things to try, or simply tries every single combination of letters up to a certain number (say, 8 letters). The hacker installs this big “password dictionary” his computer and says “try all these different things on that list of stolen passwords.” He then goes to bed and wakes up the next day to find his computer looking smug – having identified 90% of the passwords. It probably found some of them in mere seconds.

These password dictionaries can hold literally millions of ‘words’ – and you can bet you that virtually everything you would consider a safe combination is on there:-

  • password is probably first
  • Password is probably second
  • Password1 might be third
  • And so on. Millions of them.

    So, you see, a password must be able to resist being hacked by a computer – that can perform squillions of password guesses every second.

    And I bet you your current password is in at least one hacker password dictionary right now.

    OK – Before we go any further – we need to carry on with our story – what could happen once a hacker has gotten hold of your username and password combination.

    But it gets worse.

    So, what happens now? Well, consider this, step by step:-

  • Maybe you had a Yahoo! account (again, just for example) and you’ve not used it for ages. They get hacked and a hacker manages to get access to all the usernames and passwords.
  • What if that username was your e-mail address?
  • The hacker tries that username and password combination on another account – say – your facebook account
  • What happens if you have used that same password for both Yahoo! and Facebook?
  • Boom. Your facebook has been hacked!
  • Suddenly, you start getting calls from friends asking “why have you unfriended me” or, more likely “why are you asking me for money on facebook”? You log in to find that someone has been going to every one of your friends, asking for money – pretending to be you.

    So this is why you should never re-use passwords – if you can re-use them – so can a hacker.

    So what can you do?

    Well, for mere mortals there are few good systems. Frankly I think the whole “need new log-in for everything” has gotten crazy – really crazy. I think I probably have at least 100. Every time i change energy supplier or car insurer i have to create and remember a new one! It’s just not feasible to try and remember lots and lots of different ones.

    Any suggestion I make below IS going to require some level of faff on your part to put into practice, but hopefully you can see from the example above how important it is. It’s happened to me – my Facebook got hacked after I re-used a password which was stored in a long forgotten internet forum somewhere. Luckily my Trusty Friends quickly got in touch to say “dude – looks like you’ve been hacked!”

    Recommendation

    So, let’s look at some of the things we can to help make sure we stay safe online.

    As a minimum

    You should use a password that a computer is unlikely to be able to guess. There is much geeky science to creating and using passwords. The advice here represents level of compromise – really you should have a passwords which are truly random – but this is likely to make itimpossible for you to remember -£HeCv5k*f^3B3!H for example.

    The things to know are:-

  • Most importantly it should be very long. The longer the better, as the longer it is the harder it is for a computer to guess. 16-20 letters is probably reasonable
  • After that, it should meet whatever criteria the website has set – eg, uppercase letters, special characters (eg, $^£%&£) etc.
  • It should be memorable!! There’s not point in having awesome passwords that you can’t remember.
  • One strategy is to think of a phrase or a journey or something and chain together a bunch of words to get the required length.

    So,

  • hillleftrightchurch might be a journey to work
  • allforoneandonefor!all might be a phrase you like – but edited just in case it ends up in a password dictionary
  • ireallyhatethesmelloftoast! might be another – based on something obscure about you
  • Some say you need to add lots of special characters but that just makes the things harder to remember and harder to type in – especially on a mobile device.

    But this does not solve the problem of trying to remember a whole bunch of passwords. So to help with this consider using a Password Manager.

    Password Managers

    A password manager is a program to store your passwords for websites in. This program you secure with a REALLY GOOD PASSWORD YOU REALLY REALLY HAVE NOT USED ELSEWHERE. There are a bunch of these out there.

    Examplese of these are:-

  • Dashlane
  • Keeper
  • Sticky Password
  • Keepass
  • 1password
  • Some of these allow you to store different types of notes as well as passwords; or to generate hard to crack passwords for you.

    Bare in mind that even these are not foolproof, and there is a risk that they too could get hacked. If you’re really worried about this then just use them to store hints to passwords – especially if you’ve used a system like the one above. “My thoughts on toast” might be enough to jog your memory.

    Register for haveibeenpwned (HIBP)

    Another thing you can do is register your e-mail address with a website called “Have I been Pwned” . This website runs a service which will inform you if a registered e-mail address get’s hacked. So you register, bob@bobcat.com. If bob@bobcat.com appears in a public list of hacked accounts then HIBP sends you an e-mail to let you know. You’ve a chance then to change your password and to make sure you change the password on any other accounts that use the same.

    It’s free (although the site creator does accept donations), and one e-mail I use has 4 separate entries in there- So it works.

    A special note for Parents

    If you’re a parent and you’re still reading this you might also just want to be aware of a relatively recent hack on VTECH, maker of childrens toys.

    The recent hack led VTECH to change their Terms and Conditions. As reported in the article they were change to include the following:-

    “You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties.”

    Which i take to mean “we wash our hands of any responsibility”.Nice. Buyer beware.

    Submit a Comment

    Your email address will not be published. Required fields are marked *

    You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>