How To Keep Your Passwords Safe
As a front-end web developer, student of Google's Codepath course, and a tech connoisseur, I have learned a fair amount about password management and website security. All of us have been guilty of creating terrible passwords and making bad security decisions. Many of us keep the key to the house under that super-secret doormat. Others do not lock their car or house when they are out and about. Our passwords are just as prone to abuse. To be fair, passwords are an absolute nightmare to keep track of. I hope to put some of that nightmare at ease. I will go over:
- Why care about your online passwords being stolen
- How to know if your passwords have been stolen
- How to manage your passwords in a safe and memorable way
- What to do when your passwords are stolen
According to one article, one million passwords are stolen every week, and 81% of those thefts could have been prevented simply by using a stronger password. Once a password is stolen it can be over a year before the compromise is discovered. Developers like me are responsible for following good security practices, such as storing passwords only as salted, slow hashes rather than in plain text, keeping your data private, and following established best practices, but we cannot anticipate and prevent every possible attack. Huge corporations such as Google, Microsoft, Yahoo, Facebook, and Capital One have had millions of accounts exposed despite their best prevention efforts, and they can only do so much to protect someone who chose the password 1234. So yes, you have almost certainly been affected by one of these breaches. I had my Yahoo account stolen.
But why does that even matter?
Why care about your online passwords being stolen
For many of your accounts you may wonder whether they contain any data worth worrying about. Who cares if someone knows the password to my YouTube account? What can they really do with it? The key issues are privacy, authenticity, and service: they may not have your credit card yet, but they know what you are interested in, they can impersonate you and make it look like you are doing some rather evil research, or they can delete your account entirely.
Now that is fairly harmless compared to well…
What if you use that same password for your bank account? Attackers routinely try stolen passwords, and other data about you, against more sensitive accounts. Trying a leaked email and password pair against many other sites is called credential stuffing, and it works precisely because people reuse passwords.
What if one of your security questions asks for your birthday and your birthday is publicly available on the internet?
What if they use your email password to log in and read the two-factor codes or password-reset links sent to that inbox, completing the verification in your place?
They want this data because it lets them steal money, or use your private information to pose as you, whether in a survey or to manipulate someone you know.
How to know if your passwords have been stolen
Many browsers have built-in password managers. One is Google's password manager; if your passwords are stored there, you can check them under Google Account -> Security -> Password Manager -> Go to Password Checkup.
You can use haveibeenpwned.com to determine whether your email address or phone number appeared in a publicly known breach, and its Pwned Passwords service to check whether a password has. The password check never receives your password: the site's API takes only the first five characters of the password's SHA-1 hash and returns every matching hash suffix, so the match is made on your own machine.
If you have not already, take the time to go and change all your passwords. It is worth it. It may not seem to have affected you negatively yet (it probably has and you are just not aware of it), but it is better to take preventive measures now than to have fires to put out later.
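The k-anonymity check described above, written out as an added example (this is not code from the original post or from Have I Been Pwned). It hashes the password locally, keeps only the five-character prefix for the query, and matches the remaining suffix against the returned list. The range response embedded here is a constructed sample in the same `SUFFIX:COUNT` line format the real endpoint uses; its counts and two of its three suffixes are made up, and the `fetch_range` function is included only to show the live query, which the offline demo never calls.

```python
"""Check a password against a Pwned Passwords range response without ever
sending the password or its full hash (k-anonymity: only a 5-hex-char
SHA-1 prefix leaves the machine)."""
import hashlib
import urllib.request

# Constructed sample of a range response for prefix "5BAA6".
# Each line is "<remaining 35 hex chars of a SHA-1>:<times seen in breaches>".
# The middle suffix is the real SHA-1 suffix of the string "password";
# the counts and the other two suffixes are invented for this example.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E61E8C1C0D6F5C4F5E0B1F1B7C6E6D6A1F:1
"""


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into (prefix, suffix).
    Only the 5-char prefix is ever transmitted; the suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Turn the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_response):
    """How many times the password appeared in breaches, per this response.
    0 means the suffix was not in the range (or the response was padded only)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_response).get(suffix, 0)


def fetch_range(prefix):
    """Live query of the real API (not used by the offline demo).
    Note that the URL carries only the 5-character prefix."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_live(password):
    """Full flow against the real service: hash, send prefix, match suffix locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    for candidate in ("password", "batwhistledancesundaysausages"):
        prefix, _ = sha1_prefix_suffix(candidate)
        seen = breach_count(candidate, SAMPLE_RANGE_RESPONSE)
        print(f"{candidate!r}: prefix sent={prefix}, seen in breaches={seen}")
```

If `breach_count` returns anything above zero, treat the password as burned and change it everywhere it was used, even if the count is small.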
How to manage your passwords in a safe and memorable way
There are two good ways to manage your passwords and a plethora of bad ones. Let's name the bad ways first: writing your password down on paper or in a file, using the same password in more than one place, using a simple password, using common phrases, using personal information such as dates, giving out your password, or reusing a password that has already appeared in a breach.
Now that we all feel guilty for having done these (I know I do), let's name the best practices so we can replace the baddies.
The easiest way is to use a password manager. There are many out there, and while they are not all created equal, they have fairly reasonable security measures in place. This does give attackers one place to aim at for all your login data, so protect it with a long master passphrase that you use nowhere else and turn on two-factor authentication for the manager itself; in return you only have to remember that one password. Every other password can be as long and random as you wish, and it will be stored and autocompleted for you. Some managers keep your vault offline; others allow mobile and desktop access. I leave the research and details of that up to you.
If you do not feel comfortable using a password manager, consider using a long string of unrelated words such as batwhistledancesundaysausages. The words mean nothing to other people but form a sentence that is memorable to you. Length is what makes guessing such a passphrase impractical, provided the words are picked at random (dice or a generator, not the names of your pets) and drawn from a large list; five words from a list of a few thousand give far more possibilities than a typical eight-character password. Avoid commonly used words and phrases. For a list of passwords not to use, see rockyou.txt, a leaked list of real passwords that cracking tools try first.
I don't want you to go out there and create a password you will not remember. We have all done it and it gets frustrating quickly. There is a balance between security and usability. These two methods, a long string of unrelated words and a password manager, are meant to simplify this process for you, so find something that suits your needs.
Another great tool is two-factor authentication. Many websites let you confirm your identity with an app or by email. An authenticator app or a hardware security key is the stronger choice; email and SMS codes can be read by anyone who gets into that inbox or hijacks your phone number. Either way it adds real security, because most people keep their phones on them and quickly notice when they do not have them.
Never give your password to anyone whose identity you cannot verify.
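To make the word-list idea concrete, here is an added example (not from the original post) that picks words with the `secrets` module, works out how many guesses a passphrase or a character password can withstand, and screens a candidate against a blocklist in the spirit of rockyou.txt. The sixteen-word list and the five-entry blocklist are constructed stand-ins; a real word list such as the EFF long list has 7776 entries, and the functions take the list size as a parameter so the numbers for a real list come out right.

```python
"""Random passphrase generation and a back-of-the-envelope strength comparison.
Strength is measured in bits: log2 of the number of equally likely possibilities."""
import math
import secrets

# Constructed stand-in for a real wordlist (a real one is thousands of words).
DEMO_WORDLIST = [
    "bat", "whistle", "dance", "sunday", "sausage", "granite", "kettle", "orbit",
    "velvet", "lantern", "pepper", "canyon", "marble", "thistle", "harbor", "quiver",
]

# Constructed stand-in for a leaked-password list such as rockyou.txt.
DEMO_BLOCKLIST = {"123456", "password", "iloveyou", "princess", "sunshine"}

PRINTABLE_ASCII = 95  # size of the usual "letters, digits, symbols" character set


def passphrase_bits(n_words, wordlist_size):
    """Entropy of n words chosen uniformly at random from a list of wordlist_size."""
    return n_words * math.log2(wordlist_size)


def charset_bits(length, charset_size=PRINTABLE_ASCII):
    """Entropy of a random password of the given length over a character set."""
    return length * math.log2(charset_size)


def words_needed(target_bits, wordlist_size):
    """Smallest word count that reaches target_bits with the given list size."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist, n_words=5, separator="-"):
    """Pick words with a CSPRNG; secrets.choice never reuses state like random()."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def is_blocklisted(password, blocklist):
    """Reject anything that appears in a leaked-password list, case-insensitively."""
    return password.lower() in {p.lower() for p in blocklist}


def compare_strength(n_words, wordlist_size, password_length):
    """Return both entropy figures so the trade-off is visible side by side."""
    return {
        "passphrase_bits": round(passphrase_bits(n_words, wordlist_size), 1),
        "password_bits": round(charset_bits(password_length), 1),
    }


if __name__ == "__main__":
    phrase = generate_passphrase(DEMO_WORDLIST)
    print("generated:", phrase)
    print("5 words from a 7776-word list vs 8 random printable chars:",
          compare_strength(5, 7776, 8))
    print("words needed for 64 bits from 7776-word list:", words_needed(64, 7776))
    print("words needed for 64 bits from the 16-word demo list:", words_needed(64, 16))
    print("'Password' blocklisted?", is_blocklisted("Password", DEMO_BLOCKLIST))
```

The two `words_needed` calls show why the list size matters: five words from a real list clear 64 bits, while the tiny demo list would need sixteen. The bit figures assume the words were chosen uniformly at random; a phrase you composed yourself is worth far less because attackers try common word combinations first.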
What to do when your passwords are stolen
Let your friends know about the breach so that they are not fooled by someone pretending to be you on your account.
Update your password, make sure you do not reuse it anywhere else, and sign out of all active sessions so the attacker's session is closed. Also check that the recovery email and phone number on the account are still yours.
Inform the relevant institution so they can watch for suspicious activity on your account.
For more information on security, research whichever of these topics is most relevant to you:
- How Hackers Really Crack Your Passwords (YouTube)
- Password Cracking, Computerphile (YouTube)
- Social Engineering
- Cross Site Scripting
- Free online hacking tools
- Rainbow table
- Dictionary attack
- OWASP Top security vulnerabilities