Chances are that you or someone you know has had an account hacked. But do you know how the cyber attacker broke through? In order to truly understand how to protect yourself, you need to understand how personal security breaches occur.
In the movies, cyber attackers shuffle through papers and photos for clues, guessing passwords until they pick the right combination and are granted access.
That is not how it happens in real life.
Cyber attackers use tools to automate the process, then conduct mass attacks across the Internet. These tools use dictionaries, lists of common words or passwords, and then try each one in succession. The name of your dog and birthday don’t come into play during an automated attack, and therefore don’t matter.
Yet there are steps you can take to help keep your accounts from being breached. Follow these eight steps to create strong passwords and protect your accounts:
1. The longer the password, the better.
This is the most effective solution to strengthening your accounts. Unfortunately, this is also one of the most commonly limiting factors as many sites don’t support long enough passwords. This could be because site designers don't properly understand password security, or they are limited by some back-end systems. Many sites require at least one number, letter and special character, then limit the length to 8 characters. A better password is something that is more than a word or two words combined together, or ideally a sentence that is at least 15 characters in length. You can easily start better protection today by updating simple passwords to a longer passphrase. This becomes harder to crack for automated tools because the combination of characters has increased greatly. But in the event that a longer password is something simple, it could still present a problem.
2. Stay away from “password” and “123456.”
SplashData recently published their findings for the top 25 worst Passwords of 2013 based on the password breaches that occurred over the year. In a small twist, "123456" has taken the number one spot away from "password." If your password is on this list, it would be best to update it to a more secure password immediately.
3. Don’t use the same password across multiple sites.
A big concern many users have is trying to remember a different password for all of their applications or web sites. This usually leads to re-using passwords across multiple sites, which is a bad practice as it makes your accounts easier to breach. Vary passwords across site logins to strengthen account security.
4. Don’t use the same username across multiple sites.
Many sites don’t even consider a username as sensitive information, but it is a necessary component to successfully break into an account. Vary your username with your site logins to build further armor against attackers. For sites that require the user to login with an email address as their username, it can be possible to set up different email aliases to vary the username per site. It is common for many banking sites to allow the creation of a username that isn’t an email address. We recommend creating specific usernames for these accounts that don’t overlap with other accounts.
5. Use a password manager.
A password manager is an application that helps manage your passwords and login info for your site memberships, as well as secret security questions for the “forgot password” screen. Many of them allow syncing between devices, and storing all the data on their servers on the Internet. Carefully research the different password managers before choosing one. Have there been any issues with the password manager safely storing passwords both locally and on the Internet? Properly implemented password managers are safer to use when saving to the Internet. While I don’t endorse any specific Password Manager, I personally use SplashID from SplashData. There are many other ones out there like LastPass and Security Everywhere. The key is finding a password manager that aligns with your devices and specific needs.
6. Know that swapping numbers and characters for letters doesn’t help.
Another common belief is that substituting numbers or symbols for letters in words will make accounts more difficult to crack. Since attackers use sophisticated automated tools to hack accounts, the systems are able to swap potential characters. When password length is limited, rather than trying to use common words that use substitution, try to choose values that do not sound like words, or look like anything that would be found in a dictionary (t1i2m3e4 is not as strong as Gu83fv1Z). Another option is to create a sentence you will remember, then use the first letter of every word in the sentence. It is also good to keep up with common passwords being used so you stay away from those as well.
7. Enable multi-factor authentication where possible.
Many sites now offer multi-factor authentication. A great example is the Google Authenticator App, where you enter your normal login information, then a unique code that changes every minute. The code is delivered via the Google Authenticator App installed on your mobile device. Gmail, Wordpress and Dreamhost offer the Google Authenticator App. This additional security feature does not mean you can choose weaker passwords, but is an extra line of defense if passwords are stolen.
8. If your account is hacked, change the password immediately.
It is often difficult to know your account has been hacked until something alerts you. For example, your contacts may start receiving malicious emails from your email account, or when you try to log in you find the password has been changed. Some systems will show you a login history, including the IP address, so you can verify no one else has logged into your account. If you discover that you have had a password compromised, immediately change the password to stop any attackers from accessing that account.