How many online accounts do you have? Think about it. REALLY think about it. Do you know for sure everywhere you’ve ever created an account and have entrusted someone with your data?
In this article, I’m going to go over some basic concepts about accounts and passwords that I believe you should be familiar with before attempting to organize all of your accounts.
Concept #1 — Passwords suck.
This may seem like a bold proclamation or an extremely hot take, but it really isn’t. Passwords really do suck. Humans are not great at remembering things, so it’s only natural for us to look for shortcuts. For passwords, we use keyboard patterns (do any of you use ‘qazwsx123!@#’ as a password?) and phrases and sequences that are easy for us to remember (birthdays, addresses, etc.). We typically create passwords that are JUST long enough to get past a website’s minimum requirements, and then reuse that password across multiple websites and services. Password-cracking tools try exactly these shortcuts first (dictionary words, keyboard walks, dates, common substitutions), so a password built from them can be guessed or cracked far faster than its length would suggest.
Concept #2 — Security Questions are (somehow) even worse.
Have you ever felt secure knowing that even if an attacker guessed your username and password, they still couldn’t get into your account because your bank asks a security question? Unless you made up your answer, you shouldn’t feel safe. The answers to many commonly asked questions can be found with an online search or simply guessed, so treat them like passwords: invent an answer and keep a record of it somewhere safe.
For example, how many of you have “the name of your high school” on your Facebook page? Is your “mother’s maiden name” listed on her Facebook page, or can it be found on a graduation class Facebook page? The question asking for your “favorite color” could probably be guessed in 4–5 guesses (unless you’re one of those ‘firetruck red’ or ‘seafoam green’ fans).
Concept #3 — Reusing passwords across different websites is a huge mistake.
Being human, we sometimes take the easy way out when creating accounts. Your Twitter account may share a password with your email and banking accounts. But if Twitter is breached and user credentials are stolen, one of the first things an attacker will do is try your username and password combination on other popular sites (Gmail, Facebook, financial institutions, etc.), a technique known as credential stuffing. Every account where the password matches is now theirs, along with your personal data: photographs, private conversations, bank account numbers. That information can then be posted somewhere or used as leverage against you for something else.
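To make Concepts #1 and #3 concrete, here is an added example (not code from the original article) that audits a list of account passwords for the shortcuts described above: keyboard walks such as ‘qazwsx123!@#’, embedded years, passwords that are too short, and the same password reused across sites. It also generates the kind of unique random replacement a password manager would produce. The `SAMPLE_ACCOUNTS` list is constructed data, not anyone’s real credentials, and the `keyboard_walk_fraction` heuristic (runs of three or more physically adjacent keys on a US QWERTY layout) is this example’s own, not a standard from any tool.

```python
# Added example (not from the original article): audit a set of account
# passwords for keyboard walks, embedded years, short length and reuse across
# sites, then generate the kind of unique random replacement a password
# manager would make. SAMPLE_ACCOUNTS is constructed data, not real credentials.
import hashlib
import re
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Rows of a US QWERTY keyboard (unshifted and shifted number row) and columns
# read top to bottom ("1qaz", "2wsx", ...). Adjacent-key runs along any of
# these are what "qazwsx123!@#" is made of. (Heuristic chosen for this example.)
QWERTY_SEQUENCES = [
    "1234567890", "!@#$%^&*()", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p",
]
# Walks in either direction count.
QWERTY_SEQUENCES += [s[::-1] for s in QWERTY_SEQUENCES]


def keyboard_walk_fraction(password: str) -> float:
    """Fraction of the password covered by runs of 3+ physically adjacent keys."""
    p = password.lower()
    if not p:
        return 0.0
    covered = [False] * len(p)
    for seq in QWERTY_SEQUENCES:
        for length in range(len(seq), 2, -1):          # longest runs first
            for start in range(len(seq) - length + 1):
                run = seq[start:start + length]
                idx = p.find(run)
                while idx != -1:
                    for i in range(idx, idx + length):
                        covered[i] = True
                    idx = p.find(run, idx + 1)
    return sum(covered) / len(p)


def audit(accounts: Dict[str, str], min_length: int = 12) -> Dict[str, List[str]]:
    """Return {site: [findings]} for every account whose password is weak or reused."""
    findings: Dict[str, List[str]] = defaultdict(list)
    # Group sites by a hash of the password so the report never echoes a secret.
    by_password: Dict[str, List[str]] = defaultdict(list)
    for site, pw in accounts.items():
        by_password[hashlib.sha256(pw.encode()).hexdigest()].append(site)
    for sites in by_password.values():
        for site in sites:
            others = sorted(s for s in sites if s != site)
            if others:
                findings[site].append("reused on " + ", ".join(others))
    for site, pw in accounts.items():
        if len(pw) < min_length:
            findings[site].append(f"short ({len(pw)} < {min_length})")
        if keyboard_walk_fraction(pw) >= 0.5:
            findings[site].append("keyboard walk")
        if re.search(r"(19|20)\d\d", pw):
            findings[site].append("contains a year")
    return dict(findings)


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24) -> str:
    """A random password from the OS CSPRNG, one per site, as a manager would make."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


SAMPLE_ACCOUNTS = {            # constructed sample data
    "twitter": "qazwsx123!@#",
    "email": "qazwsx123!@#",
    "bank": "Summer2019",
    "forum": "Vg7$kq2!mNp9Lw#eRt4&Zx1Q",
}

if __name__ == "__main__":
    for site, issues in sorted(audit(SAMPLE_ACCOUNTS).items()):
        print(f"{site}: {'; '.join(issues)}")
    print("suggested replacement:", generate_password())
```

Run it and the two accounts sharing ‘qazwsx123!@#’ are flagged for reuse and as a keyboard walk, the bank password is flagged as short and as containing a year, and the long random ‘forum’ password passes clean. The report groups by a hash of the password rather than the password itself so that the output can be shared without leaking a secret.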
Concept #4 — Really Consider using a Password Manager*
I fought like hell against using a Password Manager for years until the good folks on the ‘Security Now’ podcast got me to use LastPass. The problem with Password Managers is that you really need to plan it out, because if you get locked out of your Password Manager, you’ll have a difficult time getting back in (which is kind of good, as you don’t want anyone besides you in there anyway!).
The idea behind Password Managers is that you only need to remember one *strong* password. Seriously. When you create a LastPass account, a ‘vault’ is established: every username and password you add is encrypted with a key derived from that one master password and stored there. The beauty of this is that you can now create extremely long, complex passwords that are unique to each website, and you never have to remember any of them. As a web browser extension, LastPass recognizes when you browse to a saved website and offers to fill in your credentials automatically. Because the extension matches on the site’s address, it also will not offer your bank password to a look-alike phishing page.
I have LastPass as an extension in my web browsers, as a smartphone app, and can also access my information from anywhere by browsing to LastPass’s website. Each of the 30+ websites I have accounts with has a long, complex password of over 20 characters, and I only need to remember the password to LastPass.
*Please use caution when using a Password Manager. If you forget that password, you may not be able to retrieve your data.
Concept #5 — Multifactor Authentication is (typically) good*.
Currently, there are three possible ‘factors’ that can be used to prove who you are when logging in to an account:
- Something you know — A password, PIN, or security-question answer that you are capable of remembering.
- Something you have — A token (a smartphone authenticator app, a physical token device, a hardware security key, etc.) that generates or holds a secondary code, often one that changes every 30 or 60 seconds.
- Something you are — Biometrics. This could be a fingerprint, iris scan, or voice recognition.
Multifactor Authentication (MFA) is a concept in which you combine two or more of the above three categories. This means that even if an attacker obtained your username and password, it would be extremely difficult to access your account without also having the thing you have or being the person you are. Note that two items from the same category (a password plus a security question, for example) are still a single factor.
I could write an entire article about MFA and why it is so great, and perhaps I will at a later date. If you’re using a service that offers MFA, take advantage of this! Amazon, Facebook, Twitter, Google, and many financial services all offer MFA!
*If possible, use a physical security key or a smartphone authenticator app rather than text-message (SMS) codes. SMS codes are still far better than no second factor, but the National Institute of Standards and Technology (NIST) has moved its authentication guidelines (SP 800-63B) away from SMS, classifying one-time codes sent over the phone network as ‘restricted’ because they can be intercepted or redirected (for example, by SIM swapping).
Consider becoming familiar with account best practices. Online breaches are becoming more common, and your data could be at risk. These are just a few of the concepts I consider to be the most critical when thinking about account security. In the future, I’ll write an article that demonstrates how passwords can be cracked and used against you without your knowledge or consent.
Please use caution when following the above suggestions, because I do not take responsibility for anything that may go wrong.
Feel free to provide feedback, suggestions, or hate mail — daniel.battisto(at)protonmail(dot)com