How to Manage Your Credentials Like an Expert in 8 Easy-to-Follow Steps

Heimdal Security, published in Healthy paranoia
Aug 21, 2015 (9 min read)

Just like a nagging mother, security experts always remind you that you’re most likely not managing your passwords properly. And just like your mother’s advice, you know they’re right, but don’t have the time or patience to put their recommendations into practice.

It’s difficult to change your online habits, especially for something as mundane as passwords. But the thing is, cyber security experts aren’t going on and on about passwords because they don’t have anything better to do. Let me put it this way:

  • Weak passwords accounted for 31% of security breaches in 2013
  • 55% of Internet users use the same password for most, if not all, websites
  • Cyber criminals’ use of brute-force login attempts tripled in 2013, and they collected almost 9 billion credentials (username and password pairs) as a result of these attacks
  • The top 5 passwords used are: 123456, 123456789, 1234, password and 12345678 (according to this study)
  • Combined, the 15 most used passwords make up 3% of all the passwords analyzed in that study. Now, just how difficult do you think it is to break those? Exactly!

We could go on with statistics such as these for a while, but that is not the point here (and, if you’re interested, you can check out this business password analysis). The point is to give you a hassle-free method to manage your passwords safely and conveniently. You may need to invest some time, but it’s better to do so than regret later.

Here’s what I mean by that:

The 7 deadly sins of password management

1. You shall not keep your passwords in a text file, spreadsheet, note or any other unprotected document. Why? Because it can be stolen, corrupted, deleted or, worse, retrieved by cyber criminals.

2. You shall not use the default password sent to you by a service provider.

3. You shall not use one of the shamefully weak passwords from the top 15 list of the study cited above (123456, 123456789, 1234, password and 12345678 lead it).

4. You shall not use words that can be found in a dictionary or that are common phrases.

5. You shall not use passwords that include your birth date or other information that’s easily available online.

6. You shall not use the same password without changing it for a long period of time.

7. You shall not use the same password twice. This is a big one! Seriously.

Now that you know what to avoid, let’s see how you can implement a better system that, once in place, can protect you from cyber criminals. Remember: they have aaaaall daaaaay long to crack your passwords and they use advanced algorithms that can “try tens of millions of possible password combinations per second” (via Krebs on security). Are you sure you want to take your chances with those risks?

How cyber criminals try to break your passwords

But what are the risks, exactly?

Here are some of the methods that cyber criminals use to break your passwords and get access to your private information (banking account, social security number, confidential work documents, etc.):

Phishing — is a method that cyber criminals use to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by posing as a trustworthy entity in emails or other means of electronic communication.

So if you ever receive an email like that, one that urges you to log in or confirm your details through a link it provides:

DON’T CLICK ON IT! Mark it as spam and make sure you never click on the links inside it. If you think the message might be genuine, open the service by typing its address into your browser yourself.

Brute-force attacks — the attacker systematically tries possible passwords until one works. Against a live login page this is slow and usually rate limited, so the dangerous version is the offline one: once a site’s database of password hashes has been stolen, cracking software can test tens of millions of guesses per second (far more on GPUs), starting with the most common passwords, dictionary words and keyboard patterns before falling back to exhaustive search. Short or predictable passwords fall in seconds; long random ones do not.

Database hacking — if a cyber criminal gains access to a company’s user database that contains the credentials of thousands or millions of customers, and you’re one of those customers, then you could be exposed as well. How badly depends on how the company stored the passwords (in plain text, with a fast unsalted hash, or with a slow salted hash). And because so many people reuse passwords, the stolen username and password pairs are then tried on other sites too (credential stuffing). Dozens of attacks such as these have made the headlines in the past two years, and they just seem to keep on coming.

Keylogging (also called keystroke logging) — is a method that cyber criminals use to record (or log) the keys struck on a keyboard in order to acquire confidential information about the user. This is usually done in a concealed manner, so that the person using the keyboard won’t know that their actions are being monitored. So if you’re typing your online banking account password into your computer, and there’s a keylogger installed in your system, the cyber criminals behind this attack will easily retrieve your credentials.

Social engineering — is one of the most commonly used methods of cyber hacking, which requires little to no technology and relies on psychological manipulation. The victim is persuaded to perform certain actions or divulge confidential information, among which are usually passwords to confidential data.

Of course, malware such as spyware and adware, malvertising, network attacks such as man-in-the-middle interception, or different types of viruses can also endanger your passwords, as most cyber attacks have a component that aims to capture your credentials.

A look at 2014’s biggest data breaches will give you an idea about the impact and consequences of such an attack. No matter how big and secure a company might seem — and Google, eBay, Yahoo and Apple certainly fall into that category — there is still a chance that cyber criminals will find a way to infiltrate.

So now let’s get to the fun part, where you do a spring cleaning of sorts and change your passwords while going through your accounts.

How to create a good password

Step 1. Use a password generator to create long, complex passwords. The generator built into your password manager is the easiest choice; you can also use some of the options listed here or come up with one yourself, as long as it draws from a cryptographically secure random source rather than your own imagination. Just make sure to follow step 2.

Step 2. Make sure to use a combination of words, numbers, symbols, and both upper- and lower-case letters, without using adjacent keyboard combinations (such as “qwerty” or “12345678”). Aim for length first: every extra character multiplies the work a brute-force attacker has to do.

Step 3. Set extra strong passwords for those accounts that are crucial to you (email accounts, social media accounts, online banking accounts, etc.) and make it memorable, so you can use it anytime you’d like. Don’t forget to apply step 2 when doing it. It’ll be good exercise for your memory as well.

There are more tips in this material that can come in handy as well.

Step 4. Test your passwords’ strength using howsecureismypassword.net. This could give you an idea of how dreadfully unsafe your old passwords were and give you a bit of comfort to know that you’re doing the right thing by taking the time to update your credentials. One caveat: never type a password you actually use into a third-party website. Test one built the same way (same length, same mix of characters) instead, and treat the result as a rough estimate of resistance to brute force, not a guarantee.
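To make the brute-force arithmetic from the attack section and the four steps above concrete, here is an added Python example (not code from the original article or from Heimdal). It generates a password from a cryptographically secure random source, checks a password against the article’s rules, and estimates how long exhaustive search would take at the “tens of millions of guesses per second” rate the article quotes. The weak-password, dictionary and keyboard-run lists are small constructed samples standing in for a real cracking wordlist, and the 10,000,000 guesses/second figure is an assumption taken from the article’s quote.

```python
import math
import secrets
import string

# Constructed sample lists for the checks below: the article's top-5 plus a few
# dictionary words and keyboard runs stand in for a real cracking wordlist.
TOP_PASSWORDS = {"123456", "123456789", "1234", "password", "12345678"}
SAMPLE_DICTIONARY = ("password", "welcome", "letmein", "dragon", "monkey")
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "1234", "abcd")

CHARACTER_CLASSES = (
    ("lowercase", string.ascii_lowercase),
    ("uppercase", string.ascii_uppercase),
    ("digits", string.digits),
    ("symbols", string.punctuation),
)
FULL_ALPHABET = "".join(cls for _, cls in CHARACTER_CLASSES)  # 94 printable symbols

# Assumed offline guessing rate, taken from the figure the article quotes.
GUESSES_PER_SECOND = 10_000_000


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Draw every character independently from a CSPRNG (secrets, not random).

    Rejection sampling keeps the result uniform over the accepted strings while
    guaranteeing that every character class present in `alphabet` appears.
    """
    required = [cls for _, cls in CHARACTER_CLASSES if any(c in alphabet for c in cls)]
    if length < len(required):
        raise ValueError("length too short to cover every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in required):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def crack_time_seconds(length: int, alphabet_size: int,
                       guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Seconds to exhaust the whole keyspace at the given guessing rate.

    Worst case for the attacker (on average half suffices), and only valid for
    uniformly random passwords: human-chosen ones fall to wordlists long before.
    """
    return alphabet_size ** length / guesses_per_second


def format_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits, e.g. '5.8 hours'."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def weak_password_reasons(password: str) -> list:
    """Return the article's rules that `password` breaks (empty list = none found)."""
    reasons = []
    lowered = password.lower()
    if lowered in TOP_PASSWORDS:
        reasons.append("one of the most-used passwords")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    for run in KEYBOARD_RUNS:
        if run in lowered:
            reasons.append(f"contains keyboard run {run!r}")
            break
    for word in SAMPLE_DICTIONARY:
        if word in lowered:
            reasons.append(f"contains dictionary word {word!r}")
            break
    missing = [name for name, cls in CHARACTER_CLASSES
               if not any(c in cls for c in password)]
    if missing:
        reasons.append("missing " + ", ".join(missing))
    return reasons


if __name__ == "__main__":
    for pw in ("123456", "Summer2015", generate_password(20)):
        print(f"{pw!r}: {weak_password_reasons(pw) or 'no obvious weaknesses'}")
    # Exhaustive search at the assumed rate: 8 lowercase letters vs 20 mixed characters.
    for length, size in ((8, 26), (20, len(FULL_ALPHABET))):
        print(f"{length} chars from {size} symbols: {entropy_bits(length, size):.1f} bits, "
              f"{format_duration(crack_time_seconds(length, size))} to exhaust")
```

Eight lowercase letters are exhausted in a few hours at the quoted rate, while twenty characters from the full printable set take longer than the age of the universe. The estimate only holds for random passwords; a memorable word with a year appended is found by a wordlist run in seconds regardless of its apparent keyspace.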

So, you have your new, long and complex passwords. But you have over 150, maybe even 200 accounts. What now? Well, now comes the part where you get to learn…

How to safely store your passwords

Step 1. The rule of thumb you’ll hear and read across the web is to use a password manager. The reason for such a choice is simple: you’ll only have to remember one, strong master password, every other password can be long and unique, and because the manager fills them in for you, you type them far less often, which limits what a keylogger or other credential-sniffing tool can capture. (The master password is the exception, so keep the device it is typed on clean and patched.)

Step 2. If you want to go the extra mile, you can even consider using more than one password manager application, thus lowering the potential damage if one password-storing service gets compromised (that’s a possibility too). Don’t put all your eggs in one basket, as they say.

When it comes to password managers, you can choose from various paid options or go for the free services. No matter what you choose, make sure to make a habit of storing your passwords there and using these apps across all of your devices.

You might argue that these apps and services are prone to vulnerabilities as well, and that’s very true, but it’s much better than using the same password for every service you use. Plus, password security is their business, so rest assured that they know a thing or two about information security. Prefer a manager that encrypts the vault on your device with a key derived from your master password, so that the service itself never sees your passwords in clear.

Step 3. Where it’s available, two-factor authentication is another great safeguard against cyber attacks: a stolen or guessed password is no longer enough on its own. Using this option is especially important when it comes to the critical accounts we talked about earlier. Prefer an authenticator app or a hardware key over codes sent by SMS, which can be intercepted or redirected. Here’s a comprehensive list of services that offer this option.

Step 4. Be especially careful with the passwords you use for logging into financial services, such as your online banking account. Let your password manager fill them in rather than typing them, and layer your protections (two-factor authentication, an up-to-date browser, a machine free of malware) against cyber criminals who are after your money (even if you don’t have millions in the bank, trust me, they’re still after it).

You actually have plenty of free options to protect your computer — this list of 13 free PC security hacks to build your online protection could come in very handy.

Step 5. Make sure that, when you log into an especially important account, the website protects the connection with HTTPS.

HTTPS is a communications protocol for secure communication over a computer network. Its value comes from the fact that it encrypts the traffic in both directions between you and the server, which protects you against eavesdropping, and that it authenticates the server, so your browser can tell it is talking to the site named in the address bar and not to someone in between.

If a website you’re visiting does not have HTTPS enabled, you’d better double check its safety and see if you’re sure you want to enter your credentials there. Additionally, you might not want to store your credit card details in that account either. And remember that the padlock only says the connection is encrypted to whoever owns that domain: a phishing site can have HTTPS too, so check that the domain itself is the one you expect.

Step 6. Keep your browser and vulnerable software updated. Every time you don’t have time to perform an update for one of your browsers or for software such as Java, Adobe Reader or Adobe Flash, a cyber criminal is taking advantage of a flaw left uncorrected. Updates are not only used to deliver better functionality, but security patches as well.

Left unpatched, your software could expose you to serious cyber attacks, such as zero-day attacks, which are downright vicious. Automatic patching could be your safeguard here, though, because you don’t have to do the whole thing manually. Instead, an option such as Heimdal Free could do the updating for you, silently and automatically.

Step 7. Change your passwords when there is a reason to: when a service you use reports a breach, when you suspect a device was infected, or when you have shared the password with someone. Current guidance (NIST SP 800-63B) no longer recommends changing strong, unique passwords on a fixed schedule, because forced rotation tends to produce weaker, predictable variations. By putting together this routine and applying it consistently, you’ll discover a new way of keeping safe online, which will give you peace of mind and a sense of comfort.

Step 8. Don’t compromise yourself. Sometimes, human error is the biggest liability in our data’s security, so keep paying attention to how you share passwords. When you’re delegating work, going on vacation or sick leave, giving access to business partners, or even when a colleague asks you for a password, choose the safe way to do it.

You can share passwords safely through a password management service and some apps even define levels of access (which are pretty common nowadays), so take full advantage of those options.

And also be aware of the people around you. Someone might just look over your shoulder and check out your password. Be mindful of your surroundings, both when you’re online and offline.

Conclusion

Passwords will be around for a while, that’s for sure. Until biometric technology or some other groundbreaking innovation takes over, we will still rely on this method of authentication.

So we make it our mission to protect you and what’s important to you in an era where the offline and the online world are deeply intertwined.

To end things on a funny, but educative note, here’s Edward Snowden talking about password security with John Oliver. It’s a 3 minute video that could, perhaps, talk you into making some changes, if I haven’t managed to persuade you until this point.

Originally published at heimdalsecurity.com on April 21, 2015.
