Guide to Safe Passwords

Our online accounts – social media, personal letters, medical records, bank accounts and more – need to be protected from hackers and theft, and your best defence is your password.

As long as someone can’t log into your account, they can’t read your email or transfer money out of your bank account.

If your password or PIN is captured, guessed or stolen, an attacker can potentially:

  • Withdraw money from your bank accounts
  • Change files on your computer
  • Install viruses & malware on your device
  • Send emails from your accounts
  • Pretend to be you and perform financial or account actions that could be disastrous for you.

Passwords should be strong, diverse, and multi-factor

  • Use passwords that are strong and different for each site
  • At least 10 characters long
  • A mix of upper and lower case letters, numbers and other symbols.
  • Use a password manager, or a written address book, to keep track of them
  • Set long, random answers for security questions & keep a record of them (even if they’re not the truth).
  • Use two-factor authentication on any site that supports it.
  • Change your passwords regularly and NEVER share them

Following these steps takes some discipline and will sometimes make logging in harder. However, in today’s internet, where thousands of passwords are stolen every day and accounts are traded on the black market, some inconvenience is worth it to keep your identity, money and online life safe.

So when you ask how secure your account is, you’re really asking how safe your password is.

And that means you have to think about all the different ways an attacker could get hold of your account’s password:

  • Seeing you use it with an unencrypted website
  • Guessing it
  • Stealing a file that has your password in it
  • Using password recovery to reset it
  • Tricking you into giving it to them

How do Hackers get Passwords?

A common technique hackers use to get passwords is a phishing page: the hacker sends you a link to a login page for Gmail or Facebook, for example, that looks exactly the same as the real Gmail or Facebook login page.

Most of the time they combine it with social engineering tricks, such as a message saying “This person has posted a bad picture of you on Facebook, click here to check your photo”. When you click the link, you are taken to the fake login page, which looks exactly like the real one.

As soon as you enter your password, it is sent to the hacker. If you’ve used that password on other accounts, those can be targeted by the hacker as well.

How should we protect our passwords and logins?

Use random passwords, and use a different password for every site. The secret is a whole lot of randomness. When criminals try to guess passwords they use automated software that can try thousands of passwords per minute. The longer and more random your password is, the less likely it is that these guessing techniques will find it.

Make passwords easy to remember

Think of a pass phrase and then change some of the characters to make it a strong password.

For example:

'June School Holidays' can be modified to 7un3Schoo1Ho!id@ys

'I like Australian red wine' can be modified to 1like0zzieR3dw1ne

'Be good, be wise' can be modified to B3g00db3wi5e$

Make your answers to security questions just as strong as your passwords – try to avoid generic questions such as ‘Your mother’s maiden name’ or ‘Your niece’s name’.

Try to make up your own security questions where possible. What's important is that you remember the answer (DON'T FORGET to keep a record of the questions and answers). It’s OK to lie here!

For example: My daughter’s maiden name is “Slighoople”

Add “two-factor authentication” to the login process wherever you can – this uses a code sent to your mobile phone that you must enter to log in. That means even if an attacker has your password, they can’t log in to your account unless they also have your phone. (And vice versa – if your phone is stolen, the thief can’t log in unless they also get your password.)

Pay attention to the browser’s security signals, and be suspicious – use encrypted websites, whose addresses start with https:// rather than http://

Use a password manager on your PC, smartphone or tablet.

It will generate and remember super secure passwords for you, and some will sync between your devices. Remember there is a downside: if the password manager is breached, all your information is accessible. However, all reputable password managers encrypt their databases with a “master password”. The master password is safer from theft than normal passwords, because it never gets sent to a server (it is only used on your computer to encrypt the database), so an attacker has to break into your computer in particular, rather than a server where they can harvest millions of accounts.

Do not include:

  • Recognisable words or names, in any language
  • Repeated characters
  • Personal information
  • Anything you have previously used.

Going old school: just keep your written passwords in a safe place!

An address book is a good way to keep track of your passwords – keep the book in a secure location and guard it well.

For example:

Under Y, you could enter: me@yahoo.com.au, your username, password and security questions and answers. Write the date you created the password; then, when you change the password next time, add the new date and password.

Tip – use pencil for your passwords, then you can easily erase them and add the new one when updating.

Using strong passwords lowers the overall risk of a security breach, but strong passwords do not replace the need for other effective security controls.

Maintain password and PIN hygiene to keep them safe

  • Don't use the same password for multiple services or websites.
  • Don't share your passwords with anyone.
  • Don't provide your password in response to a phone call or email, regardless of how legitimate it might seem.
  • Don't provide your password to a website you have accessed by following a link in an email – it may be a phishing trap.
  • Be cautious about using password-protected services on a public computer, or over a public Wi-Fi hotspot – see our post on free public Wi-Fi.
  • Change your passwords regularly, at least every three to twelve months. If you think your password may have been compromised, change it immediately and check for any unauthorised activity. If the same compromised password has been used on another site, create a new password there as well (another example of why you should use different passwords for different accounts and logins).

Treat PINs in the same way you would a password

  • Don't use obvious patterns like 1234, 4321 or 7777.
  • Don't use postcodes, birthdays, house numbers or other significant dates and numbers.
  • PINs should be a random mix of numbers, letters and characters.
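The password rules given earlier (length, character mix, no repeated characters, recognisable words, personal information or reuse) and the PIN rules in this section can be checked mechanically. The Python checker below is an added example, not part of the original guide; its small word list and the "significant numbers" argument are constructed stand-ins for a real dictionary and for your own postcode or birthday.

```python
import re
import string

# Rules are the guide's own: at least 10 characters; upper and lower case
# letters, digits and symbols; no repeated characters (runs of three or more
# here, so the guide's own "00" example still passes); no recognisable words;
# no personal information; nothing previously used. COMMON_WORDS is a tiny
# constructed sample standing in for a real dictionary.
MIN_LENGTH = 10
COMMON_WORDS = {"password", "welcome", "school", "holidays", "good", "wise"}


def password_problems(password, personal_info=(), previous=()):
    """Return the guide rules a password breaks (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if not (has_lower and has_upper and has_digit and has_symbol):
        problems.append("needs upper and lower case letters, digits and symbols")
    if re.search(r"(.)\1\1", password):
        problems.append("contains repeated characters")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a recognisable word")
    if any(item.lower() in lowered for item in personal_info if item):
        problems.append("contains personal information")
    if password in previous:
        problems.append("previously used")
    return problems


def pin_problems(pin, significant_numbers=()):
    """Apply the guide's PIN rules: no 1234, 4321 or 7777 style patterns and
    no postcodes, birthdays or other significant numbers."""
    problems = []
    if len(set(pin)) == 1:
        problems.append("all characters identical")
    if pin.isdigit() and len(pin) > 1:
        # Constant step of +1 or -1 between every pair of digits means 1234 / 4321.
        steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
        if steps == {1} or steps == {-1}:
            problems.append("sequential digits")
    if pin in significant_numbers:
        problems.append("matches a significant number")
    return problems
```

The plain pass phrase 'June School Holidays' fails on character mix and recognisable words, while the guide's modified form 7un3Schoo1Ho!id@ys passes every rule.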

Look for the lock

It’s easy to stop attackers from stealing your password when you log into an unencrypted website: never type your password unless you see a lock icon in the browser’s address bar.

The lock means that the website you’re using is encrypted, so even if someone is watching your browsing on the network (like another person on a public Wi-Fi hotspot – see our post on free public Wi-Fi), they won’t be able to see your password.

Browsers are starting to roll out features that warn you when you’re about to enter your password on an unencrypted site.

From January 2017, Google's Chrome browser shows a conspicuous “Not secure” label next to websites that use an unencrypted HTTP server. The label only appears on pages that transmit passwords or process credit card transactions.

When an attacker steals the password database for a site that you use (like Twitter or Yahoo), there’s nothing you can do but change your password for that site.

That’s bad, but the damage can be much worse if you’ve re-used that password with other websites — then the attacker can access your accounts on those sites as well.

To keep the damage contained, always use different passwords for different websites.

Finally, most websites have a password recovery system that lets you reset your password if you’ve forgotten it. Usually these systems make you answer some “security questions” before you can reset it. The answers to these questions need to be just as secret as your password; otherwise an attacker can guess the answers and set your password to something they know.

Randomness can be a problem, since the security questions that sites often use are also things people tend to know about you, like your birthplace, your birthday, or your relatives’ names, or that can be gleaned from sources such as social media.

The good news is that the website doesn’t care whether the answer is real or not — you can lie! But lie productively:

Give answers to the security questions that are long and random, like your passwords.

More factors, fewer problems!