So… I have seen it a couple of times in the past month. A Facebook friend describes how their bank account was “hacked”. Behind the scenes, however, they have “logins” for around 200 different websites, and on all of those websites they share a common username/password wherever possible.
The problem is that when people make a password, they tend to think of a specific arrangement of characters and symbols they can remember. Sure, Big84Brain!@% is a fine password… but if you use it everywhere, you’re asking for trouble.
Let’s take the above as an example. Let’s say you use that password for everything: your email, your bank, Pinterest, Facebook, Twitter, Amazon, and a couple of other small sites you visit. Uh-oh, problem… one of the “small sites” gets hacked. In the process, the hacker gets a list of usernames and passwords. Now all he/she has to do is write a script that tries to log in to financial institutions with the list of usernames and passwords they recovered. Since you use the same password at your financial institution, if it’s one the hacker targets, your account will certainly be compromised.
Your password wasn’t horrible. It wasn’t just a dictionary word: it had upper and lowercase characters, it had numbers, and it had special characters. That all being said, your decision to use this “secure” password on every single site you visit has now caused your bank account to be drained. What’s a solution?
If you don’t want to use a password manager like 1Password (1password.com), it’s good to think in patterns rather than specific passwords. A pattern should make sense to you and result in a different, somewhat nonsensical password for every site you visit.
Want a simple example? Pick a base word, let’s say it’s “love”. Alone, it’s a horrible password. Now capitalize the first letter and add in your birth year, let’s say it’s 1974. Now you have Love1974. Still horrible. So, type the first two digits of your birth year with Shift held (on a US keyboard 1 becomes ! and 9 becomes ( ) and add those in. Now you have Love!(74.
You still have a problem, because it’s too short, it contains a dictionary word, and it’s not unique to the site you are visiting. So, maybe try this: put the partially shifted birth year in the middle of “Love”, then add the 1st, 3rd, and 6th characters of the name of the site you are visiting at the end. Applying this pattern, you now have the following hypothetical passwords for the following sites:
Facebook.com – Lo!(74vefco
pinterest.com – Lo!(74vepnr
hotmail.com – Lo!(74vehti
Notice something here? You’ve created a pattern that makes sense to you and is easy to remember, but it creates nonsensical passwords that are different for each and every site you visit or service that you use. Hackers work by brute force: they won’t likely try to figure out patterns, they will try what works and move on. An ounce of prevention here takes hundreds of pounds of risk off your plate. Come up with a pattern that makes your password unique on each site you visit, and don’t make yourself a “victim”.
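Here is the pattern from the post written out as a small script, so you can check that it really produces Lo!(74vefco, Lo!(74vepnr and Lo!(74vehti and that each result clears the post’s own bar (length, upper, lower, digit, special). This is an added example, not code from the post; how it treats site names shorter than six letters (it wraps around) is my assumption, since the post doesn’t cover that case.

```python
"""Worked example of the site-pattern scheme described above (added example)."""
import string

# US keyboard: typing a digit with Shift held gives the symbol above it.
SHIFTED_DIGITS = str.maketrans("1234567890", "!@#$%^&*()")


def shift_year(year: int) -> str:
    """Shift only the first two digits of a four-digit year: 1974 -> '!(74'."""
    y = f"{year:04d}"
    return y[:2].translate(SHIFTED_DIGITS) + y[2:]


def site_letters(site: str, positions=(1, 3, 6)) -> str:
    """Take the 1st, 3rd and 6th letters of the site name (TLD dropped).

    Assumption (not in the post): names shorter than the highest position
    wrap around instead of failing.
    """
    name = site.lower().split(".")[0]
    return "".join(name[(p - 1) % len(name)] for p in positions)


def site_password(base: str, year: int, site: str) -> str:
    """Capitalised base word, shifted year spliced into its middle, site letters appended."""
    word = base.capitalize()
    mid = len(word) // 2                      # "Love" -> "Lo" + ... + "ve"
    return word[:mid] + shift_year(year) + word[mid:] + site_letters(site)


def meets_post_criteria(pw: str, min_len: int = 10) -> bool:
    """The post's own checklist: at least 10 chars plus upper, lower, digit and special."""
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return len(pw) >= min_len and all(any(c in cls for c in pw) for cls in classes)


if __name__ == "__main__":
    for site in ("facebook.com", "pinterest.com", "hotmail.com"):
        pw = site_password("love", 1974, site)
        print(f"{site:15} {pw}  ok={meets_post_criteria(pw)}")
```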
Now… this is a simple example. Put your creative hats on and think pattern rather than password. Make sure you have something you can remember, something that uses numbers, special characters, and maybe even a couple of dictionary words mixed in. Make the pattern memorable, and make sure it generates passwords that are at least 10-12 characters long. Once you come up with one, promptly go and change all of your passwords to fit your pattern, especially those you care about the most.
Once that’s done, for an extra dose of security, enable 2FA (two-factor authentication) on any sites that are important to you that offer it. Banking institutions almost always do; Facebook, Microsoft and Google do too. With 2FA, even if someone has your password, they still need the second factor (commonly a code received by text or push notification) to successfully breach your account. And when you get a mysterious text or push with a login code while you aren’t trying to log in, you instantly know your password has been compromised, but, unless they have the second factor, they have not successfully logged in. In that case, you just log in, change your password again, and move on. There are many other 2FA options (YubiKey, for example), but that’s fodder for another post later on. For now, just stop repeating passwords 🙂