unknowingly Every few weeks, we hear the news that another major corporation and its website has been hacked, just last week we heard about Equifax being hacked and data on millions of users being compromised. We of course only hear about the major newsworthy hacks which have been discovered or disclosed, but the scary truth is that around 30,000 websites are hacked every single day.
Often these hacks mean your personal information has also been compromised, most likely without your knowledge as often website owners either do not know they have been hacked, or choose to keep it quiet. In this post, I cover the important reasons for why you should use a password manager to protect your online identity.
Passwords & Online Security Best Practices
Most websites rely on a simple login process for a user to gain access to their account–a username and password.
As an online security best practice, you need to have long, complex and unique password for every web account you use.
Strong passwords need to be:
- Long – The more characters in a password, the longer it would take a hacker to guess your password. I recommend at least 20 characters.
- Complex – By adding additional characters to your password you add complexity or password entropy. Password entropy is a measurement of how unpredictable a password is, based on the character set used (a combination of lowercase, uppercase, numbers, and symbols) as well as password length. Basically, your password needs to be something you could never pronounce.
- Unique – You need a different password for every web account you use. Yep, that’s right. Every login on every website needs to be unique and never reused.
Unfortunately, in the real world, meeting all three criteria for strong passwords is basically impossible without the use of a password manager.
Why Use a Password Manager? The Nightmare Scenario
So why is having a long, complex, unique password important?
If you use the same email address and passwords for multiple websites that you log into (as a lot of people do), what happens when one of those websites gets hacked?
The hackers now have your username and password on a list that will be used to try to log into thousands of other websites around the internet. If you use the same email address and password for all your websites, now the hacker will be able to log into all your accounts at once and get access to all your personal data and details. If those same login details are used for your email account as well, they can now access
If those same login details are used for your email account as well, they can now access pretty much anything. Any site they cannot get into, they can simply issue a password reset, which will come to your email, which they now have access to. Identity theft at this point is a high possibility.
Once your password has been compromised, you now have the challenge of updating your information individually on every single website that has the same login information. Do you even remember them all? If you use the same email and password again on each one, you’re probably going to have to repeat this process again in the future.
Don’t Use Common Passwords
Here’s Keeper Security’s list of the most common passwords of 2016. Do you recognize any of them?
These are all lazy passwords, achieved by just pressing keys that are next to each other on the keyboard, and are easily hackable in seconds by automated hacking tools.
| 1. 123456 | 10. 987654321 | 19. 555555 |
| 2. 123456789 | 11. qwertyuiop | 20. 3rjs1la7qe |
| 3. qwerty | 12. mynoob | 21. google |
| 4. 12345678 | 13. 123321 | 22. 1q2w3e4r5t |
| 5. 111111 | 14. 666666 | 23. 123qwe |
| 6. 1234567890 | 15. 18atcskd2w | 24. zxcvbnm |
| 7. 1234567 | 16. 7777777 | 25. 1q2w3e |
| 8. password | 17. 1q2w3e4r | |
| 9. 123123 | 18. 654321 |
Don’t us ethe name of the website you are logging into with a few extra characters added.
e.g.
Amaz0n123!
You also should not create passwords from personal information, such as your name, names of family members, pets, date of birth, the place you met your partner, etc, as all of this information is usually easy to find out (probably on your social media profile/posts etc), and hackers will also try this first.
Don’t just use a word and replace letters with similar-looking numbers, hackers also know people do this, and this is also one of the first things hackers will try.
e.g.
using El3ph4nt! instead of Elephant!
replacing o with 0’s (ZERO)
replacing i’s with 1’s
replacing e with 3’s
replacing s with $’s
replace A with 4’s
Security Questions
The use of security questions is a common solution used by websites and organizations as an additional method of identification and also as a way to reset your password.
But this has also now become a major issue, as users regularly give out the answers to their security questions on their social media accounts, such as the name of their first dog, where they met their spouse, etc.
So once the cybercriminals have scraped all this personal information from your social media profile and posts, chances are they will have the answers to all your security questions and will be able to use that information to then reset any of your passwords or even access your telephone banking.
Plus there is the fact that most websites ask the same security questions. So if one website you use gets hacked, the hackers know the answers to those security questions, and can answer them on any other website where you have used them as well.
So I recommended that you never give honest answers to these security questions, instead give fake answers for every account or website you use, and store those details in your password manager too.
Password Managers vs. Browser Password Storage
Note: While most major web browsers today will offer to remember your passwords and fill them in automatically for you, this is for convenience and not security.
A Password Manager such as 1Password not only remembers your login information but also helps you generate long, complex passwords and stores them and other useful information securely.
You may have noticed that your browser prompts you to save login details, but be warned that the password storage built into your browser is a solution of convenience, but is not secure. Anyone using your computer can access those saved details and log in to websites, plus you will not have access to those details from other devices. Also bear in mind that if you lose your device or it is stolen, or your hard drive dies, or any disaster, you have lost all those details.
Malicious software (malware) can also easily extract those passwords from your browser.
Which Password Manager to use
There are numerous excellent password managers available, depending on your budget and requirements. However, I would recommend staying away from LastPass, as they have been hacked several times now, and have been very sketchy with the details and informing their users. FYI, I now use Bitwarden myself.
I will also give an honourary mention to Microsoft Authenticator, with is a free 2FA mobile app that also has a built-in password manager. It is very basic, but may suffice if you only need to manage a few passwords and have simple requirements. However, do bear in mind, since it is only available as a mobile app, it is only useful if you only use a mobile device and not a desktop PC or laptop. If you do use other devices for logging into websites, then you would have to manually type those long, random, unique passwords every time, which is prone to error and typos, so not fun at all.
It is also worth mentioning that if you use BitDefender Anti-Virus or Kaspersky, then these both come with a simple password manager, although they are quite basic.
Ultimately, using any one of these password managers is a good choice and is better than not using one.
So as well as passwords, it is great for storing bank details, licenses, card details etc, and is very easy to share passwords with other people. It is also really secure, with many solutions you can set your account to auto-lock after xx minutes so that anyone else using your computer cannot access your passwords without your master password. You also have the option of 2-factor authentication.
However, it can be over complicated for the same reason if you are not very competent with computers, in which case one of the simpler solutions might be better for you for personal use.
You can find a review of the top password managers on the wired website here.
2 Factor Authentication
Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves.
For the average person, this is done via an authenticator app on your phone or via an SMS message with a code that is sent to you when you login. You should always enable 2FA whenever it is available.
2FA is implemented to better protect both a user’s credentials and the resources the user can access. Two-factor authentication provides a higher level of security than authentication methods that depend on single-factor authentication (SFA), in which the user provides only one factor — typically, a password or passcode. Two-factor authentication methods rely on a user providing a password as the first factor and a second, different factor — usually either a security token or a biometric factor, such as a fingerprint or facial scan.
Two-factor authentication adds an additional layer of security to the authentication process by making it harder for attackers to gain access to a person’s devices or online accounts because, even if the victim’s password is hacked, a password alone is not enough to pass the authentication check.
Two-factor authentication has long been used to control access to sensitive systems and data. Online service providers are increasingly using 2FA to protect their users’ credentials from being used by hackers who stole a password database or used phishing campaigns to obtain user passwords.
There are numerous authenticator apps available, but a popular free solution is the aforementioned Microsoft authenticator.
Unless it is the only option available, I would recommend against using SMS as your 2FA method, as this also is not especially secure, as SMS messages can be intercepted.
