With the recent announcement of the Heartbleed bug in OpenSSL (http://heartbleed.com/) and its effects on secure internet traffic and what the “padlock” symbol really means, it would seem that now would be an opportune time to discuss good password policy.
While it is impossible in this day and age to guarantee that your password will never be hacked or that your details will never be stolen, for 99% of people it’s probably possible to do more to protect themselves from having their accounts or details stolen.
There are 8 basic rules you should follow (and they’re pretty easy) in everyday life to help ensure your details are safe.
Rule One – Choose A Decent Password
I choose my password by selecting a song I like and then grabbing the first letter of every word in the chorus (or a favourite verse) of the song. This way, so long as I remember the song, I remember the password.
I then add some numbers that I can relate to (e.g. the last two digits on your driver’s license) to either the start or the end of the resultant password, and then add a special character.
So, for example, if I wanted to use “Simply the Best”, I might end up with a password like this:
Ystbbtatr34$
So long as I remember that the first letter is uppercase, remember the verse “You’re simply the best, better than all the rest”, have my driver’s license to hand and know that I’m using a “$” symbol at the end, I’ll never forget the password.
And it’s practically unhackable.
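The derivation in Rule One, written out as an added example (not code from the original post): take the first letter of each word of the lyric, uppercase the first one, then attach the chosen digits and special character at the end or, as the post also allows, at the start. It reproduces the post’s own “Ystbbtatr34$” from the quoted verse.

```python
import re

def mnemonic_password(lyric: str, digits: str, symbol: str,
                      digits_at_start: bool = False) -> str:
    """Build a password from a lyric line the way Rule One describes.

    Words are split on whitespace; surrounding punctuation is stripped so that
    "best," contributes "b" and "You're" contributes "Y" (the apostrophe is
    kept inside the word, only the leading letter is used).
    """
    letters = []
    for word in lyric.split():
        # Drop leading/trailing punctuation such as commas and quotes.
        word = re.sub(r"^[^\w]+|[^\w]+$", "", word)
        if word:
            letters.append(word[0])
    if not letters:
        raise ValueError("lyric contains no words")
    core = "".join(letters)
    core = core[0].upper() + core[1:]   # first letter uppercase, per the post
    if digits_at_start:
        return digits + core + symbol
    return core + digits + symbol

if __name__ == "__main__":
    # The verse and values used on this page (digits "34" are the post's example).
    print(mnemonic_password("You’re simply the best, better than all the rest", "34", "$"))
```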
Rule Two – Never Save Your Password Or Write It Down
Okay, maybe write it down until you remember it well, but then delete the file or shred the paper.
But never use browsers or plugins or any kind of tool to “remember your password” for you. You never know what’s going to happen to your computer or smart device and who’s going to end up with it.
Rule Three – Use At Least Three Passwords (Preferably Four)
People say you should have different passwords for every website. That’s fine in theory, but in practice you’re never going to remember that many. There are programs and browser plugins that you can use to “store your passwords”, but that would violate Rule Two.
I figure most people can remember three different passwords. I figure most people are probably already doing it.
The catch here is making sure that each password is sufficiently different – not just a variation of one of the others. Choose a different song. Replace a letter in the middle such as an “s” with a dollar sign ($). Do something different in each case so you can’t extrapolate one password from another.
So divide your websites into three categories and select three passwords as follows. The important thing is that each password never gets used in any other category than what it was originally intended.
- Your “general untrusted Internet password” – use this across pretty much every site that you sign up to on a day to day basis. You should consider this your least safe password, and the websites you use it for should fall into the category of “if this gets hacked, I don’t really lose anything much”. Thus, if you store credit card details with a site (such as Amazon), you should not use this password for that site.
- Your “trusted Internet password” – use this across the sites that you trust (more than others) will handle your details properly. Sites like banking websites, Amazon, etc.
- Your “email password” – this is for your email account and only your email account. The purpose of this is that since most websites now use email as a means of “resetting passwords”, if any one of your website accounts is hacked the hacker cannot also log in to your email account.
Obviously the hacker can change your password if they wish (provided they already have your original password and didn’t just get onto your computer because you left your account logged in and walked away), but either way you’ll probably receive notification of the change in your email – and then you can do something about it.
In an ideal world, you would also have a separate password for social media sites, so if you can remember 4 passwords, then do this.
I actually keep separate passwords for Amazon and PayPal as well, and my banking passwords are also isolated, so in total I have about 6 or 7, but then I have a good memory for this kind of thing.
Rule Four – Use The Same Email Account For Creating All Accounts
And make sure you check it regularly. Don’t use an account that you never, ever check, because then you’ll never, ever see the notification emails, and most websites use an email address for notifications and resetting passwords, changes to passwords, and updates to account details.
Use the same email address for all sites, and make sure that the email address you use has its own dedicated, secure password as per Rule Three above.
Rule Five – Be Careful What You Put In Emails
Newsflash: emails are not encrypted (unless you know they are because they have specific encryption methods like PGP). They can be plucked out of thin air and people can read what’s in them if they really want, so be careful what you put in an email.
First, if you’re going to put your password in an email, open up Word first, type the password, grab a screenshot of it, paste the screenshot into the email as an attachment, and send that. Yes, the password is still in the email, but it’s now in a picture, and a simple bot “scanning the text in an email to look for password-like words” won’t cut it anymore. All of a sudden reading your password from your email gets a lot more complicated.
If you’re going to put your credit card details in an email, they should be split over two emails: one for the CC number, and one for the expiry and CVV (if applicable). Do not ever put all the details in the same email. You can also use the “type it and grab a screenshot method” above for added security as well.
Rule Six – Do Not Trust Websites That Can Tell You What Your Password Is
Passwords should be stored by websites in an irreversible encrypted fashion, meaning that once you have set your password, the password is encrypted and stored in its encrypted form and it cannot be unencrypted. This means that if you were to call up the company behind the website and say “can you tell me what my password is”, the correct answer is “no, it’s not possible because it’s encrypted and it cannot be unencrypted”.
This is why most websites use password “reset” features to generate a random password for you when you forget it.
If the website (or the call centre for the company) is capable of telling you what your password is when you’ve forgotten, this means your password is unencrypted and, if the website is hacked, it will be visible to all and sundry.
In such cases, consider your details open to the public and either do not sign up for an account or, alternatively, choose another password entirely.
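The irreversible storage Rule Six describes, as an added example (not code from the original post): the site keeps only a random salt and a one-way PBKDF2 hash of the password, so it can check a login attempt but has nothing it could read back to a caller. Iteration count and record layout are choices made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # example work factor; raise as hardware gets faster

def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record a site should keep. It contains the salt and the
    one-way hash, never the password itself, so it cannot be 'unencrypted'."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(record: str, candidate: str) -> bool:
    """Re-run the same one-way function on the login attempt and compare.
    This is the only operation the stored record supports."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    rec = store_password("Ystbbtatr34$")   # the post's example password
    print(rec)                             # no trace of the password in it
    print(verify_password(rec, "Ystbbtatr34$"), verify_password(rec, "wrong"))
```

Because the salt differs per user, two accounts with the same password still get different records, so a leaked table does not reveal shared passwords either.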
Rule Seven – Do Not Follow Links From Emails
Unless you’re tech savvy and know how to spot a phishing website by the URL, do not follow links from emails to log in, especially to banking, PayPal, Amazon or any other site that stores your credit card or financial information. Phishing scams can look very legitimate, and basically they’re just a means to get you to tell them what your password is. It doesn’t matter how unhackable your password is (see Rule One) if you just blindly go and give it away to phishing sites.
Worse, they often redirect you to the actual website after you enter your details, so you might not even know you’ve given away your details until you notice dodgy items appearing on your credit card statement. And that might not be for months.
Put simply: if you want to log in to your banking account, or PayPal, or Amazon, or any other site like that, type the URL into a browser or get Google to bring it up for you in a search.
Never, ever, log in to a financial website after clicking a link in an email.
Rule Eight – Change Your Passwords At Least Once A Year (Or If You Suspect A Breach)
I know it’s a pain, and if you’ve followed the rules to date it’s probably not that necessary, but you should change your passwords at least once a year just to be safe.
And if you suspect a breach or hear about a possible breach from a company that has your details (like recent leaks from LinkedIn, Telstra, PSN and so on), then change your passwords immediately.
All of them, not just the ones you think have been leaked.
That’s it!
Well, that’s not it. Not really.
There are plenty more things you can do, like ensuring you never enter your password into any form that doesn’t display the SSL “padlock” symbol, using a VPN, or locking yourself in a padded room and never coming out.
There are probably better ways to pick your password and some people probably have better ideas about how to secure their online experience.
For most people, though, these tips should get you most of the way to a safer, more secure online experience.
By Christian Brenner (Technical Lead - NOW Digital)