Internet Safety: Passwords and Securing Your Online Accounts
This was originally all part of one of my other hubs, but I realised that hub was so big that I needed to split it in two, at the very least. Here, I'll talk about passwords - why it's important to make them as strong and complicated as possible. I'll also delve into other areas related to account access and strengthening security on your devices and online accounts.
Think about where to store passwords
Be careful where you store your passwords. Keeping them all in one place in a txt file on your HDD, especially one that is connected to the internet regularly or shared with other people, is not advisable, in my opinion. You can store them in safer places though. Some browsers like Firefox have the option to remember and store passwords, and there are programs called password managers, like KeePass or LastPass, which store your passwords securely and are opened with a master password. You can even store them online, but the risk is that the site where they are stored will be hacked. The advice then here is: don't enter or store passwords on any third-party application or website.
But you might want to consider storing them in other places. You can write them down and store them in a log book, or you can type them out and print them. Then you would store these passwords in a safe or locked drawer of sorts, which is harder to get to than leaving something out in the open for all to see. If you're that worried about someone finding the passwords, and you are heavily into cryptography, you could invent your own alphabet or code and then encrypt the document, substituting letters or numbers for others. Even a basic one might fool most people. Once you change your passwords and want to dispose of the old ones, make sure to use a diamond-pattern or cross-cut paper shredder. Also burn the remaining strips afterwards. You might not think it necessary, but if you have website names, URLs, usernames and the like associated with those passwords written down or typed out, I would strongly consider it.
You could store them on a clean, disconnected workstation – one that is never online. If you do this, at least password-protect the document. In fact, it’s probably a good idea to have backup PCs or laptops. In the event where you think your primary workstation may have been compromised, then you can fire up another one, and go online and change the passwords to your vital accounts. Two systems is good, three is even better. But preferably don’t have all of them linked together on a network or something as viruses can spread that way. Also make sure that you set good, strong account passwords for these systems so that nobody else but you can access them locally.
The best way however is to commit passwords to memory. But this can be near impossible with tricky combinations, let alone multiple passwords.
"Keeping passwords all in one place on your hard-drive, especially one that is connected to the internet regularly or shared with other people, is not advisable."
Did you know?
People often use the same password for multiple accounts. This is especially true when websites offer the option of being able to log in with Facebook, Yahoo, or Google accounts.
Change account passwords frequently
When choosing a password, make sure not to make it too obvious, and more importantly not to make it too short. Passwords should be original, not personal, hard to guess, and contain not just letters, but numbers and even symbols, if supported. A password should be a minimum of 12 characters for your most important accounts. Some will say that it doesn’t matter what your password is: as long as it’s very long, it will be harder to crack using a computer and the tools available to hackers. Others will say that this is true, but you should really add spaces between words and make a nonsensical sentence. This is even harder to crack. There are password generators out there that can do the hard work for you, but be sure to use a recommended one, and try not to use any old online-based one, particularly if it's a website that doesn't have a secure connection (HTTPS).
You can afford to have short, fun passwords on accounts that are either throwaway accounts, or ones that wouldn’t really interest a hacker. They’re mainly after financial information, online banking, maybe some social networking profiles depending on the hacker’s intent. You might not want to leave anything to chance, though.
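The two approaches above (a long random string of letters, numbers and symbols versus a "nonsensical sentence" of random words) can both be produced offline without trusting a website. The following is an added example, not code from the original article: it generates both kinds with the operating system's cryptographic random source and reports how many bits of strength each has, using the "bits" measure the article's later "Did you know?" note refers to. The 16-word list is a constructed stand-in for a real passphrase list of several thousand words.

```python
import math
import secrets
import string

# Character classes the article recommends: letters, numbers and symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

# Constructed mini word list for passphrases. A real generator would use a
# published list of thousands of words (assumption: any uniform list works the same way).
WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "gravel", "harbor",
    "iris", "jigsaw", "kelp", "lantern", "meadow", "nickel", "orbit", "pebble",
]


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of strength for `length` independent, uniform picks from `pool_size` options."""
    return length * math.log2(pool_size)


def random_password(length: int = 16) -> str:
    """A password drawn uniformly from the full letter/number/symbol pool.

    `secrets` uses the OS CSPRNG; `random` would not be suitable for this.
    """
    if length < 12:
        raise ValueError("use at least 12 characters for important accounts")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_passphrase(n_words: int = 6, separator: str = " ") -> str:
    """A 'nonsensical sentence': random words joined by spaces (or another separator)."""
    return separator.join(secrets.choice(WORDS) for _ in range(n_words))


def password_entropy(length: int) -> float:
    """Strength of a random_password() of the given length, in bits."""
    return entropy_bits(len(ALPHABET), length)


def passphrase_entropy(n_words: int) -> float:
    """Strength of a random_passphrase() of the given word count, in bits."""
    return entropy_bits(len(WORDS), n_words)


if __name__ == "__main__":
    print(random_password(16), f"~{password_entropy(16):.1f} bits")
    print(random_passphrase(6), f"~{passphrase_entropy(6):.1f} bits")
```

Note the arithmetic: 12 random characters from a 94-symbol pool give about 79 bits, while 6 words from this toy 16-word list give only 24 bits; with a real list of around 7,000 words each word is worth roughly 13 bits, so a six-word sentence lands near 77 bits and is far easier to remember. Strength comes from the size of the pool and the number of random picks, not from how "complicated" the result looks.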
You should change your online passwords every now and again. Make sure to do this at least a few times a year. It doesn’t take much effort in the end, and once it’s done you’ll feel safer. You’ve done your bit to prevent your accounts from being hacked.
"Passwords should be original, not personal, hard to guess, and contain not just letters, but numbers and even symbols, if supported. A password should be a minimum of 12 characters."
Watch for keyloggers
Make sure to scan your HDD for malware. You’ll want to be especially watchful of a thing called a keylogger. These come in many forms, and their duty is to log keystrokes on your keyboard. Passwords are then usually uploaded to an email address or server belonging to the hacker. Also consider not only scanning for keyloggers, but using an anti-keylogging program, which will look for keylogger activity, and block keyloggers that might be on your system from initializing on start up.
These programs can often be intrusive though, and block trusted and necessary programs and processes too. One victim in my experience was a program I used to make backup DVDs: the anti-keylogger program blocked it from achieving write access.
There are plenty of tricks you can use, even not using anti-keyloggers. You can use virtual keyboards which don’t rely on key presses, or even mouse clicks. You can just hover the mouse over a key and it will register as an entry. Try out Neo's SafeKeys for example. This will protect you from a few types of keyloggers that rely on logging keystrokes, mouse clicks, screen capture, and clipboard capture. More recent versions of Microsoft Windows even come with an on-screen keyboard, though I'm not really sure how useful it is since I don't use it.
There are tricks one can use without even using a virtual keyboard, being clever and making it confusing for keyloggers to accurately capture key presses. The general rule is: don’t access your accounts from internet cafes and the like, or other people’s PCs. You don’t know what might be lurking on the hard drive which might serve to log your passwords. You also get hardware-based keyloggers, which could be mistaken for adapters for keyboards and the like. Check the back of the tower to make sure.
"The general rule is don’t access your accounts from internet cafes and the like, or other people’s PCs. You don’t know what might be lurking on the hard drive which might serve to log your passwords."
OTPs and 2-Step verification
Whenever possible, increase security measures on your accounts. Google, PayPal, some online banking services and Facebook provide features such as an OTP (one time password) or 2-step verification. These can be sent to email accounts or mobile devices (at no charge, usually), and contain a numeric password, which you have to enter to either log in to your account, or change settings within it.
The main difference, as far as I know, between the two is that with 2-step verification (Google and Facebook), you can set it so that you only need to verify the device you are attempting to log in from once every while (30 days with Google). An OTP lasts as long as the session, and once you log out, if you attempt to log back in, you will be sent another OTP.
So even if a hacker got a hold of your username and password, or tried to hack in to your account, they wouldn’t be able to do much without the OTP, which would be sent to your email address or your mobile for instance. This is a good early warning sign that there’s some fraudulent activity going on in some cases, too. In addition to Facebook's login approval system is a feature where it will log the devices that sign in to your account, and will email you these logs too - called login notifications. Other websites will allow you to check recent logins, successful and sometimes even unsuccessful attempts, complete with IP addresses and locations, to determine if there’s been any fraudulent activity going on. You can also check these IP addresses against those listed in your firewall for good measure. If the IP address looks unfamiliar, then watch out!
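What makes a one-time password "one-time" is entirely on the server side: it must be generated unpredictably, accepted only within a short window, and retired the moment it is used. The following is an added example of that server-side logic, not code from the article or from any of the services it names. Delivery of the code (by SMS or email) is outside the example, and the 6-digit length and 5-minute lifetime are assumed policy values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

OTP_DIGITS = 6            # assumed: a 6-digit numeric code
OTP_TTL_SECONDS = 300     # assumed: the code expires five minutes after issue


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    used: bool = False


@dataclass
class OtpService:
    """Issues and checks one-time numeric codes, one outstanding code per account."""
    ttl: float = OTP_TTL_SECONDS
    _codes: Dict[str, IssuedCode] = field(default_factory=dict)

    def issue(self, account: str, now: Optional[float] = None) -> str:
        """Create a fresh code for `account`; any earlier code is replaced."""
        now = time.time() if now is None else now
        # secrets.randbelow draws from the OS CSPRNG, so the code is not guessable.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._codes[account] = IssuedCode(code, now)
        return code   # handed to the SMS/email sender, never stored in plain logs

    def verify(self, account: str, submitted: str, now: Optional[float] = None) -> bool:
        """True exactly once per issued code, and only before it expires."""
        now = time.time() if now is None else now
        entry = self._codes.get(account)
        if entry is None or entry.used:
            return False                       # nothing outstanding, or already spent
        if now - entry.issued_at > self.ttl:
            return False                       # expired: the user must request a new one
        # Constant-time comparison so timing does not reveal how many digits matched.
        if not hmac.compare_digest(entry.code, submitted):
            return False
        entry.used = True                      # one-time: a replay of this code fails
        return True


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("alice@example.com")
    print("first use:", svc.verify("alice@example.com", code))    # True
    print("replay:", svc.verify("alice@example.com", code))       # False
```

In a real deployment the same check would also be rate-limited per account, so that a 6-digit code cannot simply be guessed through within its five-minute window.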
Use different email addresses for your various online accounts, and don't reveal these email addresses publicly. You can have "public" or business email addresses for sharing.
The only real way somebody could thwart the OTP system completely is if they actually got a hold of your mobile. The last thing you would want to do is then try to log in, and have an OTP sent to that phone – because if the thief had your username and password, you would essentially be handing them the key to your front door. Otherwise they could attempt to register your number (an existing one) on a new SIM card. This is referred to as a SIM swap. If this were to happen, it would almost certainly be an inside job of sorts, or due to some idiotic negligence on the behalf of your phone carrier.
Forgot your password?
Websites often have a "forgot password" option. So if you forget your password you can have it sent to your associated email address, or make you go through a password reset process.
The only problem is that somebody could change the associated email address when they're in your account. But some websites will inform you that your password or email address or other information has been changed, and will allow you to recover your account if you were not responsible for the changes.
The OTP system might also be circumvented if the phone were to be hacked and the hacker somehow managed to intercept the text message, or had hacked the email address associated with the account where the OTP would be sent. In these cases, if you receive an OTP without having requested it yourself, be very cautious.
Google has backup plans for events where your phone is stolen. You are required to have a backup phone that you can have your password sent to, and you also have backup access codes that you can print out or write down and keep in case something happened to both phones. If you manage to get into your accounts, change your username and password if possible, and consider reassigning your TFA (two factor authentication) to another new phone - or you could switch off 2-step verification, even if temporarily. Contact support with the company if you need assistance with this. Sometimes you can't change the phone number associated with your account without receiving a password at the number of the phone which might possibly have been stolen or lost.
For this reason, when you are out for pleasure or on holiday (and not business), always carry a spare emergency phone that doesn’t carry anything critical on it. It should have the numbers of your family, close friends and emergency numbers like the local police. Business phones should be kept at home or in the office, or at least stored securely if in a hotel if you don't plan on using them - don't leave them lying around your hotel room. They should be close to you or at least preferably away from others if you can help it.
"Whenever possible, increase security measures on your accounts. Google, Tumblr, Facebook, PayPal, and online banking services provide features such as an OTP (one time password) or 2-step verification."
Security questions are a feature that some websites, including HubPages, have. In order to view or change some account information, you need to answer a security question. This will be one that you yourself set up, and you will likely be the only one who knows the answer unless someone who knows you personally manages to get into your account. Maybe you can then intentionally give wrong answers or make security questions harder to answer. Instead of "What school did you go to?", go for something like "What was your mother's maiden name?" or set a custom question that makes no sense to anyone other than you, if possible; "Where in the world is Wally?" - first they'd have to figure out who the hell Wally is!
Oh, and if you can help it, make sure to have different security questions for every account you have.
Never use the same password twice, or recycle passwords. Once you've used a password for a period of time, and then change it, don't ever revert to the previous password, for use with any account. Discard it permanently. Don't use one that is too similar, either.
Captcha and account locks
Captcha is commonly used to test whether a user is human or automated, like a spambot. You'll notice that on some websites if you enter your password incorrectly three times, you will then be presented with a captcha image. If you get the sequence right after typing it in and submitting it, you may still be required to pass another check by replying to an email sent to you, usually by clicking a link within the email. You may then need to change your password for the account in question. With other websites, they can lock you out for a certain amount of time, which can vary - it could be 15 minutes or several hours. You may even need to contact a support number to regain access to your account. You may also be sent an email notifying you of the account lock or attempts to access your account.
Captchas are not really reliable defenses to prevent spam or hacking anymore though since the hackers have gone on to recruit people to enter captchas and the like, for a pittance, in order to assist them in their activities.
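The "three wrong tries, then a captcha, then a temporary lock" behaviour described above is easy to state but has a few details worth getting right: the counter is per account, a correct password with no captcha must still be refused once the captcha threshold is hit, and the lock must expire on its own. This is an added example of that logic, not code from any website the article mentions; the thresholds (3 failures for a captcha, 6 for a lock) and the 15-minute lock are assumed policy values, the 15 minutes being one of the durations the article quotes.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

CAPTCHA_AFTER = 3          # assumed: failures before a captcha is demanded
LOCK_AFTER = 6             # assumed: failures before the account is locked
LOCK_SECONDS = 15 * 60     # 15-minute temporary lock


@dataclass
class LoginState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class LoginGuard:
    """Per-account failure counter: 3 strikes -> captcha, 6 strikes -> 15-minute lock."""
    _state: Dict[str, LoginState] = field(default_factory=dict)

    def _get(self, account: str) -> LoginState:
        return self._state.setdefault(account, LoginState())

    def status(self, account: str, now: Optional[float] = None) -> str:
        """'locked', 'captcha' (challenge required) or 'open'."""
        now = time.time() if now is None else now
        s = self._get(account)
        if now < s.locked_until:
            return "locked"
        if s.failures >= CAPTCHA_AFTER:
            return "captcha"
        return "open"

    def attempt(self, account: str, password_ok: bool, captcha_ok: bool = False,
                now: Optional[float] = None) -> str:
        """Record one login attempt: 'locked', 'captcha_required', 'failed' or 'success'."""
        now = time.time() if now is None else now
        s = self._get(account)
        if now < s.locked_until:
            return "locked"
        if s.failures >= CAPTCHA_AFTER and not captcha_ok:
            # Refuse before looking at the password, so automated guessing
            # learns nothing until the challenge is solved.
            return "captcha_required"
        if not password_ok:
            s.failures += 1
            if s.failures >= LOCK_AFTER:
                s.locked_until = now + LOCK_SECONDS
                s.failures = 0            # the counter restarts when the lock expires
                return "locked"
            return "failed"
        s.failures = 0                    # a good login clears the strike count
        return "success"
```

The lock is deliberately temporary rather than permanent: a permanent lock after a handful of failures would let anyone who knows your username lock you out of your own account, which is why the article's sites fall back to timed locks and email notifications rather than closing the account outright.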
Try making passwords in different languages or mix words from different languages. Anything that isn't in the dictionary is a plus, because it would make a dictionary attack (a hacking method) theoretically impossible and not to mention pointless.
Giving out passwords, account sharing
I've read stories of people who share account passwords with other people. I would personally strongly consider not doing this, even if it were someone I trusted dearly, seeing as not only can they go rogue and wreak havoc in your account, they could give that password to other people, they could post it online, they could post the contents of your account online. They could post all sorts of stuff and then blame it on you. You gave them access in the first place.
People in relationships sometimes share account passwords, because they feel there should be trust and no secrets. I just think it's silly. If it's an account of little consequence then perhaps you can. But I wouldn't. If the relationship goes to hell, then you'd better change those passwords quickly before the other person does something. They could lock you out of your own account!
Even some employers are reportedly asking people not only for their social networking profile addresses, but also for the passwords. I would have nothing to do with such an employer, and would walk out of that interview so fast. They have absolutely no right to infringe on one's privacy and security like that.
Check to see nobody is watching or waiting
When entering, storing, or changing your passwords, be sure that nobody is watching you do it. If they see which keys you're pressing, or are able to see the passwords on screen, then they will know that password and might be able to find out which account the password would give them access to. For this reason, when entering a password, make sure that it is masked - in other words, asterisks should pop up when typing it in. "Password" should appear as ******** on the screen. It's like they advise you to do with your bank card pin that you use at an ATM: never let anyone see which keys you're pressing. Also make sure not to leave notes, post-its, or log books with passwords out in the open when other people are around.
Also, if you leave your workstation, make sure to log out if you want to take a bathroom break, or perhaps shut down your PC completely, and make sure you have a password to access the desktop of your operating system (i.e. Windows). While your station is unattended, somebody could come along and look at your files, copy information onto a removable drive, or attempt some sort of fraudulent and potentially illegal activity. This is a good reason to disconnect modems or at least have passwords set up for them so that nobody else can access the internet from your system but you.
In the control panel of Windows you can also set the behaviours of your PC - so for instance if you want to be really safe, you'll need to enter your password on startup, after the PC has come out of a state of hibernation, etc.
If you haven't used an account for more than a few months, consider deleting it, or at least erase all sensitive or personally identifying information pertaining to you in it.
Check accounts for signs of fraudulent activity
This may sound scary, but you should sweep your accounts every now and again to see that there's been no activity other than your own. On Facebook for instance, you'll want to check your profile page, your info, your details, what's viewable to the public, your security information, notifications, latest activity as well as messages. I've read some stories of people who've had their accounts hacked and had to apologise to all the people who received all sorts of nasty messages from the victim's hacked account, sent by the hacker.
Check Point, the makers of Zonealarm internet security products, has a program called Zonealarm Social Guard, which does all of this for you. It will check your social networking accounts for signs of hacking as well as attempt to make social networking safer overall.
In your email accounts, check your inbox, your sent mail, trash, spam; everything. Some email accounts like Gmail allow you to check the logins of all IP addresses that have successfully made it into your account. For this reason, it might be best to delete critical information from your inbox once you've read it or taken the appropriate action required - particularly emails that contain usernames and passwords. These can be sent to you when you use a website's "forgot password" feature, or after you've registered. Also, refer to the section in this article on 2-step verification.
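Reading a "recent activity" list by eye works for a handful of entries, but the check the article describes here and in the 2-step verification section (compare each login's IP address against the ones you know are yours) is simple to automate. The following is an added example, not a feature of Gmail or any other provider: it parses a constructed activity list in the shape webmail services typically show and flags any login from outside the networks the account owner recognises. The IP addresses are from the RFC 5737 documentation ranges and the "trusted" network is an assumed value.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Union

# Constructed sample of a "recent activity" list: timestamp | access type | IP | location.
# All addresses come from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_ACTIVITY = """\
2012-05-01 08:12:03 | Browser | 203.0.113.5   | Cape Town, South Africa
2012-05-01 21:40:19 | Mobile  | 203.0.113.77  | Cape Town, South Africa
2012-05-02 03:02:55 | IMAP    | 198.51.100.23 | Unknown
2012-05-02 09:15:00 | Browser | 203.0.113.5   | Cape Town, South Africa
2012-05-03 14:47:31 | Browser | 192.0.2.200   | Somewhere Else
"""

# Assumed: the address block the owner's home connection and phone carrier use.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class LoginEvent:
    when: str
    access: str
    ip: IPAddress
    location: str


def parse_activity(text: str) -> List[LoginEvent]:
    """Turn the pipe-separated activity list into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, access, ip, location = [part.strip() for part in line.split("|")]
        # ip_address() raises ValueError on a malformed address rather than
        # silently accepting garbage from a copied-and-pasted list.
        events.append(LoginEvent(when, access, ipaddress.ip_address(ip), location))
    return events


def unfamiliar_logins(events: Sequence[LoginEvent],
                      trusted=TRUSTED_NETWORKS) -> List[LoginEvent]:
    """Events whose source address lies outside every trusted network."""
    return [e for e in events if not any(e.ip in net for net in trusted)]


if __name__ == "__main__":
    for e in unfamiliar_logins(parse_activity(SAMPLE_ACTIVITY)):
        print(f"check this login: {e.when} {e.access} from {e.ip} ({e.location})")
```

Two of the five constructed entries are flagged: the 03:02 IMAP login from an "Unknown" location and the browser login from a different city. Either would be the moment to change the password and review the 2-step verification settings, as the article advises.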
It would also help to avoid storing contacts within your email client so that the hacker can't spam them or try a phishing attack or something (which they might fall for seeing as it's coming from a trusted source - you). Most email clients, particularly webmail services, like Gmail, tend to store this information automatically though, and it might be a bit hard to stop it from doing so.
"You should sweep your accounts every now and again to see that there has been no activity other than your own."
Spelling mistakes might actually be a good thing when it comes to passwords. So even if someone knows what the password is if carelessly revealed by word of mouth, it will still take them ages to get the spelling right (or wrong in this case), particularly with long passwords.
Password Problems - Troubleshooting
If you're having trouble accessing your account on a website, first check the following:
- Maybe you typed in your email address, username, or password incorrectly.
- Perhaps you have your password recorded incorrectly compared to what is stored on the server?
- You're attempting to use an old username or password. You changed it, so you have to use the new login details.
- In some rare cases, password changes don't go through, perhaps due to problems with the website, or your internet connection dropped while you were changing your login details.
- Do you have adblocking or script-disabling add-ons in your browser like AdBlock Plus or NoScript? If so, disable these or at least allow scripts on that website or page, even temporarily, and try to log in again.
- Which browser are you using? You should be using something like Firefox or Chrome - the most secure ones. At least, you should be using a version of IE, although I wouldn't personally recommend it. Other browsers like Opera and so on might not be supported by the website in question. Try logging in from a different browser.
- The website may have reset your password. Some websites may reset your password or notify you that your password will be reset the next time you log in for security reasons.
- Your account may no longer be functional, as in it's a dormant account, or one that has been completely deleted. Dormant accounts can sometimes be reactivated, and other times not. You must make sure you log in to your accounts fairly regularly to keep them active.
Only then, after you have gone through all of these possibilities, can you assume your account has been hijacked, and the password changed, or the entire account closed. Some websites will notify you via email of password changes and will also prompt you with confirmation emails if you try to delete your account.
[Comparison of two example password types: 8 characters, letters, lower case; 10 characters, lower case, upper case, numbers, punctuation, special characters]
Did you know?
Password strength is measured in bits. The higher the number, the stronger the password, and the more secure the device or account will be as a result.
Check your password strength
It might be a good idea to check how strong a password is. You can use a program for it or use a web-based service. The only thing is, you should first check that the website is reliable and uses a secure connection. Microsoft has a password tester.
To conclude: password do's and dont's
Most people in the know will tell you that the requirements for a strong password are:
- letters (lower and upper case, e.g. a; A)
- numbers (1)
- special characters (e.g. @ or #)
- punctuation (e.g. ? or !)
- spaces (if supported, otherwise you can use special characters for this purpose e.g. and-then).
- must be at least 8-12, preferably 15 or more characters for your most important accounts.
- The password must not have two characters exactly the same consecutively (e.g. aardvark).
- The password should be original, not personal (like your name), not obvious, and hard to guess.
- Preferably the password shouldn't be in the dictionary.
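The checklist above, together with the "strength in bits" idea from the Did you know? note, can be turned into a local checker so that a password never has to be typed into someone else's website to be tested. The following is an added example, not the article's or Microsoft's tester: it reports which rules from the list a password breaks and estimates its strength in bits from the character classes it uses. The six-word dictionary is a constructed stand-in for a real word list, and the `personal` argument is an assumed way of passing in names the password must not contain.

```python
import math
import re
import string
from typing import List, Sequence

# Constructed tiny dictionary; a real checker would load a large word list (assumption).
DICTIONARY = {"password", "aardvark", "welcome", "letmein", "monkey", "dragon"}


def character_pool_size(pw: str) -> int:
    """Size of the pool implied by the character classes present in pw."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)     # 32 symbols and punctuation marks
    if " " in pw:
        pool += 1
    return pool


def estimated_bits(pw: str) -> float:
    """Upper-bound strength in bits: assumes every character was a uniform random
    pick from the pool implied by the classes used. Human-chosen passwords score lower."""
    pool = character_pool_size(pw)
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw: str, personal: Sequence[str] = ()) -> List[str]:
    """Return the rules from the article's checklist that pw violates (empty = passes)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.islower() for c in pw) or not any(c.isupper() for c in pw):
        problems.append("needs both lower and upper case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a number")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a symbol or punctuation")
    if re.search(r"(.)\1", pw):              # any character repeated consecutively
        problems.append("has two identical consecutive characters")
    if pw.lower() in DICTIONARY:
        problems.append("is a dictionary word")
    for item in personal:                    # e.g. your name or username
        if item and item.lower() in pw.lower():
            problems.append(f"contains personal information ({item})")
    return problems


if __name__ == "__main__":
    for candidate in ("aardvark", "Tangerine Orbit 42!"):
        print(repr(candidate), f"{estimated_bits(candidate):.1f} bits",
              check_password(candidate, personal=["Anti-Valentine"]) or "OK")
```

The bits figure is only an upper bound, which is why the rule checks matter: "aardvark" scores about 38 bits by the formula but falls instantly to a dictionary attack, while the 19-character phrase passes every rule and scores around 125 bits.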
© 2012 Anti-Valentine