I’ve noticed a lot of friends have been getting hacked lately. A number on twitter, and even worse, in g-mail. This post is to give you a bit of information on why securing your accounts is important, and how to do it. It’s a bit long, but I think worthwhile. I’ve bolded the most important points for those short on time who don’t care to see the reasoning behind some of these practices.
Now you may not think you’re at risk of someone cracking into your account. You’re not important enough for some ex-KGB or Al Qaeda operative to discover your secrets. But hackers today aren’t usually concerned with breaking into one person’s account. They are trying to break into hundreds or thousands of accounts and make lots of money by stealing a little bit from everyone. At best they’ll send out embarrassing spam e-mails and tweets to all your friends, family, and co-workers. At worst they’ll convince grandma to wire thousands of dollars overseas to save you from a faked emergency. And frankly it would be bad enough to just lose access to all your e-mails, even for a few days.
Different passwords
Now it’s nice to think we can trust all these technology companies with smart employees to keep our information secure. But the sad reality is they are not good at it. And even if the important ones, the ones hosting your e-mail, or access to your financial information are secure, there is probably one fun little website you have an account on that isn’t secure.
But who cares if someone gets access to that account, right? You barely even use it. But are you using the same password for that account and all your other important accounts? And did you register all those accounts with the same e-mail address? If so, the hacker has the password for all those accounts, knows your e-mail address, and can probably get into your e-mail. From there it’s not too hard to find the rest of your on-line accounts. The security hazards from multiple accounts can get even more complicated, as this Wired writer found out.
The first step you can take to prevent this is start using different passwords for all your different accounts. Or at least using different passwords for all your important accounts. Now, you’re probably thinking “How am I going to remember all those passwords?” The good news is you don’t have to.
I use KeePassX (a clone of KeePass for Mac and Linux). I only have to keep track of one password that gets me into KeePass, and KeePass keeps track of the rest of my passwords. They are encrypted and stored on my computer and not in the cloud, unless I choose to put them there. Though there is the extra step of opening KeePass to log in, it has handy shortcuts to speed things up. Ctrl+U opens the selected account’s website. Ctrl+V copies and pastes your username and password into the website and logs in. Not only do you not have to remember your password, you don’t even have to type it (see the KeePass Tutorial to get you started). There are also MiniKeePass and KeePassDroid for iPhone and Android if you log in to a lot of accounts through your phone. I keep my passwords on my phone in sync with my computer with SpiderOak (also encrypted) so I don’t have to worry about keeping them in sync by hand.
Smart passwords
Using different passwords isn’t enough. You also need to use smart passwords. Let’s do a quick math lesson. We’ll start by restricting ourselves to a two character long password, and look at how adding more choices for each character increases the possible number of passwords. We start with numbers, add letters, uppercase letters, then some punctuation.
Characters and options per character          | Possible passwords
00-99 numbers only (2 characters, 10 options)  | 100 passwords
00-zz add letters (2 char’s, 36 opt’s)         | 1296
00-ZZ add uppercase (2 char’s, 62 opt’s)       | 3844
add common punctuation (2 char’s, 80 opt’s)    | 6400
Now obviously a two character password is a bad idea. Even low powered modern computers could churn through those options in moments. But hopefully it illustrates the point that more options per character are better. Now let’s just look at increasing password length using numbers only.
Characters and options per character          | Possible passwords
00-99 (2 characters, 10 options)               | 100 passwords
000-999 (3 char’s, 10 opt’s)                   | 1000
0000-9999 (4 char’s, 10 opt’s)                 | 10000
00000000-99999999 (8 char’s, 10 opt’s)         | 10^8
Here the increase in possible passwords is more dramatic. And it’s even better when we have more options for characters.
Characters and options per character          | Possible passwords
6 characters, 80 options                       | 2.62144×10^11
8 characters, 80 options                       | 1.6777216×10^15
12 characters, 80 options                      | 6.871947674×10^22
15 characters, 80 options                      | 3.518437209×10^28
These are some ridiculously large numbers. Passwords from the first two tables take seconds to days to crack. At the bottom of the last table it starts taking years to centuries. Now you understand why some sites require a long password with some numbers and characters in them. It’s not just to make your life difficult.
Unfortunately most people are lazy in their passwords and hamstring the effect of longer passwords with more characters. And because a lot of people are lazy this gives hackers the advantage. If you want the gory details, check out Why passwords have never been weaker—and crackers have never been stronger. In summary, hackers have been able to break a large number of passwords, and they now know the types of passwords people use.
Typically, to meet tough password requirements but make something they can remember people will make something like this: HappyDuck96! This seems like a good password. It’s twelve characters long, using numbers, lower and uppercase letters, and punctuation! That means hackers have to go through 6.87×10²² passwords to crack it, right?
Wrong. This password follows a common pattern to make it easy to remember. Two common words, each starting with an uppercase letter, followed by a number, ending with a punctuation mark. If hackers only try to break passwords that follow this combination they only need to try around 5.88×10¹³ (171,476² × 10² × 20) passwords. This still seems like a lot, but this number is about one billion times smaller than the first number, which means about a billion times fewer passwords for hackers to cycle through. The key lesson is don’t use words in the dictionary (or even common misspellings), and mix in the capital letters, numbers, and punctuation.
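The arithmetic behind the three tables above and the HappyDuck96! pattern count, as an added example (not part of the original post). The 171,476 dictionary size and the 20 punctuation marks are taken as constants from the post; the guess rate in `worst_case_seconds` is an input you supply, not a measured figure.

```python
# Character-set sizes used in the post's tables
NUMBERS_ONLY = 10   # 0-9
WITH_LOWER = 36     # + a-z
WITH_UPPER = 62     # + A-Z
WITH_PUNCT = 80     # + common punctuation


def keyspace(length, options):
    """Every position can hold any of `options` characters: options ** length."""
    return options ** length


def pattern_keyspace(dictionary_words=171476, digits=2, punct_marks=20):
    """Keyspace for the 'HappyDuck96!' shape: two dictionary words, two
    digits, one trailing punctuation mark. 171,476 is the word count the
    post uses; it is taken as a constant here, not re-derived."""
    return dictionary_words ** 2 * 10 ** digits * punct_marks


def reduction_factor(length=12, options=80):
    """How many times smaller the pattern search is than brute force."""
    return keyspace(length, options) / pattern_keyspace()


def worst_case_seconds(space, guesses_per_second):
    """Time to try every password at a given guess rate (the rate is an
    assumed input, not a benchmark)."""
    return space / guesses_per_second


def table(options, lengths=(2, 3, 4, 6, 8, 12, 15)):
    """Rows of (length, options, keyspace in scientific notation)."""
    return [(n, options, f"{keyspace(n, options):.3e}") for n in lengths]


if __name__ == "__main__":
    for row in table(WITH_PUNCT):
        print(*row)
    print(f"pattern keyspace: {pattern_keyspace():.2e}")
    print(f"brute force / pattern: {reduction_factor():.2e}")
```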
How will you ever remember a password like that? There are two solutions. First is using something like KeePass which I’ve mentioned above. It can even generate strong passwords for you so you don’t have to struggle to come up with a new one. But there may be some sites where you don’t want to be dependent on KeePass, and need a strong password that you can remember. Here’s where the second option comes in.
To come up with your password, first think up a phrase. Then take the first letter of each word in the phrase, and mix in some capitals, numbers and punctuation. For example, we get “bgw0Mhgb4!” from “boldly go where no(0) man has gone before(4)!” The phrase behind it makes it easy for you to remember. But it’s difficult to guess, as the phrase behind it is not obvious. There are a couple of caveats. One, don’t use common phrases (like in our example); just make up a phrase on the spot. Then only you’ll know the phrase. Two, don’t always stick punctuation at the end. Predictable patterns are always a benefit to hackers. Three, make sure you memorize that phrase, and what tweaks you’ve made to it. Do you remember which letter you capitalized? Which letter you swapped for a number? For this reason, it’s always good to store the password in something like KeePass just in case memory fails you.
2-step verification
This is probably the easiest solution to use, but it’s not always available. Many websites now are offering two-step verification. It works like this. Any time you log in from a new computer you’ll be asked for a verification code. This code will either have been texted to your phone, or generated by a special program on your phone. To access your account you need this second code. This means even if a hacker discovers your password, they also need your phone to log in to your account. Pretty unlikely since most hackers have no idea who they are even hacking. Of course, you’ll want to confirm that this system works. If you don’t get the text messages, you may find yourself unable to access your account.
There can be a bit of setup to this, and problems like losing your phone. If you can’t But there is a great walkthrough for two-step verification for g-mail that makes it pretty easy, and shows where some of the challenges come in. And there are a lot of other sites that use 2-step verification. If there’s a web site that stores a lot of important information for you, and it’s not using two-step verification, why not request they start?
Insecure sites
Another key thing to do to keep yourself secure is recognizing sites that are blatantly insecure. The most obvious sign is if a website ever sends you your password in plain text. This isn’t your initial password that was automatically created, which you are supposed to change immediately. Of course you need them to send you that. But if you’ve created your own unique password and forgotten it, and they then send an e-mail with that password in it, that means they are storing your password in an easy-to-read file.
Most servers store passwords in an encrypted state. They don’t know what your password is. The way you can log in is once you enter your password, they encrypt it and check it against the encrypted version. But if a website sends you your password in plain text, it means a hacker only needs to break into their server, and they have your password. You should stop using this website immediately and let them know why.
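The two storage choices described above side by side, as an added example (not code from the original post): a plaintext record, which is the only kind a site can read your password back from, and a salted one-way hash (PBKDF2 here, an assumed choice) that a login check can compare against without the site ever knowing the password.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # PBKDF2 work factor; illustrative value, not a benchmark


def store_plaintext(password: str) -> dict:
    """What a site that can e-mail you your password must be keeping."""
    return {"password": password}


def store_hashed(password: str, salt: Optional[bytes] = None) -> dict:
    """Keep only a salted, slow one-way hash; the password itself is not kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Log-in check: hash the submitted password the same way and compare."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def password_reminder(record: dict) -> Optional[str]:
    """A 'here is your password' e-mail is only possible from a plaintext record;
    from a hashed one the site can only offer a reset."""
    return record.get("password")


if __name__ == "__main__":
    good = store_hashed("bgw0Mhgb4!")
    print(verify("bgw0Mhgb4!", good), verify("HappyDuck96!", good))
    print(password_reminder(good), password_reminder(store_plaintext("bgw0Mhgb4!")))
```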
Recognizing hacked friends
It is usually pretty easy to recognize friends that have been hacked. They start sending out short e-mails with links and not much explanation, or posting racy videos on facebook that are out of character for them. It’s important to recognize this for two reasons. One, you can be a good friend and let them know. They need to change their password immediately, and the sooner they know the better. Two, you don’t want to click on that link. Often there are security flaws where clicking on a link can allow someone to log into your account. These aren’t too common, but it’s best not to click on the link anyway.
In the more serious case you won’t be getting sent a link trying to sell you something. Instead you’ll be getting an e-mail with a horror story of what happened to your friend and pleas for money to help them out. The first thing you should do is call this person. Call even if they claim to have lost their phone. You owe it to them to check.
Second, see if there’s a way you can help them let people know they are alright. If you can see the people the e-mail was sent to, e-mail them once you’ve talked with your friend to let them know everything is all right. And make sure the people who are least Internet savvy, and who are most likely to be sympathetic to their plight, like close family members, are contacted quickly.
Finally, if things are really bad, help them through getting their account back. Usually they just need to log in and change their passwords. But in the worst cases you’ll need to be in touch with the company the hacked account is with. They’ll need someone who is calm to help them through the process of finding who to contact and what to do.
Wrap up
Getting hacked is one of the downsides of the technology age. I hope this educated you on what steps you can take to protect yourself on-line, and now you can be a digital citizen with more confidence. If you have any questions please ask in the comments. And if you’re a tech savvy friend who has spotted an error, or has recommendations, please comment.