Perfect password first line of defence against cyber crime

1st August 2018

Until I started research for this article I confess that I used the same password for nearly all of my online accounts. That single password was ‘strong’ and I created it using the suggestions that I detail below. But that’s not really the point; it would have taken only a single hacker a single hack to access an alarming amount of my personal data.

Using the same password for all of your accounts is like having the same physical key to every single lock in your life: your front door; your back door; your post box; your car; your bike; your diary, your office; your desk; your jewellery box; your bedroom. It may be delightfully convenient and save your pockets or handbag from sagging under the jangling weight but imagine that one key is stolen and on the keyring is your home address and your work address.

Multiple accounts but only one password
These days we seem to notch up online accounts (each requiring a password) as unthinkingly and as regularly as Donald Trump fires out crass and chaotic Tweets. Our email accounts, our Amazon account, perhaps Netflix or Spotify, that holiday rental company we signed up to, our supermarket account, Paypal, ticketing websites, your social media accounts (LinkedIn or Facebook, for example), your bigblu customer portal, that newspaper app that keeps you up-to-date, that dating site you once joined (Ashley Madison, anyone?). And that’s just off the top of my head (but I try and keep quiet about the dating site).

I know that having a strong and unique password for each of your online accounts feels daunting, cumbersome and perhaps even unnecessary. But as Tony Neate, CEO of the Government-backed organisation Get Safe Online, puts it: “Passwords are our first line of defence against cyber criminals online.”

In November 2015, moneysavingexpert.com conducted a survey that found that only 12% of us use different passwords for every account. So, we are far from alone in taking the easy way out, but easy in this case makes our data vulnerable and insecure.

Data breaches made easy
More recently, the Verizon Data Breach Investigations Report revealed that 81% of data breaches during 2017 involved compromised credentials. That figure has gone up from 66% in 2016 and 50% in 2017. Niall King, a director at the identity services specialists Centrify, said, “Cyber criminals find the path of least resistance to their target and today that path leads straight from users with self-managed ‘simple factor’ passwords.”

Simply speaking our passwords are getting easier to crack and inaction is making our data easier to hack. Data breaches have been making headlines across the world with increasing frequency, led by the Facebook-Cambridge Analytica scandal that saw the data of 87m users harvested for political purposes. In the last two years alone companies including Uber, Ticketmaster, Dixons Carphone, MyFitnessPal, MyHeritage, Typeform (whose clients included adidas and Fortnum and Mason’s) have all suffered significant security breaches.

Cracking the code
One of the reasons our passwords are easy to hack is that our passwords are easy to hack. SplashData, a provider of password management applications, annually reviews leaked password data with the aim of highlighting our lack of password sophistication (not to mention imagination). At No1 last year, unchanged from 2016, was ‘123456’. No2, also unchanged, was ‘password’; ‘letmein’ and ‘iloveyou’ were new entries at No7 and No10 respectively.

It was about at this stage of my research that I started channelling the puzzle-setting skills of Benedict Cumberbatch as Alan Turing in The Imitation Game, frantically scribbling digits and letters and twisting cogs and plugging and unplugging wires to make each of my passwords secure. Without going quite to the extremes of Professor Turing, here’s how you can begin to create the undecipherable…

Have you been pwned?
A good place to start is to head to HaveIBeenPwned? to check whether your regular email address has been caught up in a data breach. The site is a free service that aggregates data breaches and helps people establish if they’ve been impacted by malicious activity on the Internet.

I checked mine for the first time this morning. It has been involved in five data breaches since 2012, including Last.fm and LinkedIn. A “breach” is an incident where data has been unintentionally exposed to the public.

Before we go on, I want to emphasise that I am no techie; I’m digitally coherent but by no means fluent. I have had the same password for all but one account for the last four years. Every time I open a new account (last night it was to buy theatre tickets) I use the same password. Each time I enter it with a gnawing sense that I am being watched. And yet the seeming avalanche of admin means I ignore that fear, thinking that it won’t happen to me.

Well, it already has. Five times. The last of those in February of this year, when a massive collection of almost 3,000 alleged data breaches involving over 80 million unique email addresses was found online.

Manager of the fear
Here’s what I did next. I signed up to 1Password, the password manager site recommended by Troy Hunt, the Australian tech genius and Microsoft Director behind HaveIBeenPwned?. If it is good enough for Troy, it’s good enough for me. A password manager will create and remember a strong, unique password for every online account that you have, making your personal data more secure than it has ever been.

The multi-layered protection provided by password managers does not come for free, but neither is it expensive. For online peace of mind, 1Password charges $2.99 per month (with the first month free).

We don’t have the space to go into them all now (that will be for another day) but there are plenty of great password managers out there that offer a range of options to suit every security need.

Mastering the memorable
After signing up and entering my card details for payment purposes, I had to choose a memorable but random master password. 1Password’s handy tips will guide you with this or generate one for you. This will then create a Secret Key that you can use in password emergencies; they recommend that you print it out and keep it with your passport, save it to a USB stick or copy it to your cloud storage.

Once set up, all I needed to do was download the 1Password app for the devices I use and the 1Password browser extension. In my case that’s an iPhone, a MacBook (for personal use) and a Windows laptop (for work). Now, with 1Password’s help, I can either actively change the password on each of my accounts or, alternatively, every time I log in to one of my online accounts with my generic hackable password, 1Password will help me choose a new random one and store it for me in my vault.

With that all done, now instead of needing to recall my random password, the 1Password icon will appear and, at the click of a button, allow me to select the new relevant random near-impossible-to-hack password.

All. Eggs. One. Basket.
I can already hear the question on your lips. I can hear it because it was the same question I asked myself. What if my password manager account gets hacked?

Well, it won’t come as much of a surprise to find out that password managers take security pretty seriously. It may not mean much to you, it didn’t to me until I asked bigblu’s head developer, but he assured me that the meaty ‘256-bit Advanced Encryption Standard’ encryption they use makes reading your data very difficult, even Turing would struggle.

If a password manager feels a bit too daunting at this stage, it’s definitely worth getting out some pencil and paper to scheme some new random but memorable passwords that cannot be easily guessed. The longer the better as adding a single character to a password boosts its security exponentially.

Old school coding
The Better Buys website investigated this matter and came up with a tool that can tell you how long it would take to crack your password. For example, if you have an extremely simple and common password that’s seven characters long (“abcdefg”), a pro hacker could crack it in a fraction of a millisecond. Add just one more character (“abcdefgh”) and that time increases to five hours. Nine-character passwords take five days to break, 10-character words take four months, and 11-character passwords take 10 years. Make it up to 12 characters, and you’re looking at 200 years’ worth of security – not bad for one little letter.

Combining numbers and letters rather than sticking with one type of character dramatically enhances password security. However, it’s not as simple as swapping your “i” for a “1” or adding a number at the end. Password attackers have already factored in our predictable habits. If you’re going to go down the pencil and paper route, the best advice is to just make your password less predictable and more complicated.

Here are some suggestions to get you scribbling:

  • start with three random words and include lower- and upper-case letters. To make it more secure, add in numbers and symbols (such as @ # $ % ^ & *) – and make it at least eight characters long; or
  • make up a memorable phrase or sentence, and take the first letter from each word to create a sequence; or
  • pick a number of key words that mean something to you but aren’t obvious or guessable, pick a few key numbers (avoiding obvious dates like your anniversary) and then create passwords using a combination of both.

Once you’ve come up with your new passwords, then note them down in code, save them to a USB stick or save them to your cloud storage. Whatever you do, save your data from the risk of exposure.
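As an added illustration (not code from the article or from bigblu), here is a small Python estimator that applies the rules of thumb above: each extra character multiplies the search space by the alphabet size, an appended number or an “i for 1” swap earns no credit because attackers already try those, and anything on the leaked top list counts as cracked instantly. The guess rate, the leet substitution map and the sample word list are assumptions made for the example.

```python
import re
import secrets

# Constructed sample of the leaked "top password" list the article cites
# (the SplashData entries named in the text). A real check would load a
# full breach corpus rather than four entries.
COMMON_PASSWORDS = {"123456", "password", "letmein", "iloveyou"}

# Assumed attacker speed (hypothetical, not a figure from the article):
# ten billion guesses per second against a fast, unsalted hash.
GUESSES_PER_SECOND = 1e10

# Predictable "i -> 1" style swaps. Cracking tools apply these rules
# automatically, so the estimate reverses them before rating a password.
LEET_MAP = str.maketrans("0134$@!", "oleasai")

def normalise(pw: str) -> str:
    """Undo the habits the article warns about: drop a trailing run of digits
    and reverse leet substitutions, so 'P@ssw0rd1' is rated as 'Password'."""
    base = re.sub(r"\d+$", "", pw).translate(LEET_MAP)
    return base or pw  # an all-digit password has nothing else to fall back on

def charset_size(pw: str) -> int:
    """Alphabet an attacker must search: only character classes actually present count."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]
    return sum(n for pattern, n in classes if re.search(pattern, pw))

def keyspace(pw: str) -> int:
    """Brute-force search space of the normalised password; 0 means it is on the
    leaked list, which a dictionary attack tries before any brute force."""
    effective = normalise(pw)
    if pw.lower() in COMMON_PASSWORDS or effective.lower() in COMMON_PASSWORDS:
        return 0
    return charset_size(effective) ** len(effective)

def seconds_to_crack(pw: str) -> float:
    """Worst-case time for an exhaustive search at the assumed guess rate."""
    return keyspace(pw) / GUESSES_PER_SECOND

def three_random_words(wordlist, count=3, rng=secrets):
    """The article's 'three random words' tip, with a CSPRNG choosing the words
    because people choose predictably. The caller supplies the word list."""
    return "".join(rng.choice(wordlist).capitalize() for _ in range(count))

if __name__ == "__main__":
    for pw in ["123456", "P@ssw0rd1", "hello42", "abcdefg", "abcdefgh", "abcdefG"]:
        print(f"{pw!r:14} keyspace={keyspace(pw):<16} ~{seconds_to_crack(pw):.3g} s")
```

The figure is an upper bound for brute force only; a password built from dictionary words falls to a wordlist attack far faster than its character count suggests, which is why the article pairs the three-words tip with numbers and symbols.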

Loose lips sink ships
And the last word on passwords: never tell anyone your password, especially someone claiming to work in tech support. Real technical support staff will never ask you for your password, because we don’t need your private information to help you.