It is 2017, and I am still dismayed at how people handle their passwords!
I don't know if people realize that if a single site is hacked and its login database leaks, attackers will immediately try the same email address and password at banks, PayPal, eBay, Amazon, and so on, and can drain a bank account in a matter of minutes. And even if they don't steal your money, they can use your login information for all kinds of purposes that can dramatically affect you: identity theft, for example, or subscribing to services under your name, because by accessing your accounts they can collect your name, address, phone number, date of birth, etc.
So I think we can never repeat it enough: pay attention to your login information, and even more to your passwords. Here are some tips which I think are worth repeating over and over again.
DON'T USE THE SAME PASSWORD EVERYWHERE:
I know it is convenient and easy, but it is definitely a no-no. As I said above, imagine one of the sites you use gets hacked and your password is discovered: that would compromise all your accounts everywhere. It would take just one weak site to grant access to all of them. So think about it and choose a different password for each account.
To stay somewhat convenient, you can keep the same password base and add a few site-specific characters at the end. For example, for your Gmail account you could add "gma", for Amazon "amz", and so on. Be aware that such a scheme is only marginally better than plain reuse: anyone who sees one of your leaked passwords, "Summer2017gma" say, can guess the pattern and derive the others. These examples are far too obvious to be safe; I give them only to convey the general idea.
USE PASSWORDS THAT ARE COMPLEX ENOUGH:
Avoid common words. Better still, avoid existing words altogether. Ideally a password is a randomly chosen mix of letters, digits and symbols. I know that makes it virtually impossible to remember by heart, so as a compromise you can pick a combination of words you can remember, mix them with digits and symbols, and put uppercase letters in the middle of words rather than only at the start.
But avoid passwords such as "password" or "0123456789"! You may think they are so obvious that no hacker would ever try them, but hackers don't have to think: they use software that automatically tries lists of millions of passwords taken from previous leaks, and those two are in every such list.
VERIFY THAT THE REGISTRATION / LOGIN PAGE IS SECURED:
When you register at a site, verify that the page URL starts with "https". Browsers also add a padlock icon or the word "Secure" next to the address to get your attention. Check this on the page where you actually type your password, not only on the home page.
It does not mean the site can't be hacked, nor that the site is honest; it means that, at least, the information transmitted between your browser and the server hosting the site is encrypted, so it can't be read or altered on the fly by someone sitting in between (a "man in the middle" attack). Indeed, between your computer or phone and the site there is a series of routers and other devices through which your data transits. If one of them is compromised, whoever controls it can capture that data. The same is very true of all wireless connections, such as WiFi, especially public WiFi, where anyone in radio range can record the traffic.
CHECK HOW THE SITE DEALS WITH YOUR PASSWORD:
If the site sends you an email containing your password after registration, that is not good. Email can be intercepted in transit, and the message then sits in your mailbox for years, where anyone who later gets into it finds the password.
If the password recovery function of the site offers to send your password back by email, this is VERY BAD. Why? Because if a site is able to send your password back, it means it stores the password itself, in plain text or in a form it can decrypt, in its database. The day hackers get into that database, they get all the passwords without any effort at all: they are simply written there. A properly designed site cannot send you your password; it can only send you a link to choose a new one.
Now, you are not the only one responsible if passwords are leaked; web sites share that responsibility. Of course, ultimately it is the hackers' fault, but web sites are often not careful enough about securing the data of their registered members.
A web site should NEVER store passwords in plain text! It should store a "hash" of each password instead. What does that mean? Instead of the password itself, the site stores a kind of digital fingerprint of it, computed by a one-way function: from the hash you cannot compute the original password back. There is no key that reverses it, so strictly speaking it is not encryption. What an attacker who steals the hashes can still do is guess: take a candidate password, hash it, compare it with the stored value, and repeat with the next candidate. That is why the hash should be computed with a unique random "salt" per user, so that two users with the same password don't get the same hash and every guess has to be recomputed for every account, and with a deliberately slow algorithm designed for passwords (bcrypt, scrypt, PBKDF2 or Argon2) rather than a fast one like MD5 or SHA-1, so that each guess costs the attacker as much as possible.
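An added example, not code from the original post: the script below shows, on constructed data, both the dictionary attack mentioned under the complexity tip (hash each common password and compare) and the difference between an unsalted fast hash and a salted, slow password hash. It uses only Python's standard library (hashlib, hmac, os). The six-entry password list is a constructed stand-in for real leaked-password lists, and the "pbkdf2_sha256$iterations$salt$digest" record format is an assumption chosen for this example, not any site's actual scheme.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny stand-in for the multi-million-entry lists of
# leaked passwords that cracking tools feed through a hash function.
COMMON_PASSWORDS = ["123456", "password", "0123456789", "qwerty", "letmein", "Summer2017"]

# --- What a careless site does: a fast, unsalted hash ---

def md5_unsalted(password):
    """One fast hash, no salt: the same password always gives the same hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def crack_unsalted(stored_hash, wordlist=COMMON_PASSWORDS):
    """Dictionary attack on an unsalted hash. Each candidate is hashed once,
    and that one result could be compared against every account in a leaked table."""
    for candidate in wordlist:
        if md5_unsalted(candidate) == stored_hash:
            return candidate
    return None

# --- What a careful site does: salted, deliberately slow PBKDF2 ---

ITERATIONS = 100_000  # work factor; raise it as hardware gets faster

def hash_password(password, salt=None):
    """Return a self-describing record (assumed format): algorithm$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def crack_salted(stored, wordlist=COMMON_PASSWORDS):
    """The same dictionary attack against one salted, slow record: every candidate
    has to be recomputed for this record alone, at ITERATIONS HMAC rounds each."""
    for candidate in wordlist:
        if verify_password(candidate, stored):
            return candidate
    return None

def demo():
    """Run both storage schemes on two users who picked the same weak password."""
    results = {}
    leaked_table = {"alice": md5_unsalted("password"), "bob": md5_unsalted("password")}
    results["identical_unsalted"] = leaked_table["alice"] == leaked_table["bob"]
    results["cracked_alice"] = crack_unsalted(leaked_table["alice"])
    safe_table = {"alice": hash_password("password"), "bob": hash_password("password")}
    results["identical_salted"] = safe_table["alice"] == safe_table["bob"]
    results["alice_login_ok"] = verify_password("password", safe_table["alice"])
    results["alice_wrong_pw"] = verify_password("Password", safe_table["alice"])
    results["cracked_salted"] = crack_salted(safe_table["bob"])
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that the salted record is still cracked, because "password" is in the list: salting and slowness do not rescue a password that everybody uses; they only make each guess cost the attacker a full PBKDF2 run per account instead of one MD5 shared across the whole table.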
BE CAREFUL WITH YOUR BROWSER'S PASSWORD MANAGER:
In all modern browsers, the first time you log in to a site, the browser offers to remember your login and password. This is very convenient, because next time you don't have to type them again. The problem is that anyone else who uses your computer while your session is open can log in to your accounts, and in most browsers can even display the saved passwords from the settings page. The same goes if your computer is stolen. So this is a feature we prefer not to use.
I hope all of this will be useful. Do not hesitate to contribute.
May 06, 2017 (2 years ago)
Great article, John! Thank you for posting it.🙂
by: Miss B.
May 08, 2017 (2 years ago)
You are welcome!
May 13, 2017 (2 years ago)
Thank you John G., this is a great post.
To complete it, I would like to mention the site
"Have I been pwned?" developed by Troy Hunt:
A free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or "pwned" in a data breach.
by: Urban Legend
May 19, 2017 (2 years ago)
Thank you for the tips, and also for the link.
I've just tested for my e-mail address and discovered that my information had been compromised! I had no idea at all! In my case, it seems that Adobe had been hacked years ago. I've never heard about it!
May 23, 2017 (2 years ago)
There are all kinds of apps which propose to manage your login information. That way, you don't have to remember them or note them somewhere. You install the app, you set your login information for each site / service once, and then the app logs you in automatically.
What do you think of it? Is it safer? Or is it worse? I always thought that if all my passwords were managed by a single app, then the day this app is hacked, all my information will be in the wild at once. Am I being paranoid?
May 25, 2017 (2 years ago)
About passwords manager solutions.
I agree with the idea of using different passwords at different sites or services. However, it then becomes difficult to remember them all, especially since, often, you are asked to choose a "long" password mixing upper and lower case letters, as well as digits, punctuation signs, etc. It ends with passwords which are hard for a human to remember. Which, in a way, is the goal: to have a password that is hard to guess. This is why password manager solutions can be good. But maybe NOT!
The worst is when you use online password manager services. This is very convenient, but, as with any kind of centralized service (like cloud hosting), the day the service is hacked, a lot of people can have their passwords compromised.
I just came upon this article from ZDnet.
Password manager OneLogin hacked, exposing sensitive customer data
Another reason to think twice of how to manage passwords.
June 02, 2017 (2 years ago)
What is insane is that, for the purpose of "enhancing" security, web sites keep asking for more and more personal information. At first, all you needed was a username and a password, then an email; now most web sites ask for a cellphone number and require you to use a real name instead of a nickname. Yes, in theory it improves security and limits the risk of unauthorized access, but the side effect is that, in case of a data breach, hackers have a lot more information about you 🙂 And I don't have to mention that there are more and more data breaches.
January 01, 2019 (9 months ago)