Pragmatic Online Privacy – Passwords

Are you on Facebook? Do you Twitter? Perhaps Instagram is more your game? Do you shop with Amazon or order your groceries online?

If you have accounts with ANY online website, you have given away information about yourself to someone you don’t know, and you cannot take it back. Even if you close your account, your data might be in backups, potentially for years afterwards. This is assuming you can be confident it never went any further in the first place…

This post is aimed at educating, rather than scaring, anyone computer literate enough to be reading it.

What is privacy?

Privacy is more than simple “cyber security”. It’s not about basic things like not disclosing your password or credit card PIN. It’s about considering what information you’re giving away.

Be a bit skeptical. Ask yourself why this app needs access to your contacts, why this Facebook quiz needs to be able to read your status updates, and why this email is asking you to click a link to sign in. Treat any unexpected email that asks you to sign in through its own link as a phishing attempt, however genuine it looks. If you are unsure, don't use the link at all: contact the organisation directly by phone, or find their homepage with your own Google search and sign in from there.

I’m not suggesting we throw the baby out with the bathwater and all leave the internet entirely. Just that we take a few simple precautions to avoid being “hacked”.

What is “hacking”?

Hacking isn’t always a nerd in a hoody in front of 9 computer screens with heaps of data flowing past as they break into some bank or top-secret government computer system, like in the movies.

That’s hard to do, for one thing.

It’s much easier to go after the weak link in any security system: the humans. I’ll do another post on “phishing”, but it’s basically the process of tricking a person into handing over something (a password, the answer to a security question, a click on a link) that can then be used to attack them.

Imagine a Facebook quiz that will tell you which movie star you are most like in exchange for your mother’s maiden name and the name of your favourite pet as a child. Then, think back to what your backup security questions at the bank might be. Then ask yourself whether you know or trust the person who made that quiz.

Usernames and Passwords

This post is the first in a series, so let’s get the basics out of the way. There are simple rules to follow when dealing with credentials:

At the very very least, please, I beg you, ensure your email, online banking and “password manager” passwords are unique.

If an attacker gets hold of one of your passwords (for example, from a breached website), they will immediately try the same email address and password on Amazon, on every banking website, and on every email provider. This is automated, and is known as “credential stuffing”. Remember that your username is often your email address, which saves them the guessing.

If they get into your email, they will change your password to prevent you intervening and set a computer program running that will go to all the other sites of value and try the “I forgot my password” option. Each of those sites will send a reset email to your inbox, which the attacker now controls, and they will use it to lock you out of that account as well. Whatever that newly-compromised system is, chances are it holds an order of magnitude more personal information about you, which becomes further leverage on bigger, more “secure” targets.

Preferably, don’t even use the same password for more than one thing.

You might think it’s too many to keep track of, but recall the previous point where I described what they’ll do next once they get in. Is it worth the effort? I expect so.

There are tools (Dashlane, LastPass, 1Password) that can help with this. They can generate amazingly secure, unique, complex passwords for you, and even key them in for you when needed – even on your phone. Typically they are protected by a single “master” password, so the rest of my advice here applies doubly to that one. Some of these tools cost money; if you’re on a tight budget or don’t need the advanced features, a password-protected note on your smartphone is a workable fallback, provided the note really is encrypted and you keep a backup of it.

Where you can’t use a password manager tool to manage and key-in wonderfully secure, unique passwords (often the case at work), consider using the Correct Horse Battery Staple website to generate passphrases made of several random words. They are easier to type, and therefore to “transfer” from the password manager app on your phone to the system you’re signing into. Just remember that hackers take shortcuts, like trying all the words in the dictionary: the strength of a passphrase comes from the number of words and the size of the list they are drawn from, so use at least four genuinely random words, not one memorable one.
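To make the “dictionary shortcut” concrete, here is a small Python illustration I have added to this post (it is not code from the Correct Horse Battery Staple site or from any password manager). It generates a word-based passphrase and a manager-style random password with the standard library’s cryptographic random source, and estimates how long each would take to exhaust by brute force. The word list embedded below is a constructed 32-word sample so the script runs offline; the 7776-word figure is the size of a typical diceware-style list (the EFF long list) and the guess rate of ten billion per second is an assumed offline rate against a fast, unsalted hash, used only to put the numbers in perspective.

```python
"""Why one dictionary word falls and a multi-word passphrase does not.

Added illustration for this post; not code from the site or tools mentioned.
Standard library only, so it runs offline.
"""
import math
import secrets
import string

# Constructed, deliberately tiny word list (32 words = 5 bits per word) so
# the example runs stand-alone. A real list such as the EFF long list has
# 7776 words (about 12.9 bits per word); only that size is used below, the
# real list is not embedded.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "river", "candle", "orbit", "velvet",
    "meadow", "copper", "falcon", "lantern", "pebble", "saddle", "thunder", "willow",
    "anchor", "biscuit", "cactus", "dolphin", "ember", "fossil", "glacier", "harbour",
    "island", "jigsaw", "kettle", "lobster", "marble", "nectar", "oyster", "puzzle",
]
EFF_WORDLIST_SIZE = 7776  # assumed size of a diceware-style list
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(choices_per_position, positions):
    """Bits of entropy when every position is chosen uniformly and independently."""
    return positions * math.log2(choices_per_position)


def generate_passphrase(word_count, wordlist=SAMPLE_WORDS, separator="-"):
    """Pick word_count words uniformly at random (with replacement) from wordlist.

    secrets.choice uses the OS CSPRNG; random.choice would be predictable.
    """
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def generate_password(length, alphabet=PRINTABLE):
    """The kind of password a manager generates: random over a large alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def worst_case_crack_seconds(bits, guesses_per_second):
    """Seconds needed to try the entire space at the given guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast hash; illustrative only
    cases = {
        "one dictionary word (7776-word list)": entropy_bits(EFF_WORDLIST_SIZE, 1),
        "four random words (7776-word list)": entropy_bits(EFF_WORDLIST_SIZE, 4),
        "six random words (7776-word list)": entropy_bits(EFF_WORDLIST_SIZE, 6),
        "20 random printable characters": entropy_bits(len(PRINTABLE), 20),
    }
    for label, bits in cases.items():
        years = worst_case_crack_seconds(bits, rate) / (86400 * 365)
        print(f"{label:40s} {bits:6.1f} bits  ~{years:.3g} years at {rate:.0e} guesses/s")
    print("passphrase (sample list):", generate_passphrase(4))
    print("manager-style password:  ", generate_password(20))
```

Running it shows the shape of the argument: one word from a 7776-word list is under 13 bits and gone in a fraction of a second; four words is about 52 bits, which survives online guessing easily but only lasts days against an offline attack on a fast hash; six words is about 78 bits and a 20-character random password about 131 bits, both far beyond practical brute force. That is why the random words must be genuinely random and there must be several of them, and why the things a manager fills in for you should be the long random kind.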

Don’t ever tell anyone your username and password for anything.

You might make arrangements in case “the worst” happens, so that your passwords don’t die with you, but generally speaking, never share your passwords with anyone, and never share accounts. Most corporate IT policies make this mandatory, so before you tell anyone “just use my account”, remember that YOU ARE ACCOUNTABLE FOR ANY ACTION CARRIED OUT UNDER THAT ACCOUNT. Do you trust them that much?

Next time…

This post will become a series, with advice on considering your privacy in social media and on your smartphone. If you have any questions, please feel free to start a discussion in the comments section below. 🙂