Keep Your Private Data Private – Good Password Practices Part 2

This is the third post in a series of posts on keeping your private data private.  It was inspired by the Jennifer Lawrence (et al) nude photo scandal, and then encouraged by the “gmail hack,” which wasn’t really a gmail hack — which was published literally while i was working on this post.  Previous posts talked about two-factor authentication and preventing hackers from guessing your password.

As I said in the last post, password best practices boil down to three things: preventing hackers from guessing your password, preventing them from stealing it in plain text, and limiting the damage if they do either one.  This blog post is about protecting yourself form the second two.  To read about protecting against the first one, read my previous blog post.

Note: if at any point in this article, you find yourself saying “give me a break” or your eyes start rolling into the back of your head due to boredom, just skip to the next blog post where I talk about password managers.

Limiting the damage if hackers steal your password 

You should assume that any given password may eventually get compromised.  Therefore, you do not want to use the same password on every system. It’s one thing to have your gmail.com account password in the hands of bad guys.  But if that same username and password are used on your amazon.com site?  You’ll be buying $500 espresso machines for all your best friends in the Czech Republic before you can say Carlovy Vary.

Now I’ve gone and made it impossible, right?  I want you to use a hard-to-guess password, I don’t want you to write it down, and I want you to use a different one on every system.

One thing that people do that is to combine the password mentioned above with a 2-3 letter code for each site.  Prepend, append, or (better yet) split your password with this code.  So take the “base” password above and make it one of these for Facebook:

FbStephen12p$4#oS
FStephen12p$4#oSb
FBStephen12p$4#oS
Stephenfb12p$4#oS

Then you do the same thing for your other accounts that you have.  This has the benefit of giving you a unique password for every site that’s relatively easy to remember, and it makes it harder to guess.  Adding those two characters increases the entropy of the password as well.

Another thing that people do is to have classes of passwords.  They use really secure and separate passwords for sites where money is involved (e.g. bank, Amazon.com, any site that stores your credit card), another set of passwords for sites with sensitive personal information (e.g. facebook, gmail, dropbox), and then a “junk” password they use at places where you wouldn’t care if it got hacked (e.g. The website that stores your recipes).

Preventing them from stealing your password in plain text

This blog post says that half of all internet sites store your passwords in plain text. For example, but it was revealed only a few years ago that LinkedIn was storing passwords in plain text.  You’d think they’d know better.  There’s literally nothing you can do to protect against that.  No matter how good your password is; if they steal the password file and your password is in plain text — you’re toast.  Well, shame on them.  

What you can do, though, is to avoid installing software that would steal your passwords as you type them by watching your keystrokes. Don’t click on emails you don’t recognize.  Don’t click on emails from places you do recognize!  If Bank of America sends you an email, open BOA’s website on your own and log in.  Don’t click on the link in the email.  If you do, at the very least you’re letting a spammer know you’re a real person.  Possibly it’ll be a really normal looking website that is nothing but a dummy site made to look like BOA and designed to steal your password as you type it in.

Also, no bank should ever call you and ask you for personally identifiable information, either.  They should not be calling asking for passwords, your SSN, or anything like that.  Unfortunately, some actual banks do this.  The bank I belong to will call me about some fraud, and then ask me to verify my identity by giving them my account number or SSN or something.  I refuse to give them that information and then I call back the actual number of the bank and talk to the fraud department.  In my case, it really is the bank just doing stupid stuff.  But it could be someone just trying to steal your passwords. But I believe it’s a really bad idea for banks to teach people that someone might call them and ask them for such information.

And if you get a phone call from “computer support” claiming you’ve got a virus and they need to login to your computer to fix it, again… hang up!  Tell them they’re full of crap and they are a worthless excuse for a human being.  In fact, feel free to unload the worst things you’ve ever wanted to say to a human being to them.  It’ll be cathartic, and it’s not like they can complain to anyone.

This practice of trying to get you to give up your password or other personal info is referred to as social engineering.  If you want to see how it works, watch a great movie called Sneakers, or a not-as-great movie called Trackdown.  Both are available on Netflix On-Demand, and they both show you exactly the kinds of things hackers do to get people to reveal their personal information.  Sneakers is the better movie, but Trackdown is actually more technically correct.  It’s loosely based on the story of Kevin Mitnick, considered one of the greatest hackers of all time.  (In real life, Kevin Mitnick now does what Robert Redford’s character does in Sneakers.)

Use a Password Manager

This is becoming my default recommendation. Use a password manager to create random passwords for you, remember them, and enter them for you.

I’m talking about products like 1passwordlastpass, and Dashlane.  Instead of having to create and remember dozens of different passwords, you can just have them create and store your passwords for you.  I have been trying out Dashlane and like it quite a bit.  Some of them also support two-factor authentication, something I talked about in my last post.

The first thing Dashlane did was to import all of the passwords stored in my browser.  It turns out there were 150+ of them!  If I did nothing else, it would allow me to turn off the “remember password” feature on my browser.  (It’s a really bad feature because if someone gets your laptop, they have the ability to automatically login as you to your most important sites, and your browser’s history will take them right to those sites.)  

The second thing Dashlane did was to run a security audit on all my passwords.  Like many people, I failed the audit.  But then they walked me through exactly what I needed to do to make things all better.  They also synchronized my passwords to my iPad and Android phones. 

The software will remember your passwords and automatically log you in — but not before requiring you to login to the password manager (usually once per session). That way if someone stole your laptop, they wouldn’t be able to use the password manager to gain access to anything — assuming you didn’t put your master password on a sticky on your laptop, of course. 😉  They also allow you to specify that a particular site requires an entry of the master password every single time you use it, not just once per session. Pretty impressive stuff.

They unfortunately don’t yet support logging into apps on iOS/Android, but it can sync your passwords to those devices.  That way if you forget a given password, it can either display it to you or copy it into the buffer so you can paste it into the app.  I’ve been pretty impressed with Dashlane.

Summary

•    Don’t use easy to guess passwords

•    Don’t use the same password everywhere

•    Don’t open stupid stuff that’s designed to steal your data

•    Consider using a password manager

I hope this post helps and hasn’t been too overwhelming.

 


Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at Sullivan Strickler, which helps companies manage their legacy data

2 comments
  • huh, in any case the best way to steal something is to ask a person to give it to you. Social engineering how they call it. Fraud, deceive — all this work unfortunately. Maybe these sophisticated practices just help that as a man thinks that he’s protected which is in fact it is, and he’s relaxed and so on.