I don’t remember my passwords. I get anxious when a website asks for it.
Sometimes I just want to see pictures of party decorations, but the site asks for both my account and my password. I don’t know either so I just go back to the other search results. Why do I need security just to look at photos of elaborate decor?
Then there’s the pain of the PIN, the personal identification number. I feel like a thief when I try to enter my PIN at the ATM because I’m not sure if it’s the right one. What’s more ridiculous, my bank wants me to enter my PIN when I deposit money. I’m giving them my money and they want to make sure it’s me? Who cares where the money comes from?
PINs and passwords (PW) were created to secure an account and ensure that I am the person I claim to be. It tries to prevent others from impersonating me and gaining access to my information, especially my credit card.
Fine. But if I just want to read an article online, why do I need an account and password? I don’t have a card on file. The only data they can use is that I read the news and non-fiction. Why would anyone want to pretend to be mundane me?
Since passwords are so commonly required, it’s hard to keep track of all of them. So for simplicity, a lot of us just use the same PW for all accounts.
Worse, we don’t even try to create a personal PW, we just use the easiest things to remember.
“I find that many people, even executives at large corporations, are lazy when it comes to passwords,” writes world hacker Kevin Mitnick in The Art of Invisibility (2017).
“Consider that the CEO of Sony Entertainment, Michael Lynton, used “sonyml3” as his domain account password. It’s no wonder his e-mails were hacked and spread across the Internet since the attackers had administrative access to most everything within the company,” writes Mitnick.
From 11 million online passwords, the most common are: “123456,” “12345,” “password,” “DEFAULT,” “123456789,” “qwerty,” “12345678,” “abc123,” and “1234567.” (Mitnick)
“If you see one of your own passwords here, chances are you are vulnerable to a data breach, as these common terms are included in most password-cracking tool kits available online,” writes Mitnick.
Mitnick says to check www.haveibeenpwned.com “to see if your account has been compromised in the past.”
You might think you’re safe if your PW was not included in the lazy list above. You might also believe that your birthday is the best password because you will always remember it and hardly anyone knows it.
If you have a social media account, you very likely gave your birthday to verify that you are the qualified age to set up the account. This data is now public and easily accessible.
So what do we do now?
Create a strong password
Just like house burglars, hackers look for easy unsecured targets that will allow them to steal your password in the least amount of time and effort.
“The simplest and most common passwords are easily cracked first, then more complex passwords are cracked over time,” writes Mitnick.
So the point is to discourage hacker attempts by making it more difficult to guess your password. Hopefully, hackers will move on to easier passwords that are faster to crack.
- Use 20-25 characters - Yes, it’s too long to remember. I even forget my four-digit PIN. But there are ways to aid recall.
It’s best if the characters are random with letters, numbers, and characters. Use password managers “like Password Safe and KeePass that only store data locally on your computer,” writes Mitnick.
Password managers generate new and random passwords for each site you visit. Then you access all your passwords with just one master key or PW.
But if a malware infects your computer and your keystrokes are recorded, your master password and all other passwords can be stolen.
- Use phrases instead of passwords - If you’re like me and you struggle to remember your PIN’s four digits, I suggest you use the title or lyrics of your favorite song or movie. That will easily fill 25 characters and it’s easy to remember: “Moneymoneymoney!”
- Never use the same password for two different accounts so even if one password is breached for one site, your other accounts will not be automatically accessible.
- Write down your password - Good old pen and paper is still the most secure form for secrets. They’re not hackable nor public and they are easy to hide. Just keep it cryptic, coded, and incomplete.
Instead of writing “Metropolitan Bank:moneyintherichmansworld*” you should make a code to refer to your bank and omit some PW characters: “stash:money__“.
Then, if someone finds your PW list, it will confuse or at least complicate the guessing of your passwords. Hopefully, hackers will be discouraged and move on to easier targets. At the least, it will delay their efforts.
- Never share your password, especially over social media or devices like phone messages, anywhere that leaves a digital trace or record.
No matter how much you trust your loved one, relationships can sour or end. Also, sometimes leaks are inadvertent or your PW can be stolen from the people you trust. It’s best to avoid any disclosure about your PW.
- Give unusual answers to your security questions
Now despite our best efforts, we can still forget our password. We can retrieve them after we answer common security questions like: date of birth, school attended, mother’s maiden name, pet’s name, or where you met your spouse. These questions have been used since about 1882.
Again, the answers to these questions are easily gained from your social media accounts like Facebook and LinkedIn, or indirectly from your contacts or associates.
Armed with retrievable answers to security questions, hackers can reset your e-mail and other accounts without your knowledge.
What can we do to avoid this? Mitnick provides creative solutions.
First, give your own creative answers or invent one. Just be sure to write down your question and answer for a each site. For example, “Where were you born?” you can write “in the hospital” or for “What is your mother’s maiden name?” you can write “maiden name”.
We assume that we need to give correct or real answers, but with the high possibility of breach, we need to be more creative, vague, or misleading.
Second, if available, choose unusual security questions like “What was your first car?” then give your own answer like “Herbie.”
Third, choose fake questions with fake answers like “What is your pet’s name?” but you don’t have a pet, so you can invent an answer like “Cujo.”
Secure your mobile devices: phones, pads, laptops, desktops
In the office, password-protect your desktop and screen saver to avoid unauthorized access or unwanted leaks when you are away from your desk.
It is very important to put a password on all your mobile devices since these can easily be lost or stolen.
Create a passcode for your phone of at least seven characters, numbers, text, or both like “24karat$” to at least delay access.
Two-factor authentication or 2FA
“When attempting to authenticate a user, sites or applications look for at least two of three things,” writes Mitnick.
- Something you have [credit card strip or chip]
- Something you know [PW, PIN, security question]
- Something you are [biometrics like fingerprint, retina, face]
“The more of these you have, the surer you can be that the user is who she says she is.”
So the two-factor authentication or 2FA is used. When we use the ATM, we show what we have by putting the ATM card with the strip and we show what we know by using our PIN.
Financial websites use 2FA when you give something you know, a PW, and something you have, your cell phone. Google does the same. So even if your PW is compromised, they still need your cell phone to access your account.
This is not foolproof but it deters by delay.
Mitnick advises that we use a separate device dedicated solely for financial transactions, like an iPad. We only use this to pay bills, purchase, or check our bank accounts. We cannot use this to search other sites to avoid malware. Neither can we install apps unless it is first registered with a Gmail account.
Using a dedicated device for money is troublesome but it offers a higher degree of protection from online predators.
Basic security requires strong passwords or PINS, 2FA, a firewall, and antivirus. But even these measures can be thwarted if we divulge too much information online. We need to be more secretive about our personal data because it is inherently linked with our digital accounts and devices.
So what’s your password? Secret….
Ivy Digest serves the busy reader and extracts relevant data from worthwhile publications to incite ideas and inform decisions.
Author Ivy Lopez is a lawyer and journalist who studied in De La Salle, the Ateneo University, and the Wharton School of the University of Pennsylvania.