In 2017 the newest Gorillaz music album was ‘leaked’ pre-release because the technician responsible for uploading song videos to Vimeo used a laughably simple password.
You probably snickered at the fact that somebody thought ‘2017’ was a good password, but I will share a piece of intel with you that had me injure my neck from all the head shaking I did: 90% of the people I worked with, whose password lists I had access to for work-related reasons, used the same password for at least three of their social media profiles.
What’s more, the passwords were ridiculously unimaginative and simple to guess. I am not trying to offend anybody, but serving your password on a silver plate like that is just sloppy. It only takes one dedicated person with plenty of time to spare to research enough data on the business and start trying likely combinations to crack the code.
Today, on World Password Day, I want to share with you a simple hack for creating strong passwords that will make your life easier and your online channels secure. I learnt about it two years ago from Dr Daniel J. Levitin’s book titled ‘The Organized Mind: Thinking Straight in the Age of Information Overload’. Dr Levitin correctly states that our heads are no place to store elaborate lists of passwords, which is why many people decide to reuse their tried and tested codes for more than one account. With his creative method, I stopped worrying about creating new passwords and went on about my online business.
Why you should NEVER use the same password twice
The most important argument against password recycling is vulnerability. By using the same password on more than one platform, you are gradually weakening the security of your online presence. Imagine that one of the websites with poor security protocols was breached and your data, including your password, stolen. The thief will match your details, search for your other accounts and attempt to break in with the same password.
You probably think that the website would notify you of the danger of having your data floating online in order for you to change the password before the damage is done. Think again. There are many reasons why we only read about the big security breaches of companies such as Adobe or Dropbox years after the incident. I am going to sound incredibly paranoid but don’t trust anybody with your data.
The best method for creating strong passwords
The method by Dr Levitin is extremely simple.
Step 1: Think of a strong sentence 8-10 characters long. This will be your master password, the base for all other password combinations.
- Make it unique. I will never get tired of saying this but ‘unique’ does not mean a combination of your name and surname or a street address you lived at when you were a child. It means something that makes sense only to you. Password entropy, which is a measurement of how unique a password is, remains the key to creating a strong password.
- Select a base password with a minimum length of 13 characters, which is the length experts now recommend to avoid being compromised by brute-force cracking (Source).
- Oh, and don’t use a dictionary to create a strong password – dictionary-based cracking tools are in common use.
For the purpose of this article, I will use ‘Imothereddragons’.
Step 2: Make the sentence more complex with special characters. Create a custom code for certain characters, which you can later apply to the second part of your passwords as well. For example, replace all i’s with ‘6’, all o’s with ‘%’ and all d’s with ‘#’. The more random characters, the better! 1 and 2 are the most popular numbers added to passwords. You have eight more digits to play with; use them.
My master password will look like this: 6m%there##rag%ns
Step 3: Every time you create a new password, add a unique string of characters to your master password, associated with each new platform you sign up to. I like to simply add the name of the platform laced with special characters.
Had I been using my 6m%there##rag%ns master password and just happened to register for Twitter, I would create the following:
The beauty of this method is that, while you should never ever save the master password anywhere, the second part of your password can be saved in a spreadsheet: on its own it won’t help anybody decipher your password should they ever peek at your list.
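The three steps above, written out as an added worked example (this is not code from the article or from Dr Levitin’s book). The substitution map is the article’s own (i→6, o→%, d→#) and reproduces its master password from ‘Imothereddragons’; the platform tag format (wrapping the substituted platform name in ‘@’ and ‘!’), the account names and the entropy estimate are assumptions of this example, since the article does not show its Twitter result. The final function is the defender’s sanity check you would want over any such list: every derived password meets the 13-character minimum the article cites, and no two accounts end up with the same password.

```python
import math
import string

# Step 2 of the method: a personal substitution map. These three rules are
# the ones the article uses (i->6, o->%, d->#). The map is applied
# case-insensitively so that the capital I in the example is replaced too.
SUBSTITUTIONS = {"i": "6", "o": "%", "d": "#"}


def make_master(base_sentence: str, substitutions: dict = SUBSTITUTIONS) -> str:
    """Steps 1 and 2: apply the substitution map to the base sentence."""
    return "".join(substitutions.get(ch.lower(), ch) for ch in base_sentence)


def make_site_tag(platform: str, substitutions: dict = SUBSTITUTIONS) -> str:
    """Step 3: a platform-specific suffix 'laced with special characters'.

    The exact lacing is an assumption of this example (the article does not
    show its Twitter password): the substituted platform name between '@' and '!'.
    """
    return "@" + make_master(platform, substitutions) + "!"


def derive_password(master: str, platform: str) -> str:
    """Master password plus the platform tag; only the tag is ever written down."""
    return master + make_site_tag(platform)


def estimate_entropy_bits(password: str) -> float:
    """Rough brute-force search-space estimate: length * log2(pool size), where
    the pool is the sum of the character classes actually present. This is the
    conventional guess-space figure, not a measure of how guessable the
    underlying phrase is."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password_set(passwords: dict, min_length: int = 13) -> list:
    """Sanity check over account -> password: flag anything shorter than the
    minimum length the article cites, and flag any password reused across
    accounts (the problem the article opens with). Returns a list of findings."""
    problems = []
    seen = {}
    for account, pw in passwords.items():
        if len(pw) < min_length:
            problems.append(f"{account}: shorter than {min_length} characters")
        if pw in seen:
            problems.append(f"{account}: reuses the password of {seen[pw]}")
        else:
            seen[pw] = account
    return problems


if __name__ == "__main__":
    master = make_master("Imothereddragons")
    print("master:", master)  # 6m%there##rag%ns, as in the article
    # Constructed example accounts, not from the article.
    derived = {site: derive_password(master, site) for site in ("Twitter", "LinkedIn", "Vimeo")}
    for site, pw in derived.items():
        print(f"{site:9} {pw}  ~{estimate_entropy_bits(pw):.0f} bits")
    print("problems:", check_password_set(derived) or "none")
```

Running the block prints the article’s master password, one derived password per constructed account, and an empty findings list; feeding `check_password_set` two accounts with the same password is the reuse case the article warns about, and the finding names both accounts.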
How to protect your passwords further
Creating secure, difficult-to-guess passwords is about 80% of the effort. To keep your security in check, make sure you follow these tips:
- Use two-step verification whenever possible. I know it’s annoying, but the more obstacles you put in the way of somebody dead set on breaking into your accounts, the better. I am constantly listening to online security podcasts and a new threat is making the rounds: SIM hijacking or SIM swapping, which makes two-step authentication less secure. It means that if hackers find out your mobile phone number and correctly deduce which accounts it’s connected to, they are able to capture your phone number together with the verification texts and log into your accounts. I recommend you listen to Reply All’s ‘Snapchat Thief’ podcast episode, which explains the steps to securing your accounts.
- Forget about logging into different services via Facebook or Google. Recent developments have clearly shown how insecure social media are. Not to mention that once people start choosing convenience, they tend to consolidate all of their personal information in one account.
- Suspect you clicked on a weird link? Change your password immediately and report the breach.
- Sharing software with other people? Add individual user accounts instead of sharing the same password, preferably with a lower level of authority than yours. You don’t want anybody to tinker with your access either.
- Don’t give your password to anybody else – especially not in writing, via Facebook Messenger or SMS. You can’t control what the other person does with your personal data and you can’t control who else can access their phone.
- Don’t save your list of passwords in a Word Doc or Excel on your computer’s desktop. And for God’s sake, don’t name your list ‘Password’ or ‘Access codes’. Choose tools such as Evernote or Google Drive, use the method by Dr Levitin to save only parts of your passwords (never ever write down the master password!), make sure the file is buried and titled with an inconspicuous name.
Protecting your online accounts, with your sensitive data (or your customers’ data), should be of the highest importance to anybody using the internet. The repercussions of identity theft are harsh, not to mention the loss of trust if the victim happens to be a brand. As much as some things can be reversed after a security breach, the trust of your customers is difficult to get back. Get smart about being online or regret it later.