It seems like every other week I’m reading about some sort of internet hacking incident.
My mom’s e-mail getting hacked.
A friend’s Facebook getting hacked.
A random person’s Twitter getting hacked.
My mom’s e-mail getting hacked… again.
Someone’s website getting hijacked.
A WordPress account getting hacked.
You get the picture.
At the end of the day, your blog and other online accounts are only as safe as you make them. So today I’m going to give you some pointers on how to be more secure!
Passwords are obviously the most important part of any online account! Let’s look at some examples of bad passwords:
- Your name/phone number/birthday/address/any piece of personal information
- Any dictionary word
A bad password is anything that can easily be guessed or brute forced. In order to understand bad passwords, let’s get into the mind of a hacker.
If a hacker wants to get into your account, the first thing they’re going to do is learn everything they can about you. They will Google your name and browse around until they’ve located all your social media sites. This might include Facebook, Twitter, YouTube, Google+, Pinterest, a random forum you posted on 3 years ago, etc. From these sites, they can usually accumulate data like your name, where you live, what school you went to, who your friends are, what your favourite colour is, and anything else you’ve posted online. And all those things are the first password combinations they will try. They will try your name, your dog’s name, your birthday, your favourite band, etc.
If that hasn’t worked, they’ll bring out the big guns: brute forcing. Did you know there are scripts out there that can repeatedly (and automatically) try to crack into your account? They basically get set up to automatically run and cycle through dictionaries, attempting word after word until they get yours right. This is why having dictionary words as passwords is very insecure!
So how do we get around this? We use complex passwords. There are two types of great passwords that hold up against brute forcing (and random password guessing):
- Random numbers, letters, and symbols. Here’s an example:
5aK7u$AJjOc3FZ5cfo*y#FF#6As*UbjB
The trick is to use a long password (at least 12+ characters, though I’d suggest longer, like 18+ or 20+) and a combination of random numbers, letters, and symbols. This makes it extremely difficult to brute force, since it’s so far from a dictionary word. Simply adding in letters and symbols means thousands more possible combinations.
- Complex sentences that you wouldn’t be able to guess. Here’s an example:
Coffee makes my brain giggle, so I like peanuts!
Yes, that’s a sentence, but think of it as a password. It’s long, it contains a mixture of letters and symbols, and it makes absolutely no sense. It does contain dictionary words, but since it contains such a long combination of them, it’s very tough to brute force! But if you choose to use sentences, be careful. Make sure the sentence is still complex and un-guessable. Don’t use something easy like “I love <husband’s name>”.
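To put some numbers behind the two password styles above, here is a small Python script I’ve added as an illustration (my own example, not something from the original post): it estimates how big the search space is for a single dictionary word, a random-character password, and a random passphrase, runs a defensive self-check for the weak patterns listed earlier (too short, a dictionary word, built from personal details), and generates both styles with the operating system’s random generator. The word list, the personal-detail tokens, the dictionary size and the guessing rate are all constructed assumptions, not real data.

```python
import math
import secrets
import string

# Constructed sample inputs: a tiny stand-in for a cracking dictionary and for
# the personal details an attacker could collect from public profiles.
SAMPLE_WORDS = ["coffee", "peanuts", "giggle", "brain", "password", "sunshine"]
PERSONAL_TOKENS = ["ashley", "rover", "1985", "toronto"]  # hypothetical profile data
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"  # 70 symbols
DICTIONARY_SIZE = 170_000  # assumed size of a real English word list
GUESSES_PER_SECOND = 1e10  # assumed offline guessing rate, for comparison only

def search_space_bits(choices: int, count: int) -> float:
    """Entropy in bits of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)

def random_password_bits(length: int) -> float:
    """Style 1 from the post: random characters drawn from ALPHABET."""
    return search_space_bits(len(ALPHABET), length)

def passphrase_bits(word_count: int) -> float:
    """Style 2: words picked at random. A grammatical sentence has fewer real bits
    because its words are not independent, so treat this as an upper bound."""
    return search_space_bits(DICTIONARY_SIZE, word_count)

def years_to_exhaust(bits: float) -> float:
    """Years needed to try every candidate at GUESSES_PER_SECOND."""
    return 2 ** bits / GUESSES_PER_SECOND / (365 * 24 * 3600)

def is_weak(password: str, personal=PERSONAL_TOKENS, words=SAMPLE_WORDS) -> bool:
    """Defensive self-check: too short, a single dictionary word, or built from personal data."""
    lowered = password.lower()
    if len(password) < 12 or lowered in words:
        return True
    return any(token in lowered for token in personal)

def generate_random_password(length: int = 20) -> str:
    """Style 1 generator using the OS CSPRNG, the kind a password manager produces."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def generate_passphrase(word_count: int = 6, words=SAMPLE_WORDS) -> str:
    """Style 2 generator; with a real word list this also makes a good recovery answer."""
    return " ".join(secrets.choice(words) for _ in range(word_count))

if __name__ == "__main__":
    for label, bits in [("one dictionary word", passphrase_bits(1)),
                        ("12 random characters", random_password_bits(12)),
                        ("32 random characters", random_password_bits(32)),
                        ("8 random words", passphrase_bits(8))]:
        print(f"{label:22} {bits:6.1f} bits  ~{years_to_exhaust(bits):.1e} years to exhaust")
```

The table it prints shows the gap the post describes: one dictionary word falls in a fraction of a second at the assumed rate, while a 32-character random string or a handful of truly random words is far out of reach.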
And one more thing regarding passwords: do not use the same password on every site! Ideally, you would use a different password on every single website. Why? Let’s say you use the same password everywhere. If someone figures out your Facebook password, then they now also have your password for everything else! E-mail, blog, banking, Twitter, Facebook, and everywhere else. The key thing here is to minimize the damage.
How do we remember these crazy passwords?
Luckily, there are many tools available that will help you remember your passwords! Two great tools are 1Password and LastPass. These are applications you can install on your computer (Mac/Windows, and even phones/tablets!). Your passwords are encrypted and stored. You set one ‘master’ password (which is used to decrypt the data), and once you enter it, you have access to all your stored passwords, so you don’t have to remember them all!
Some sites allow you to set up recovery questions and answers in case you forget your password. Well, what good is it having a strong password if your recovery questions are easy to guess? Let’s take a look at some common recovery questions and look at what’s wrong with them:
- What is your mother’s maiden name? — This is something you could easily find on Facebook. All they have to do is find your Facebook account, and from there they can probably find your mother’s Facebook account. If that doesn’t work, there are a lot of online listings of people that might contain that information.
- What is your father’s middle name? — Same as above. If your father is on Facebook, or if he’s listed on one of the many online people directories, this question is as good as answered!
- What was the first school you attended? — This can easily be found out on a résumé or online profile. Do you have a LinkedIn profile? Your first school is probably listed in the “Education” section.
- Where did you go on your honeymoon? — If this isn’t on Facebook, you’ve probably blogged, Tweeted, or posted about it. I can count multiple book bloggers who have posted about their weddings or honeymoons. That’s AWESOME and I love reading about it, but it means that it makes for a bad security question!
So what do we do to make them stronger?
The best thing to do is to use recovery questions as additional passwords. Just because the question is “What is your mother’s maiden name?” does not mean you have to answer it with the truth. Here’s what one of my security questions might look like (note: not actually real):
What was the first school you attended?
Well how the heck will I remember that??
The same way you will remember your passwords: by using 1Password or LastPass. These tools have sections where you can write encrypted notes. These are excellent places for logging down recovery questions and answers! I usually write down the question and the answer so I know which answer goes with which question.
Just remember: you can have a really strong and secure password, but it’s meaningless if your answers to the recovery questions are easy to guess.