Digital security is a huge topic these days. Sony, Home Depot, Target, Bank of America, the NSA, the FBI, the White House... all hacked within the last couple of years. Mainstream media cover such attacks and follow up with general recommendations to help you ensure that your digital presence is properly secured. However, most of what's written is incomplete, not entirely accurate, or downright wrong. As a digital agency serving enterprise-level clients, what surprises us most is how frequently this type of information is passed along as reliable.
Here's a quick example of information presented by a variety of otherwise well-trusted and reliable technology sources...
The presentation centers on password selection, and this is one of their examples:
An Okay password = kitty
A Better password = 1Kitty
An Excellent password = 1Ki77y
The problem here is that none of the above passwords is even slightly good. Why? Because they are short, and brute-force attacks (where a computer, or an array of computers, guesses passwords automatically) can crack all of the above in minutes. So even the most amateur hacker (if incentivized) can and will access your accounts with ease. The common myth about choosing a good password is that randomness is what counts. The shocking truth is... it almost never does, at least not by itself. Yes, 1Ki77y is a better password than kitty, but only slightly: it would take a standard attack configuration just 0.577 seconds to guess the "excellent" 1Ki77y, versus 0.000124 seconds for the "okay" kitty. Not a huge difference if you're trying to protect your bank accounts, and that difference will continue to shrink as hackers gain access to more powerful cracking arrays and better automation.
What you'll almost never hear is that a password like "ilikestoresandcarrots" is more often than not a great deal more secure than 1Ki77y, and if you add a number, a capital letter and a symbol to the mix, as in "ilikest0Resandcarrots#", then you have an easy-to-remember password that would take the same cracking array roughly 1.04 hundred billion trillion centuries to guess. That assumes no one is targeting you specifically and that you haven't chosen anything personal to you. For example, if you were to choose your Social Security number, mathematically it's an incredibly strong choice. However, most US citizens have their SSNs available for purchase on the dark web. So if someone targets you, "Jane Doe", they can crack it in an instant using a dictionary attack that includes your personal details.
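To make the two points above concrete (length beats symbol substitution, and a mathematically strong password can still fall to a dictionary built from your personal details), here is a small strength estimator. It is an added example written for this post, not a tool from Stellar or from the sources being critiqued. The guess rate of 1e11 per second, the six-word dictionary and the "John Smith, 1970" details are all constructed for the illustration; the rate was picked because it reproduces the post's 0.000124 s and 0.577 s figures closely, but the post's actual attack configuration is not stated.

```python
import math
import string

# Constructed guess rate for the illustration: 1e11 guesses/second. At this rate the
# full-keyspace times for "kitty" and "1Ki77y" land close to the 0.000124 s and
# 0.577 s quoted in the post; the post's own rate is an assumption here.
GUESSES_PER_SECOND = 1e11

# Constructed tiny wordlist; real cracking dictionaries hold millions of entries.
COMMON_WORDS = {"kitty", "password", "qwerty", "letmein", "welcome", "dragon"}

# Undo the usual digit-for-letter substitutions so "1Ki77y" is recognised as "kitty".
LEET = str.maketrans("0134578@$", "oleastbas")


def charset_size(pw: str) -> int:
    """Size of the character-class mix an attacker must assume to cover pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def keyspace(pw: str) -> int:
    """Candidates an exhaustive search of that class mix and length must try.

    This is charset ** length: each added character multiplies the count by the
    whole charset again, which is why length beats symbol substitution.
    """
    return charset_size(pw) ** len(pw)


def brute_force_seconds(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace at the given guess rate."""
    return keyspace(pw) / rate


def dictionary_hit(pw: str, personal: tuple[str, ...] = ()) -> bool:
    """True if a wordlist entry or a personal detail appears in pw, with or
    without digit substitutions. Personal tokens under 3 characters are
    ignored so that initials do not match on noise."""
    words = COMMON_WORDS | {p.lower() for p in personal if len(p) >= 3}
    forms = {pw.lower(), pw.lower().translate(LEET)}
    return any(w in form for w in words for form in forms)


def assess(pw: str, personal: tuple[str, ...] = ()) -> dict:
    """Combine both checks: a dictionary hit fails regardless of keyspace size."""
    seconds = brute_force_seconds(pw)
    if dictionary_hit(pw, personal):
        verdict = "weak: contains a dictionary word or personal detail"
    elif seconds < 365 * 24 * 3600:  # exhaustible in under a year at the assumed rate
        verdict = "weak: brute-forceable"
    else:
        verdict = "strong"
    return {"password": pw, "bits": math.log2(keyspace(pw)), "seconds": seconds, "verdict": verdict}


if __name__ == "__main__":
    me = ("John", "Smith", "1970")  # constructed personal details, echoing the post's example
    for candidate in ("kitty", "1Ki77y", "John61970Smith", "x9#Qp!2Lr@",
                      "ilikestoresandcarrots", "ilikest0Resandcarrots#"):
        r = assess(candidate, me)
        print(f"{r['password']:<24} {r['bits']:6.1f} bits  {r['seconds']:10.3g} s  {r['verdict']}")
```

Run it and the table shows the shape of the argument: the 21-letter lowercase sentence has a far larger keyspace than a 10-character random mix, "1Ki77y" is flagged as a disguised dictionary word no matter how its symbols are counted, and "John61970Smith" fails the moment the attacker's list includes the victim's name and birth year.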
So what does this mean to the average person with a digital life? Here are a few rules to keep in mind when selecting passwords that protect financial or otherwise sensitive information:
- Don't EVER Re-use a Password -- Yes, it's easier to remember, but if someone hacks Home Depot, which may have horrible security, and you've used the same "This1Smypwassword" password there that you use for your 401K account, then guess what... the hackers now have access to both. And even though Chase Bank might have great security, they can't tell that someone (who isn't you) is accessing your account when that someone has the correct login. Chase may be secure and safe from hacks (doubtful), but Home Depot, Target and your local restaurant with online purchasing are not. Compromising security is about gaining access at the weak point and expanding from there. Don't let hackers do this to you.
- With Passwords, Length Matters -- A random selection of 10 characters is not nearly as secure as a 20-character sentence in all lower-case. Keep in mind that if someone runs a program that guesses your password (brute force), it has to try every possible combination. Each character in your password can be any of 26 lowercase letters, 26 uppercase letters, 10 digits (including 0) and a lot of symbols (depending on your language). Every character you add multiplies the number of combinations the computer has to try by all of those possibilities again: for a 20-character password, that's 26 upper, 26 lower, 10 digits and however many symbols, multiplied by itself once for each of the 20 positions. The math grows exponentially, and it grows fast. Generally, hackers run bots (programs) to find easy guesses. If yours is even slightly difficult it'll be passed over. Make sure it is.
- No Personal Information -- Yes, I know it's easy to remember your name followed by your birth year. But hackers pull public data into their attacks. If you're John Smith, born December 6th, 1970, then that data can be pulled into an automated attack, and if your password is John61970Smith it's phenomenally easy for an automated attack to find it, even without targeting you. And it gets easier all the time with massive database breaches and more powerful programs. Instead of using any information about your family, friends or yourself, find a random book, pick a page and use the first sentence as a starting point for your password. "ItW4sthebestoftimesItwasTheWorstOfTimes" is a phenomenal choice. Well, it would be if it weren't so well known, but you get the gist.
- Security Questions... Lie! -- Sadly, many banks and financial institutions present us with "security questions" -- questions that only we are supposed to be able to answer, which let us reset our passwords and/or access an otherwise locked account. Here's the problem... the answers to most of these questions are relatively easy to find in public records. Remember the celebrity iPhone "hacks" a couple of years ago? Those weren't hacks at all. Each of those public figures answered the questions for their account honestly... What's your pet's name?... Jasmine. When did you graduate high school?... 1999. What's your mother's maiden name?... Smith. All of this information is easily collectible if someone wants to find it. The solution? Answer these questions, but answer them with bogus information. "What high school did you graduate from?... TheMoonLanding" -- and so on. Of course you have to store your incorrect answers and treat them like mini-passwords, but ultimately it means that ONLY YOU know the answers, not someone who researches you online.
- Two-Factor Authentication -- Even with excellent, long, random passwords, a site or service will eventually be hacked, exposing you to attack. Any chance you get, set up two-factor authentication. This basically means that any login to the system/service also requires that you verify it with a code sent to your cell phone. Unless you're the president of the US, no one is going to go to the trouble of trying to compromise something like that. It's astoundingly difficult.
There are other tactics and tools I'd recommend for fully securing your digital life, but for now these are the basics. If you follow everything I've listed above and update your current (and most sensitive) accounts using these recommendations, then you'll be more secure than 99.999% of people in the world. There's no guarantee of absolute security, but unless you're specifically targeted, you'll remain protected from the vast (vast) majority of attacks. And that's the ultimate goal.
At Stellar, we want to encourage and foster best practices in security, reliability and efficiency. We hope this post helps guide you toward that goal. Please share it with as many of your friends and family members as you can, and if you have any questions or comments on the above, don't hesitate to reach out to our team at firstname.lastname@example.org. We're eager to help.
All the best!