Passwords - Protection Strategies and Design
The logic of building strong passwords is something most of us understand: the stronger the password, the harder it is for someone else to get into your application and the information you are trying to protect. Yet even though we know this, we often ignore this "best practice" when we actually set up passwords for the applications we want to access online.
Why do we do this? Convenience, mostly. Plus, I think, the unspoken belief that with so many millions of people out there online, the odds that I will be the one to get hacked are small. That is, if we are thinking about getting hacked at all as we set up these passwords. Many people set up a password only because the application they are trying to access tells them they must have one.
But have you noticed something in recent times as you access your applications online? The corporations behind the applications you use are now often asking you to:
Periodically change your password.
Provide answers to additional questions that they can ask you as a secondary identity-verification step.
Confirm once in a while that your e-mail address and phone number are still correct.
Sometimes type in a random set of characters shown on the login screen (a CAPTCHA) and get it right before you can log in.
Create longer and stronger passwords, with special characters and/or capital letters in them, to make it harder for others to break into your account.
If you are trying to access your information from somewhere other than your own home, sometimes messages pop up asking you additional questions to help authenticate you. How do they know you are away from home? When you log in, their systems also capture your IP address, which gives an approximate location, and compare it with the addresses associated with your account from your usual logins, so they can tell when you are somewhere new.
They even capture information about your device, so if you are logging in from a different computer or phone, they can tell that as well.
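To make the IP-address and device matching concrete, here is an added example of the kind of check a login system can run behind the scenes when you sign in. It is not code from the lecture or from any particular company. The login history is constructed, the "same /24 (IPv4) or /64 (IPv6) block means the same place" approximation, the device strings and the four possible outcomes are all assumptions made for the example.

```python
import ipaddress

# Constructed sample of one account's previous successful logins (assumption:
# a real service would read these from its own authentication logs).
KNOWN_LOGINS = [
    {"ip": "203.0.113.17", "device": "Chrome 120 / Windows 10"},
    {"ip": "203.0.113.21", "device": "Chrome 120 / Windows 10"},
    {"ip": "203.0.113.17", "device": "Safari 17 / iPhone"},
]


def home_network(ip):
    """Map an address to the network block it sits in.

    Assumption for this example: a /24 (IPv4) or /64 (IPv6) is a good enough
    stand-in for "the same place"; a home connection's exact address changes,
    but it usually stays within the same block.
    """
    addr = ipaddress.ip_address(ip)          # raises ValueError if malformed
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def known_networks(history):
    return {home_network(entry["ip"]) for entry in history}


def known_devices(history):
    return {entry["device"] for entry in history}


def assess_login(ip, device, history=KNOWN_LOGINS):
    """Score a login attempt against the account's own history.

    Returns (decision, reasons):
      "allow"            known network and known device
      "challenge"        one of them is new: ask the secondary questions
      "challenge_strong" both are new: require the second factor and notify
      "deny"             the address could not even be parsed
    """
    try:
        net = home_network(ip)
    except ValueError:
        return "deny", ["unparseable address"]

    reasons = []
    if net not in known_networks(history):
        reasons.append("new network")
    if device not in known_devices(history):
        reasons.append("new device")

    if not reasons:
        return "allow", reasons
    if len(reasons) == 1:
        return "challenge", reasons
    return "challenge_strong", reasons


def remember_login(ip, device, history=KNOWN_LOGINS):
    """After a challenge succeeds, record the new network/device so the
    same place and machine are trusted next time. Returns the history size."""
    history.append({"ip": ip, "device": device})
    return len(history)


if __name__ == "__main__":
    attempts = [
        ("203.0.113.40", "Chrome 120 / Windows 10"),  # same block, same browser
        ("198.51.100.5", "Chrome 120 / Windows 10"),  # away from home
        ("198.51.100.5", "Firefox 121 / Ubuntu"),     # away and on a new machine
        ("2001:db8::1", "Safari 17 / iPhone"),        # IPv6 from a new block
        ("not-an-ip", "Safari 17 / iPhone"),          # garbage in the log
    ]
    for ip, dev in attempts:
        print(ip, dev, "->", assess_login(ip, dev))
```

The point of the design is that nothing about the password itself changes: the service keeps a small history per account and raises the bar (secondary questions, then a second factor) in proportion to how unfamiliar the login looks. Passing a challenge should feed back into the history, otherwise every trip away from home triggers the same questions again.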
Why are they doing this? They are trying to make their applications, and your information within them, as secure as possible. They are worried about getting hacked, and you should be too.
A core reason for this ties back to the thought I expressed at the beginning of this lecture: "... there are so many millions of people out there online, what are the odds that I'll be the one to get hacked?" This is a mistaken belief about your own security, and I'll tell you why.
When a hacker targets you, it is rarely a one-on-one, personal event. Hacking begins with broad information gathering. The hacker collects information about many people using many systems, and does so with home-made "search" programs that scan the Internet for details about people and the applications they use; depending on what they do, these programs are called things such as "bots", "robots" or "spiders".
While these programs are gathering information and dumping their findings into databases the hacker controls, the hacker is also surveying the applications he or she wants to get into, looking for those that are weak security-wise and have vulnerabilities that can be exploited.
When a vulnerability is found, the hacker writes code to exploit it, couples that with the data gathered earlier, and performs a "hack" on the target application. More than one person can be affected by a single hack; in fact, hundreds or even thousands of people can be compromised virtually simultaneously. So hacking is not just a one-on-one thing. These days, if something happens to one person, it is probably also happening to many other people, and you may well be included.
These hacks take time to build, but they are sophisticated, and the computers many of us use are very often quite vulnerable.
Following are some things you can do password-wise to help protect yourself and your data online.
Build strong passwords and use them on the applications you access online. A strong password is longer than 8 characters (the longer the better), contains both upper- and lower-case letters, and has at least one special character in it, such as @, #, $ or %.
The password should in most respects be random, and it should not contain information that can easily be tied to you, such as part of your name, your address, your children's names or your pets' names.
Where you can, enable the "double authentication" (two-factor authentication) features on applications that offer them, especially on sites that matter to you, such as financial sites or any site where you have stored your credit card details.
Use a different password for each application. If you reuse one password everywhere, a breach at a single site hands the attacker a password that will then be tried against every other site you use.
Minimize or avoid the "Remember My Password" and auto-fill features. A "remember me" option typically stores a long-lived login cookie, and saved passwords are kept on the computer itself; either can be taken by someone who steals the cookie or gets control of the machine, and at that point they no longer need your password at all.
Change your passwords regularly, particularly for your important or financial sites, and immediately if a site tells you it has been breached.
On social media sites such as Facebook, be careful about what information you put out there. Some hackers trawl these sites looking for personal information that you might be using as part of your passwords elsewhere, such as children's names. If you are using strong, random passwords this is less critical, but be aware that it goes on: if your passwords still contain words that also appear on your social media pages, those words can be used to guess them.
Don't use sites that offer to test your planned passwords to see if they are strong. Some of these sites may be offering the service legitimately, but don't do it. Every site you visit can record your outbound IP address, so if you test passwords on a third-party site you are giving them both an address that identifies you and the passwords you are thinking of using. Not a good idea. If you want to check a password's strength, do it with a tool that runs on your own machine and sends nothing anywhere.
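The strength rules above (longer than 8 characters, mixed case, a special character, nothing that can be tied to you) are easy to check on your own machine, which is also the answer to the third-party password-testing sites: run the check locally and send nothing anywhere. The following is an added example, not code from the lecture; the list of "common fragments", the three-character minimum for personal terms, the repeated-character rule and the rough entropy estimate are assumptions made for the example.

```python
import math
import re
import string

# Assumption: a few fragments that turn up in many weak passwords. A real
# checker would compare against a full list of breached passwords instead.
COMMON_FRAGMENTS = ("password", "qwerty", "abc", "123", "letmein")


def contains_personal_info(password, personal_terms, min_len=3):
    """Return the personal terms (names, pets, street, birth year...) that
    appear in the password, case-insensitively. Terms shorter than min_len
    are ignored because two-letter matches are mostly noise (assumption)."""
    pw = password.lower()
    return [t for t in personal_terms if len(t) >= min_len and t.lower() in pw]


def estimated_bits(password):
    """Rough strength estimate in bits: length * log2(size of the character
    classes used). It assumes every character was chosen at random, so it
    overstates the strength of anything built from words or patterns."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return round(len(password) * math.log2(size), 1) if size else 0.0


def check_password(password, personal_terms=()):
    """Apply the lecture's rules locally. Returns (ok, list of failures)."""
    failures = []
    if len(password) <= 8:
        failures.append("must be longer than 8 characters")
    if not any(c.islower() for c in password):
        failures.append("needs a lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("needs an upper-case letter")
    if not any(c in string.punctuation for c in password):
        failures.append("needs a special character such as @ # $ %")
    hits = contains_personal_info(password, personal_terms)
    if hits:
        failures.append("contains personal information: " + ", ".join(hits))
    if re.search(r"(.)\1{2,}", password):
        failures.append("repeats one character three or more times")
    lowered = password.lower()
    found = [f for f in COMMON_FRAGMENTS if f in lowered]
    if found:
        failures.append("contains a common fragment: " + ", ".join(found))
    return (not failures, failures)


if __name__ == "__main__":
    # Constructed personal terms: the kind of thing found on a social media page.
    mine = ["Rex", "Emma", "Main Street", "1985"]
    for candidate in ["rex1985", "Emma@Main1", "Passw0rd!!!", "Tr0ub4dor&3xample!"]:
        ok, why = check_password(candidate, mine)
        verdict = "OK" if ok else "weak"
        print(f"{candidate!r}: {verdict}, ~{estimated_bits(candidate)} bits {why}")
```

The personal-terms list is the part worth keeping up to date: it is exactly the names, dates and addresses you have posted elsewhere, and the check fails a password that contains any of them even when it otherwise satisfies the length and character-class rules.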
In summary, I recommend that you take a look at all the sites you access online today and review the passwords you are using on them. Become strategic about this. Ask yourself questions at each site like:
That's all for now.