Security is important on the internet. With the rise of social media and online banking, our lives are becoming increasingly intertwined with the online world. Picking a weak password, or reusing one, could lead to your devices getting remotely wiped, your social media pages hijacked, money stolen, and files lost. Just as you put a secure lock on your front door, you should consider making your online life secure as well. This post talks about a few simple steps that anyone can take to make their online experience safer, and probably easier too. Let’s get started.
Choose a secure password
No matter what you do, you will need to memorize a password. Sites everywhere require them, and even though we’re going to talk about a few options to store your dozens of passwords somewhere safe instead of having to remember them all, you’ll still need a password to log in to your computer at work, or to retrieve your other passwords. More on that later, but first let’s talk about how to make a secure password.
This method of putting a password together was most famously popularized by the web comic XKCD (#936, “Password Strength”). I am going to break it down simply, but here is a copy of the web comic if you are curious.
Above all else, you want a password that is long and hard to guess. Length is what defeats a computer trying every possibility: each extra character or word multiplies the number of guesses it has to make. Being hard to guess is what defeats a person, or a program fed a list of names, dates and famous phrases, trying the likely options first.
Examples of bad passwords:
- may the force be with you
A password made from a person’s name and a birthday is easy to guess, because both are things other people know or can look up. It is also short, which makes it easy for a computer to find just by trying every possibility. A completely random string is a bit better, but if it is still short, a computer can crack it eventually. The quote above is long, but it is a famous movie line, and quotes like it appear in the word lists that cracking tools try first. If you are a big-time Star Wars fan, someone might actually try this password. It is a bad idea to use something that obvious, even if it is long.
My recommendation is to pick a password that:
- Is a short sentence (about five words long)
- Invokes an easy-to-remember image
- Is difficult to guess
- Includes a random number and a symbol at the end that you remember
To come up with a good, unique password, first think of something absurd that only you would think of. Something visual. Something easy to remember. Here are a few things that come to my mind:
- al capone plants daffodils
- dragons like french soup
- snape fights a balrog
These are simple, but very hard to guess, because they combine a few otherwise unrelated concepts, and are visually striking. How can you possibly forget the image of the potions master, Severus Snape, yelling “You cannot pass!” at an angry balrog? I’ve already proposed this password in this post, so I do not recommend using it. But I’m sure you can come up with all sorts of humorous combinations from the books and TV shows you like. Choose something you like, that makes you smile, and is easy to remember.
Now that you have your sentence, generate a random number. You can do this by closing your eyes and hitting number keys on your keyboard, or by using any of the random number sites online. Do not use a number that means something, such as a birthday, a street address or the last digits of your phone number; those are exactly the digits someone would try. Then add the number to your password. Here are a few examples. And yes, you can use spaces in your password. They make it even longer, and the sentence easier to type out.
- snape fights balrog #38421
- 57293 do dragons like french soup?
- al capone plants daffodils! 84032
Each of these includes a symbol, to make the password-requirement gods happy, and a number, to add extra entropy that nobody can guess from knowing you. The number does not have to be particularly long; five digits is plenty. Memorize it like you do your social security or phone number, and write it down if you have to, just in case. Do not write down your sentence though; remember that part. And destroy the note after a couple of days, when you have the number memorized.
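To put numbers on the reasoning above, here is an added example (my code, not part of the original post) that generates a passphrase in the style just described and estimates how long each of the password styles discussed would take to crack. The word list is a small constructed sample, and the guessing rate of ten billion guesses per second is an assumption, roughly what a few GPUs manage against a fast, unsalted hash.

```python
import math
import secrets

# Constructed sample vocabulary for this demo. A real generator should draw from a
# large list (the EFF Diceware list has 7,776 words); the size of the list is what
# sets the entropy, not how odd the words are.
WORDS = [
    "capone", "daffodil", "dragon", "french", "soup", "balrog", "potion",
    "wizard", "planet", "hammer", "velvet", "cactus", "tunnel", "marble",
    "rocket", "pickle", "walrus", "fiddle", "canyon", "breeze",
]
SYMBOLS = "!#$%&*?@"
DIGITS = "0123456789"
GUESSES_PER_SECOND = 1e10   # assumption: GPU cracking of an unsalted fast hash


def generate_passphrase(words=4, digits=5, vocab=WORDS):
    """Random words, then a symbol and a random number, as in the post's examples.
    The secrets module (not random) is used because the result is a secret."""
    chosen = [secrets.choice(vocab) for _ in range(words)]
    number = "".join(secrets.choice(DIGITS) for _ in range(digits))
    return " ".join(chosen) + " " + secrets.choice(SYMBOLS) + number


def entropy_bits(*components):
    """Entropy of a secret built from independent, uniformly random parts.
    Each component is (number_of_picks, size_of_alphabet)."""
    return sum(n * math.log2(size) for n, size in components)


def years_to_crack(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time to hit the secret, i.e. to search half the space."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare_styles():
    """Crack-time estimates for the password styles the post discusses."""
    styles = {
        # 8 random characters drawn from letters and digits (62 symbols)
        "8 random alphanumerics": entropy_bits((8, 62)),
        # one quote out of a list of, say, a million famous lines
        "famous movie quote": entropy_bits((1, 1_000_000)),
        # 4 words picked at random from a 7,776-word list
        "4 diceware words": entropy_bits((4, 7776)),
        # the post's recipe: 4 words + 1 symbol + 5 random digits
        "4 words + symbol + 5 digits": entropy_bits((4, 7776), (1, len(SYMBOLS)), (5, 10)),
    }
    return {name: (round(bits, 1), years_to_crack(bits)) for name, bits in styles.items()}


if __name__ == "__main__":
    print(generate_passphrase())
    for name, (bits, years) in compare_styles().items():
        print(f"{name:30s} {bits:5.1f} bits  ~{years:.2e} years")
```

The estimates assume every part of the password was chosen uniformly at random. A sentence you make up yourself is not uniformly random (people favour common words and grammatical phrases), so treat the human-chosen sentence as worth fewer bits than four dice-rolled words; the random number at the end is there precisely because its bits are genuinely random.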
Use a password manager
Even if you forge the most secure password possible, it can still be stolen if one of the websites you use it on gets hacked, and attackers routinely try stolen passwords on other sites. If you reuse a password, one breach becomes a breach of every account that shares it. To avoid this, use a different password on every site, and let a password manager such as LastPass remember them for you.
Essentially, you log into LastPass using your super secure password, snape fights balrog #38421. That is the one password you remember. The passwords to your email, your Facebook account, your blog, and so on will all be different and randomly generated. That way, the only thing you have to remember is the image of Snape facing down a balrog, and nothing else. Your Facebook password will be something like 9I2oE@V&VnjcY1YCLqkE5T%W, which is far stronger than anything you could memorize, but a huge pain to actually remember. LastPass remembers it for you. This is safe because of how the vault is built: your master password is run through a slow key-derivation function on your own device to produce an encryption key, and that key is what encrypts and decrypts all your other passwords. The service stores only the encrypted vault, so a thief who steals it still has to crack your master password, which is why that one password has to be strong. Using the browser plugin, you can log in with those passwords with only a couple of clicks.
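As an added illustration of the vault idea (my code, not LastPass’s, and not its file format): the master passphrase is stretched with PBKDF2 into an encryption key and an integrity key, each site gets a randomly generated password, and the vault is encrypted and integrity-checked so that a wrong master passphrase yields nothing rather than garbage. The stream cipher here is HMAC-SHA256 in counter mode so that the example needs only Python’s standard library; a real manager uses AES-GCM or XChaCha20-Poly1305 from a vetted crypto library. The iteration count follows OWASP’s current guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import json
import secrets

KDF_ITERATIONS = 600_000   # OWASP's current recommendation for PBKDF2-HMAC-SHA256


def derive_keys(master_passphrase, salt, iterations=KDF_ITERATIONS):
    """Stretch the one password you remember into a master key (slow on purpose,
    so guessing is expensive), then split it into two independent subkeys."""
    master_key = hashlib.pbkdf2_hmac("sha256", master_passphrase.encode(), salt, iterations)
    enc_key = hmac.new(master_key, b"vault-encryption", "sha256").digest()
    mac_key = hmac.new(master_key, b"vault-integrity", "sha256").digest()
    return enc_key, mac_key


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher (illustrative only;
    real vaults use an authenticated cipher such as AES-GCM)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def lock_vault(master_passphrase, entries, iterations=KDF_ITERATIONS):
    """Encrypt {site: password} under the master passphrase, encrypt-then-MAC."""
    salt = secrets.token_bytes(16)    # fresh per vault: same passphrase, different keys
    nonce = secrets.token_bytes(16)   # fresh per encryption: keystream is never reused
    enc_key, mac_key = derive_keys(master_passphrase, salt, iterations)
    plaintext = json.dumps(entries).encode()
    ciphertext = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "iterations": iterations,
            "ciphertext": ciphertext, "tag": tag}


def unlock_vault(master_passphrase, vault):
    """Return the entries, or None if the passphrase is wrong or the vault was tampered with.
    The tag is checked before anything is decrypted, in constant time."""
    enc_key, mac_key = derive_keys(master_passphrase, vault["salt"], vault["iterations"])
    expected = hmac.new(mac_key, vault["salt"] + vault["nonce"] + vault["ciphertext"],
                        "sha256").digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    stream = keystream(enc_key, vault["nonce"], len(vault["ciphertext"]))
    return json.loads(xor(vault["ciphertext"], stream).decode())


def new_site_password(length=24):
    """A random, unique password for one site; you never need to remember it."""
    alphabet = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789!@#$%^&*")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    entries = {"facebook.com": new_site_password(), "mail.example": new_site_password()}
    vault = lock_vault("snape fights balrog #38421", entries)
    print(unlock_vault("snape fights balrog #38421", vault) == entries)   # True
    print(unlock_vault("may the force be with you", vault))              # None
```

Two details carry the security argument in the prose above: the salt means an attacker cannot precompute guesses for everyone at once, and the iteration count means each guess at the master passphrase costs the attacker the same 600,000 hash operations it costs you to unlock the vault once.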
LastPass is free, though you may need to pay a small subscription to access your passwords conveniently on mobile. Completely free options exist too, such as Bitwarden and KeePass; I recommend LastPass because of my past experience with it. Its $2 per month premium subscription is still significantly cheaper than what some people pay for physical security, such as door locks or alarm systems.
Use multi-factor authentication
Multi-factor authentication is like the full metal plate armor of online security. If you want to be protected like a mounted, armored knight, then use multi-factor. With it, a stolen or guessed password is no longer enough to get into your account: the attacker also needs the second factor, usually your phone. Short of tricking you into reading them a code while they log in, the only way in is to get your password and get hold of your phone, and at that point we are in the realm of physical security, not online security, which is another problem entirely.
Note: a hacker may still be able to persuade your bank’s tech support to reset your password and hand it over, for instance. This is largely unavoidable on your end, but you can make it harder by guarding the details support staff use to identify you, such as your social security number, date of birth and account numbers.
The best-known multi-factor authentication app is Google Authenticator. It is available for all major mobile platforms, and the codes it produces follow an open standard (TOTP, time-based one-time passwords), so any compatible authenticator app works the same way. The account settings of Google, Facebook, and most major consumer websites can walk you through setting this up. The key thing I can tell you here is that it is easy to use and very secure. Whenever you log in on a new device, you enter a six-digit code from your phone in addition to your password. It is an extra step, but so is unlocking your door when you get home every day. It is still a good idea to keep your door locked.
LastPass also offers a compatible app called LastPass Authenticator. Either one works; which you use is up to you.
Some sites offer text-message based multi-factor authentication. This is better than nothing, but it is not as robust as an authenticator app. Text messages are an insecure means of communication: they can be intercepted, and an attacker who talks your carrier into moving your number to their SIM card (a “SIM swap”) receives your codes instead of you. An authenticator app never sends anything over the phone network. At setup, the site and your phone share a secret once, and from then on the phone computes each code from that secret and the current time, so there is nothing in transit to intercept and no phone number to hijack.
In particular, you want to set up multi-factor on your email account, because it can be used to reset your password to everything else; on your password manager (LastPass); and on any financial institutions that support it. That said, I recommend enabling two-factor everywhere you can. It is just more secure.
Keep your computer secure
A good password won’t protect you from malware on your computer. That is out of scope for this post, but follow security best practices elsewhere too: avoid shady websites, keep your operating system and web browsers up to date, never download files that look suspicious, don’t open unexpected attachments in email, and run anti-virus software on your machine (particularly if you are a Windows user).
Make sure your computer login has a password too. It technically can be your LastPass password, but I recommend using a different one. It can be simpler, since it can generally only be attacked by someone who holds your computer in their hands, unlike a site like Facebook, where anyone can try to log in as you at any time through the website. One caveat: someone holding your computer can read the disk directly and skip the login screen altogether unless the disk is encrypted, so turn on full-disk encryption (FileVault on a Mac, BitLocker on Windows) as well.
Securing your online life isn’t hard, and is either free or very cheap. Do it, if you can. It will save you a lot of worry, and maybe some cash and stress too, should folks with ill intentions ever decide to go after your accounts. Join us. You’ll never have to worry about inconsistent, hard to remember passwords again.