Darek Kay
Solving web mysteries

Another password leak — oh, it must be Tuesday!

A few days ago, hackers released a list of nearly 5 million Gmail addresses and passwords. Last week, celebrity nudes leaked on the internet. Such news is nothing special anymore. Adobe, Apple, Yahoo, Sony — they've all had serious security breaches. The bad news is that you can do nothing about the breaches themselves. But you can follow some simple rules to make it as hard as possible for anyone to gain access to your private data.

Strong passwords

Ah, that's a classic. There is a great xkcd comic describing what people think a strong password looks like.

Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

No matter what others say: size matters. It's not about making the password as cryptic as possible. It just has to be long enough and not predictable like 123456 (which is still the most popular password out there). Adding one special character (like ! # * = etc.) and one digit also increases the password strength, but I wouldn't go for more, so I can still remember it. I'm using at least 14 characters and according to this service, it would take over 600 thousand years to crack it. I can live with that.
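To make the "size matters" point concrete, here is an added example (not from the original post) that estimates the brute-force search space of a password and how long it would take to exhaust it. The guess rate of 10 billion guesses per second and the tiny common-password list are assumptions for illustration; real crack-time estimators also use dictionaries and patterns, which is why 123456 is treated as instantly guessable here.

```python
import math
import string

# Character classes an attacker has to cover once a password uses them.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Constructed stand-in for a real leaked-password dictionary.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "iliketrains"}


def alphabet_size(password: str) -> int:
    """Size of the union of character classes the password draws from."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def entropy_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet size).
    A password found in the dictionary gets 0 bits: no search is needed."""
    if password in COMMON_PASSWORDS:
        return 0.0
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def years_to_crack(password: str, guesses_per_second: float = 1e10) -> float:
    """Expected years to hit the password at the assumed guess rate
    (on average half the keyspace has to be searched)."""
    combos = 2.0 ** entropy_bits(password)
    return combos / 2 / guesses_per_second / (365 * 24 * 3600)


def compare(*passwords: str) -> list:
    """Rank candidate passwords by search space, weakest first."""
    rows = [(p, len(p), round(entropy_bits(p), 1), years_to_crack(p))
            for p in passwords]
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    # Short-and-cryptic versus long-and-memorable, as in the xkcd comic.
    for pw, length, bits, years in compare("123456", "Tr0ub4dor&3",
                                           "correcthorsebatterystaple",
                                           "2*iliketrains!"):
        print(f"{pw:28} len={length:2} bits={bits:6} years={years:.3g}")
```

The 25-letter lowercase phrase outranks the 11-character mixed password by more than 40 bits, which is the comic's point: every extra character multiplies the search space, while one more symbol class adds only a few bits.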

Unique passwords

Your password may be 50 characters long, but if anyone gets access to it, you're screwed. It gets even worse if you have only one password. Having the same login data for Gmail and for other sites means it isn't necessary to hack Google to read your emails. Instead, hackers gain access to less secure websites and reuse the email & password combination to access Gmail, Steam or any other service with valuable data. That's exactly what happened in the recent password leak. So what can we do about it? Use a unique password for every service. If one account gets compromised, all other accounts are still safe. But how do we remember hundreds of different passwords? Well, there are two different ways:

  • Combine a password with the service name. Let's assume our (base) password is 2*iliketrains. We just need to add the first four letters from the service name to get a unique password. So for Facebook it's face2*iliketrains and for Gmail it's gmai2*iliketrains. You can of course use any other pattern, as long as your passwords are unique and still easy to remember. Now you're pretty much safe from automated attacks that replay leaked user:password pairs, but the password pattern might be easy to guess if someone targets you specifically.
  • Use a password manager. I keep most of my passwords in LastPass. It might seem ironic to store all passwords online. If someone hacks it, doesn't he get all my passwords? No, he doesn't. I don't want to get too technical here, so just listen to people who are dealing with security for a living. TL;DR: all passwords are encrypted, and encryption and decryption happen only on your computer, so not even LastPass would be able to crack them. It's enough for me to trust them with all my less important passwords. For people who want to be even more secure there are offline password managers like KeePass.

Two-factor authentication

Google Authenticator

But doesn't it require only one master password to get access to LastPass and hence decrypt all my passwords? Yes, it does. And that's where the most underused security tool kicks in: two-step verification. With that feature enabled you need two components to access an account: a password and a semi-randomly generated code. The two most common ways to get such codes are either by receiving an SMS or using an application that generates new codes every few seconds. Many services rely on the Google Authenticator app (Android, iPhone), like Google itself. It's open source, so you don't have to worry about them doing anything sneaky. Some other services, like Battle.net, provide their own apps. So basically, even if I told you my master password, you would still need physical access to my mobile phone. Isn't it awesome?

There are still some misconceptions about two-factor authentication, so you should check out this short summary. Here's a comprehensive list of websites that already support it (Google, Facebook, Twitter, Dropbox, PayPal...).

Changing passwords

Many people recommend changing passwords frequently. The National Institute of Standards and Technology finally deprecated this practice. You should however react to current breaches, if your provider doesn't reset your password automatically. Here you can check if your account was affected in any larger incident, including the latest one.

Regular backups

By now you should be pretty safe. Unfortunately hackers always find new ways to get access to your data. And believe me, you don't want that to happen (seriously, check out this guy's story). I can't imagine losing any valuable data, so that's why I do weekly backups and store everything on external drives. For example, Google's Takeout lets you download all or some of your stored data. Many other websites offer such a service and for some I wrote my own backup solutions.

Conclusion

I've covered only some basic ways to make accounts more secure. But unfortunately many people don't apply even those well-known techniques. You will never be 100% safe, but with just a little effort you can make the life of criminals so much harder. I urge you to deal with this topic before it's too late.