Your 3 keys to website logins
"Who you are, what you know, and what you have"
Most sites ask for your email address as your username. An attacker who knows that address can use it to try to reset your password. Instead, use a random username if the site allows it, and store it in your password manager.
Your password should be difficult to guess from what you post on social media. No website, bank or other agency will ever ask you for your password.
Two-factor authentication (2FA) adds an extra layer of security to your account. SMS codes and TOTP authenticator apps are the most common second factors, but they can be attacked as well.
Key Elements of Good Password Hygiene
- If you haven't already, create a log of all the sites where you have a user account.
- Next, check whether any of those accounts has been involved in a breach; those are the first passwords to change.
- Every password must be unique for each website you visit.
- Must be at least 10 characters long. The longer the better.
- Should be difficult to remember.
- Don't use easy-to-guess things like pet names, kids' names, DOB or phone numbers/addresses.
- Should NEVER be kept on a sticky note near your computer, or in a text document on your computer or your phone.
- Should be stored either on paper in a secure location, with a duplicate offsite, or kept in a Password Manager.

Best Practice
- Get a good password manager, secure it with a complex master password that only you know, then fill it with all your login accounts. Use the password manager to help you update accounts with weak or reused passwords.
*NCSC (National Cyber Security Centre)
Password Managers
Password managers are apps that store your login credentials in an encrypted vault on your phone and your computer. They can be standalone products, or they can use an encrypted virtual key to store your data in the cloud so that it syncs between your laptop and your phone. They can store any sensitive information, including Social Security numbers and passport numbers. Picking a respected and reliable product is important. I recommend you do your own research, but here are 3 that usually rank high among the experts.
- Subscription based
- Long track record
- Mobile, desktop and web
- Encrypted on their servers
- Watchtower feature looks for compromised logins and passwords

- Free and subscription-based options
- Open source
- Mobile and desktop
- Encrypted on their servers

- Free
- Open source
- Desktop, offline only
- Can sync with StrongBox on iOS
This comic from xkcd.com highlights a common problem with making passwords.
Credential Stuffing
Another common mistake people make is to reuse passwords for convenience, but this has serious drawbacks. When passwords are stolen in a breach, a tactic called Credential Stuffing lets attackers gain access to every other account where you used the same login credentials.
Breach: Hackers break into a database server and download gigabytes or terabytes of raw customer information.
Batched & Sold: The raw data is parsed and analyzed, then batched and sold in clusters on the dark web or hacker forums.
Validated: Bundles of data are validated and verified; username/password combos that work are resold as "live".
Live Targets: Attackers then use a program to plug the live credentials into hundreds of websites to take over your accounts.