Practical Passwords for Regular People

“Dadada.”  According to the article below this was the password for Mark Zuckerberg’s hacked LinkedIn account.  I found this astounding.  And I am just a regular guy who works in an office full-time, not some super-geek.

“A group of hijackers known as OurMine, possibly from Saudi Arabia, briefly took over Facebook chairman and CEO Mark Zuckerberg’s Twitter and Pinterest accounts yesterday.” – Source: Seeker.com – How Not to Be Mark Zuckerberg About Your Passwords

But Zuckerberg is ridiculously wealthy.  He can afford to pay people to clean up the mess.

For the rest of us poor schmucks the article has some suggestions which are worth perusing.  I got my AOL account in the late 80s and have used hundreds of various online accounts since then.  I probably have at least 50 active user passwords.  It would be nice to have a reasonable way to manage that.  Unfortunately the suggestions are not packaged for users in the real world.  And the article fails to engage the real-world questions that need to be asked about any website before deciding how carefully to protect your account on it:

  • Are you famous or do you otherwise have some sort of highly visible public profile?
  • Is the information you need to protect important?
  • Would theft of the information affect anyone besides you?
  • Is the data valuable?

If the answer to all these questions is “no” then pick any junk password you like.  If you answered with a strong “yes” to any, then find someone with actual expertise and don’t fool around with trying to do this on your own, particularly if you need super-secure options like hardware tokens.  But most people will likely answer “no” to the first and a mild “yes” to one or more of the rest.  So here is my stab at a rework of the suggestions, in order of priority:

  1. Turn on basic two-factor authentication (2FA) for every site that provides it.  Two-factor (or multi-factor) means something besides your user name and password is required to sign in.  The easiest version to use sends a text to your mobile phone with an access code when the site fails to recognize you.  A slightly more complicated but more reliable variant installs an app on a smart phone (which most people have these days).  Basic 2FA means most thieves will need your crappy password and physical possession of your phone.
  2. Lock all your computers, tablets, and smartphones.  A basic four-digit pin or pass-code is probably fine, provided that the device does not connect to a corporate network, and has no remote access capability (or remote access is turned off).  This is basic stuff.  You lock your residence and car, don’t you?

This should keep out casual thieves and provides reasonable security for most of us.  But if a thief gets both your passwords and access to your computer and mobile phone you have bigger problems.  You might now be some hacker’s personal project.  Or you might be bound, gagged, and in the trunk of a car bouncing along a dirt road.  As one writer has pointed out, your potential threats boil down to “Mossad or not-Mossad[1].”  If it’s the first one you are pretty much screwed.

For sites that don’t provide two-factor authentication, do the following:

  • Create unique and reasonably complex passwords.  Passwords should contain at minimum mixes of upper case letters, lower case letters, and numbers.  Special characters should be added if the site allows.  But as long as you do not spell out actual dictionary words, your passwords need NOT be super long or super complex.  Eight characters is good enough for most purposes.  Whether to use more depends on how much damage unauthorized access will do.  Passwords for your bank need to be longer than passwords for your streaming media.
  • Long passphrases can be easier for most people to remember than completely random sequences.  Just don’t use components that you have posted on social media.  Use something obscure, like the combination of a partial childhood address and the name of a childhood pet.  Or the long name of a band you would never admit listening to.  Then mangle it with numbers and mix the upper and lower cases.
  • If you have too many passwords to remember, then create a secured list to build a barrier between where you record them and where you use them.  A plain, old paper notebook is just fine, provided you keep it somewhere reasonably safe.  An encrypted Microsoft Office or Evernote document, or something equivalent, will also work.  Or if you are at least slightly geeky you can use a password manager app[2].  The point is to find something that works for you and create the barrier.  So when your device gets stolen and/or hacked the thief doesn’t get your passwords.
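The password rules above can be turned into a simple self-check. This is an added example, not something from the article: the tiers, their minimum lengths and the tiny word list are constructed here to stand in for a real dictionary, and the sample passwords are made up.

```python
import re

# Constructed tiers: the article only says bank passwords should be longer
# than streaming-media ones, so the exact numbers here are assumptions.
MIN_LENGTH = {"low": 8, "medium": 10, "high": 14}

# Tiny constructed word list; a real check would use a full dictionary.
COMMON_WORDS = {"password", "summer", "dragon", "welcome", "monkey", "football"}


def check_password(pw: str, tier: str = "low", words=COMMON_WORDS) -> list:
    """Return the rules the password breaks (empty list means it passes)."""
    problems = []
    if len(pw) < MIN_LENGTH[tier]:
        problems.append(f"shorter than {MIN_LENGTH[tier]} chars for a {tier}-value account")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper case letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    lowered = pw.lower()
    # Spelling out a whole dictionary word is the thing to avoid; a passphrase
    # that has been mangled with digits and case changes will not match here.
    for word in sorted(words):
        if len(word) >= 4 and word in lowered:
            problems.append(f"spells out the dictionary word '{word}'")
    return problems


def find_reuse(passwords_by_site: dict) -> dict:
    """Map each password used on more than one site to those sites (the 'unique' rule)."""
    sites_by_pw = {}
    for site, pw in passwords_by_site.items():
        sites_by_pw.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_pw.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample list of the kind a paper notebook might hold.
    sample = {"bank": "Summer2016", "email": "Summer2016", "streaming": "Tq7mBx2L"}
    for site, pw in sample.items():
        print(site, check_password(pw, "high" if site == "bank" else "low"))
    print("reused:", find_reuse(sample))
```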

The article had some additional suggestions, which are distilled below to something normal people might actually use:

  • Don’t let websites retain information that connects to your financial accounts.  This means debit cards, account numbers, or anything else that points directly to your bank.  The only exception I can see to this is the website of another bank.  Charges on a stolen credit card can be high-order nuisances.  But stolen bank balances are something else entirely.
  • If you let your web browser store your login information, then use a browser that encrypts the data and requires a password to access it.  And never allow storage on a computer you don’t own and completely control.

Oh, and if your passwords are stored on your computer or smart phone please remember these gadgets are not immortal.  Back up the list to a flash drive or printout and hide that somewhere you can find it.  And be sure to include those stupid security questions and answers.  You might need them a year from now.

—————-

[1] James Mickens. “This World of Ours.” ;login: The Usenix Magazine, January 2014.
https://www.usenix.org/publications/login-logout/january-2014-login-logout

[2] If you want to really lock your stuff up and need a suggestion for a password app I use KeePass.  It’s highly configurable and open-source (and free).  I’ve also heard good things about LastPass but I’ve never used it.