First a disclaimer. This article is written with ordinary private users in mind. Things get a bit more complicated if you deal with secret information, for example at a company.
A password is the standard way to protect our digital information, and the net is full of advice about passwords. But many, if not most, miss the really important points. You have seen them, nerds bragging about how long and complex passwords they use. Forget that. Or that passwords shall be changed frequently. Forget that too, it just makes it harder to remember them.
Adding complexity by using numbers, special characters and capital letters makes sense. But not even that is the primary importance. This topic will be covered in another post.
So what is most important then? Here comes the TOP4 list.
What’s the simplest way to get someone’s password. Asking for it of course! Yes, no joke. Most intrusions in private e-mail accounts start with password phishing. It’s a trick to make users input their login credentials on a fake page run by the crooks. So the clear number one is learning to recognize and avoid this trick.
Make sure your smart phone has a proper long PIN or password, and that it locks automatically when not used.
The worst hacker may sit next to you at home. Make sure nobody is looking to closely when logging in.
Avoid the really bad passwords. Here’s a list of such bad passwords. And of course similar words in your own language. Also avoid easily guessable words, like your name, your pet or family members, your boat or birthday, and so on.
So focus should be on how you handle your passwords and keep them secret. Not on how complex they are. You will actually do quite well with relatively simple passwords, if you follow these rules. And simple passwords are easier to remember.
This will probably require a bit more explanation, because password advice normally focus on password length and complexity. So why is handling in focus here?
Advice number 1 is caused by the way cyber criminals work. Passwords have traditionally been attacked by trying all possible combinations, a so called brute force attack, or by trying words in a dictionary, which quite logically is called a dictionary attack. Both work, but require time and resources. Password length and complexity is needed to fight these methods. But phishing is fast, cheap and scalable. Cyber criminals can send millions of spam mails linking to the fake phishing sites, and consider it a success if a couple of percent fall for it. So why waste time and resources on heavy computations when you can achieve the same result just by asking for the passwords. Read more about phishing here.
Seen from another angle one can say that your password is essential for you. But for the criminal you’re just on line on the spam list. It doesn’t matter if he gets your password or someone else’s. No point wasting resources on you if the easiest trap didn’t work.
Advice 2 to 4 has to do with the fact that cyber criminals aren’t your only enemy. People close to you may have a lot of reasons to hack your account, from joking to hate and jealousy. This can be a very acute problem in families with kids, where blocking software is deployed to manage kids’ surfing habits. That makes mom’s and dad’s password extremely valuable.
Our smartphones can be a real security disaster. All your accounts and e-mails are kept open in apps, and it’s all wide open if you can access the device. Advice number 2 is essential when you put the phone down. It’s easy for a family member to access it, for example to use the “forgot password” function on one of your accounts and accessing the reset link in your mail.
“Hackers” in this group are more persistent. They are motivated to crack your password, so they will not give up and pass on to the next victim. They also know a lot about you. Therefore advice 4 about the names.
Needless to say, shared passwords are bad passwords. It’s not uncommon that family members know each other’s passwords for some reason. This can become a problem for example after a divorce, when relations aren’t so friendly anymore.
That’s the fundamentals for keeping your accounts safe. Read more about password quality here.