The ramblings of a giant squid…

Internet and Computer Security For Home Users During Lockdown (well, any time really) – Part 2

Crime, Current Events, Friends-Romans-Countrymen, Rules, Security, Technology

Passwords. They’re annoying. They’re a massive pain in the arse. And now, people are saying your favourite password – your first dog’s name – is no good because it’s too short and too personal. You may even have received an email that says some scumbag installed malware on your computer and has video of you wanking that they’ll release to the world if you don’t pay iTunes cards or some cryptocurrency (seeing a theme in these posts?). As proof, they’ll even have your password in the email. OMG!!!

What can you do about it?

First, I’ll deal with the easy one: the blackmail scam. All blackmail – whether it’s a silly email or some modern thug threatening you over the phone – works like this:

  • the dirtbag claims to (maybe even actually does) have some information about you that you might find embarrassing;
  • the dirtbag claims that they won’t release the information if you pay them.

What actually happens is one of three things:

  • They don’t have the information but got a lucky guess at something that embarrasses you, and you literally throw money at some scumbag. You’re poorer, and hopefully wiser; but…
  • If they got money once, they’ll make the same threat again because if you paid once, you’ll pay again; OR
  • They really do have information, in which case it works like the previous two items except that, if they really have the information, it’s going to get out sooner or later, so you’ll still be embarrassed AND be out the money.

In short, if you ever pay a blackmailer, you’re literally throwing money away for nothing – either because they can’t actually hurt you, or because you’re going to get hurt whether or not you pay. THIS IS HOW ALL BLACKMAIL WORKS. Never pay a blackmailer, ever. And if you really think they have something, suck it up and admit it wherever it would be important because that important place/person is going to find out eventually. Never pay though. Not even once.

OK, now on to the issue at hand – the password. Maybe you saw it in a blackmail email, maybe you got a notification that there was an information breach on some service you use. Maybe your IT professional kids are telling you to stop using “password” as your password. Whatever the reason, you’ve been prompted to think about passwords.

Passwords are an archaic, borderline useless authentication mechanism. They’re a pain in the arse for humans to use effectively, and ever increasingly trivial for computers to guess at. However, they’re also inexpensive to implement and relatively easy for anyone to use. One time.

The problem comes when you have more than one account that needs a password. If you’re a nerd like me, that adds up fast: I literally have close to 500 password-protected accounts. I cannot remember 500 passwords – especially passwords that are long and complex. Now, lots of people solve this problem by using the same password everywhere. That’s really bad, and here’s why:

Think about that email that says there is video of you wanking to porn. Obviously, they have your email. It also contains a password scraped from any of a multitude of security breaches at big-ticket services like LinkedIn, Yahoo!, Adobe, and more. Crooks take that email and that password and try it *EVERYWHERE*. So if you’re cutting corners by using the same email and password for everything, one LinkedIn breach and now every crook has access to your Facebook, maybe banking, Twitter, Instagram, store/merchant accounts like Cafe Press, and so on. Testing those things is all done automagically by computer programs, so the crooks literally buy a compromised database and run tools on it to see what they come up with. There is very little they love more than the person who uses the same email and password for everything.

I’m not going to get into why you should have multiple email addresses because I know that far too many people will say “I’m not a computer nerd. I can’t be arsed to have 234 email addresses.” Fine. However, there really is no excuse not to have a different password everywhere. What I am about to show you should be considered “Computer Basics”. This is like learning what the brake and accelerator pedals do when you learned to drive a car.

  1. Install a password manager – There are plenty out there. I use PwSafe because it works on Windows, Linux, iOS, and Android. There are others – many people I know enjoy LastPass. There are other choices too, so consider having a look at this article. What they all give you is a small application/database to which you have to remember ONE password, and the database stores all your other passwords, allowing you to click/cut/paste them into login screens where you need them. Of course, this means that the password to that database should be STRONG AND LONG (<cough>insert obligatory internet porn reference </cough>) because if that database password gets hacked, you’re sunk. However, because it’s the only password you’ll have to remember, doing that should be easy. Realistically, this is truly a must-have application on your computers and devices, and it doesn’t matter how unsophisticated a user you believe you are.
  2. Use a different password for every single account, without exception – The reason you install a password manager is because of this. It is simply not smart, reasonable, nor acceptable in 2020 to reuse passwords. If you use a password manager, they all have the ability to generate crazy-strong passwords for you, because they know you’ll never have to remember them. Use this feature. In this way, even if some service gets hacked, the worst case would be that the crooks get the password to that service, and nothing else.
  3. Generate long, strong passwords – Password managers will do this automatically, but usually you can tweak the rules it uses. I am going to tell you how to set the rules. To begin with, unless the service you are setting a password for is ancient and only accepts 8-character passwords, know now that an 8-character password has a break strength of less than a day… much less if it’s a commonly used word, or something similar to what is on THIS LIST. By and large, you want to set the rules to a MINIMUM of:
    1. Length – 12 characters, 16 is better, 20+ is best. In my experience, plenty of sites still weird out if you go for 16 or more (they shouldn’t, but ranting about awful application and web site security could be another 238 posts).
    2. Complexity rules – at least one uppercase, one lower case, and one symbol and/or digit.
  4. Don’t worry about password expiry – if you’ve made strong passwords, you don’t have to worry about that old school “change your passwords every X days” crap. The idea behind that was that you changed your passwords in a time period shorter than it would be expected that a crook could break your password. Right now, an 8-character password is crackable in minutes to about a day, so if you’re using password expiry, you need to change an 8-character password about 4 times an hour to be safe. A 12-character password, or longer, is good for years.
  5. It’s still a good idea to change your passwords once a year as a matter of course – you’re using a password manager, so changing passwords isn’t a big deal because you don’t have to remember them. I do “Christmas Holiday Computer Maintenance” when I check my digital photos, and change passwords. The reason you do this is because it limits potential damage if your password is breached and nobody notices.
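To make items 2, 3 and 4 concrete, here is an added example (my own illustration, not code from this post or from any password manager) that does the three things a manager does for you: generates a password that meets the rules above using a cryptographic random source, shows how the worst-case time to try every password grows with length, and audits a toy vault for reused passwords. The symbol set, the sample vault, and the guess rate of ten billion guesses per second are all constructed assumptions for illustration; real cracking rates depend entirely on how the site stores its passwords.

```python
"""Password hygiene helpers: generate, check rules, estimate brute-force time, audit reuse."""
import secrets
import string
from typing import Dict, List

# Minimum rules from the post: 12+ characters, at least one uppercase,
# one lowercase, and one symbol and/or digit.
MIN_LENGTH = 12
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"   # constructed symbol set; real managers let you tune this
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS


def meets_rules(password: str, min_length: int = MIN_LENGTH) -> bool:
    """True if the password satisfies the post's minimum length and complexity rules."""
    return (
        len(password) >= min_length
        and any(c in UPPER for c in password)
        and any(c in LOWER for c in password)
        and any(c in DIGITS or c in SYMBOLS for c in password)
    )


def generate_password(length: int = 20) -> str:
    """Generate a random password over ALPHABET that satisfies meets_rules().

    Uses the secrets module (a CSPRNG), never the random module. Rejection
    sampling keeps the result uniform over all strings that pass the rules.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_rules(candidate):
            return candidate


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct passwords of exactly this length over the alphabet."""
    return alphabet_size ** length


def years_to_exhaust(length: int, guesses_per_second: float = 1e10) -> float:
    """Worst-case years needed to try every password of the given length.

    guesses_per_second is a constructed assumption (a fast offline attack
    against a weak hash); real rates vary enormously with the hash in use.
    """
    seconds = keyspace(length) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def find_reused_passwords(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password shared by more than one account to the accounts using it.

    vault maps account name -> password (a toy stand-in for a manager export).
    """
    by_password: Dict[str, List[str]] = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    pw = generate_password(20)
    print("generated:", pw, "passes rules:", meets_rules(pw))
    for n in (8, 12, 16, 20):
        print(f"{n:2d} chars: {years_to_exhaust(n):.3g} years at 1e10 guesses/s")
    # Constructed sample vault showing the reuse problem from the post.
    sample_vault = {
        "linkedin": "Fido1999!",
        "facebook": "Fido1999!",
        "bank": "Fido1999!",
        "twitter": "q7$Lm2#vPz9wT!x4",
    }
    print("reused:", find_reused_passwords(sample_vault))
```

Run it and compare the 8-character line against the 12-character one: with the same assumed guess rate, 8 characters is exhausted in days while 12 characters takes hundreds of thousands of years, which is the whole argument behind "don't bother with expiry, bother with length". The reuse audit is the same check a breach notification forces on you, done before the breach instead of after.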

In Part 3 we’ll learn about “Things you shouldn’t answer or click on in social media”.
