The recent hacking of celebrity photos has drawn increased attention to the importance of online passwords and how many people don’t approach them seriously.
The theft of nude photos of the actress Jennifer Lawrence from her Apple iCloud account follows previous hacks involving Scarlett Johansson, Paris Hilton, and Sarah Palin.
Hackers like to filch from celebrities because it gives them bragging rights among fellow hackers. This isn’t an issue with ordinary people. But everyone should be concerned with protecting sensitive information online.
The main issue with passwords is balancing security with convenience. The most convenient option is to use the same password with all of your sites and to make that password easy to remember by choosing a simple word, as simple as “password,” which believe it or not some people still do. This of course is also the least secure option.
There’s actually a list that circulates among hackers of the 500 most commonly used passwords, which along with “password” includes “123456,” “abc123,” “letmein,” and “iloveyou.”
More websites these days require you to create passwords that are at least eight characters long and that include at least one capital letter and one number. This is good practice with any site. Here is other frequently offered, and frequently ignored, password advice:
- Use symbols as well as uppercase and lowercase letters and numbers. The more types of characters you find on your keyboard that you include in a password, the more difficult it will be to crack.
- Don’t use as passwords your birthdate, the name of a relative, or a dictionary word. Some password-cracking programs simply run through all of the words in a particular dictionary.
- Use longer rather than shorter passwords. Eight characters should be the minimum, but 12 is even better. Some “brute force” password-cracking programs on heavy-duty hardware can run through every possible eight-character combination in a matter of hours.
- Use a “passphrase” instead of a password. A short sentence, such as “Go forth 4 ever&more,” can be easy to remember, not too difficult to type, and very difficult to crack.
- Don’t reuse the same password or passphrase across multiple sites just because it’s easier to remember. Periodically a high-profile site is hacked and thousands of users’ passwords are exposed. If a hacker obtains one of your passwords this way, or by using a password-cracking program, and you use the same password elsewhere, breaking into your other accounts becomes easy. Instead, consider making each passphrase a variation, changed in a standard way based on the site you’re connecting to. As just one of many possible examples, you could include within the passphrase the first three letters of the site’s name, each shifted forward three places in the alphabet, so that GOO becomes JRR.
- Use dual-factor authentication, sometimes called two-step verification, whenever it’s available, particularly with financial or other sensitive sites. Dual-factor authentication requires you, when logging in, to provide a second piece of information along with your password, such as the answer to a security question or a code that’s texted to you. Choose questions whose answers can’t be easily guessed by hackers or found from information publicly available online, as the city where you went to high school often can be. In some of the recent celebrity cases, it’s believed that this is how hackers gained access to their victims’ accounts.
- Use a password management service, or otherwise hide your passwords. Some people write their passwords on a piece of paper, even taping the paper to their computer or desk. The obvious downside to this is the risk of someone, from a nosy babysitter to an office adversary, coming across it.
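As an added illustration, not part of the original article, the following Python checks a candidate password against the length and character-set rules above and estimates how long an exhaustive search of its character set would take. The guess rate and the five-entry common-passwords sample are constructed for the example; the five entries are the ones the article names.

```python
import string

# Constructed sample of commonly used passwords; these five are the entries
# the article names. A real checker would load the full published list.
COMMON_PASSWORDS = {"password", "123456", "abc123", "letmein", "iloveyou"}

# Assumed offline guess rate for a cracking rig. The value is an illustrative
# assumption chosen so that an eight-character search finishes in hours, as
# the article describes; it is not a measurement.
GUESSES_PER_SECOND = 1e12

SYMBOLS = set(string.punctuation) | {" "}  # printable ASCII symbols plus space


def character_pool_size(password: str) -> int:
    """Size of the smallest keyboard character set that covers the password."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in SYMBOLS for c in password):
        pool += len(SYMBOLS)
    return pool


def brute_force_hours(password: str) -> float:
    """Hours to try every string of the same length drawn from the same pool."""
    combinations = character_pool_size(password) ** len(password)
    return combinations / GUESSES_PER_SECOND / 3600


def assess_password(password: str, dictionary=frozenset()) -> list:
    """Return the article's rules the password violates (empty list = none)."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-passwords list")
    if password.lower() in dictionary:  # caller supplies a word list
        problems.append("dictionary word")
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    elif len(password) < 12:
        problems.append("shorter than the recommended 12 characters")
    if not any(c.isupper() for c in password) or not any(c.isdigit() for c in password):
        problems.append("needs at least one capital letter and one number")
    if not any(c in SYMBOLS for c in password):
        problems.append("contains no symbols")
    return problems
```

With the assumed rate, an eight-character password drawn from all four character classes falls in under two hours, while the article's passphrase "Go forth 4 ever&more" passes every rule and its pool would take far longer than any practical attack.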
A password management service lets you use one password for it and fills in your passwords, automatically and behind the scenes, for sites you visit. Two recommended password managers are LastPass and KeePass.
It’s still a good idea to keep a separate record of your passwords, in a word processing or spreadsheet file, for instance, and to keep this list encrypted. Alternatively, keeping such a record and consulting it when needed can itself serve as your way of logging in to sensitive sites.
Basic file encryption is built into various versions of Microsoft Windows and the Mac’s operating system. You could also use a third-party encryption program or an archiving program that includes encryption as an option, such as 7-Zip. Back up any encrypted file on which you store passwords to multiple backup sources in case of hard disk crashes or other problems.