Checklist 08: Best Practices for Login and Password Security
- Password No-Nos (what NOT to do).
- Creating strong and secure passwords.
- The pitfalls of security questions.
- Make friends with a password manager app.
- What to do when your password has been compromised.
On today’s show, we’re going to talk about your passwords… pretty much the only things that separate all of your info from people who shouldn’t have it. That’s everybody from your kids to ne’er-do-wells who might steal from you, or sell your passwords to lots of people who might steal from you. We’re hitting best practices when it comes to login and password security — simple steps you can take to keep your accounts from falling into the wrong hands, and what to do in the event that your password has been compromised.
Password No-Nos (what NOT to do). When it comes to password and login security, there are a lot of things that you can do to help make things more secure. On the other hand, it’s all too easy to do things that actively harm your security. So before we get into the “best” practices, let’s go over some “bad” practices that you should avoid at all costs.
- Avoid weak passwords: We get it – it’s not exactly fun to try to remember complex passwords, especially when you have different ones for each site and have to enter them multiple times throughout the course of any given day at the computer. You might think that your pet’s name combined with your birth year is better than simply using the word ‘password’ for your password, and while that’s *technically* true, it still doesn’t make for a strong password. Bad guys use automated computer programs to quickly try combinations of words, names, and numbers when trying to crack a password, and it only takes seconds for them to go through an enormous number of possibilities. Don’t use a weak password such as a pet’s name, anniversary or other significant date, names of family members, sports teams, or other easy-to-guess things. And definitely don’t use the words ‘password’ or ‘secret’ for your password!
- Don’t reuse passwords: Unless you’re *only* using the internet to check your e-mail, you most likely have more than one online account to keep track of. If you’re like us and spend lots of time at the computer each and every day, you might have dozens (even hundreds?!) of separate online accounts. You might be tempted to use the same password for each of those sites, but as convenient as it would be, it’s a really bad idea. Why? The simple answer is that sites get hacked and passwords get cracked. Every website that offers online accounts needs a way to store login information for each user. While there are many steps a site can take to make sure that login information is stored securely on the web server, the unfortunate truth is that this just isn’t the case all the time. If a website gets hacked and the login information for its users wasn’t stored securely, it can be trivial for the bad guys to figure out the exact password for each and every person who had an account on the hacked site. Hackers often share those usernames and passwords, and write scripts that will try logging into a wide variety of websites (commonly online banking and e-mail sites) using the information found on the hacked site. If you’ve reused the same password on multiple sites, and one of them gets hacked, it’s not going to be long before the bad guys use your login info to get into those other sites as well.
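The item above says a site can store login information "securely" without saying what that looks like. The following is an added example (not code from SecureMac or from any password manager mentioned on this page) of the server-side piece: passwords are never stored, only a salted, slow PBKDF2 derivation is, so a stolen table does not hand an attacker the exact password of every user, and two users who picked the same password get unrelated records. The user names, passwords and the 600,000-iteration work factor are constructed values for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample users for this example; two of them chose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "Tr0ub4dor&3",
    "bob": "Tr0ub4dor&3",
    "carol": "correct horse battery staple",
}

# PBKDF2 work factor. An assumed value for this example; tune it so one
# verification takes a noticeable fraction of a second on your server.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a stored record of the form algorithm$iterations$salt$digest.

    A fresh 16-byte random salt per user means identical passwords produce
    unrelated records, so whoever steals the table cannot spot reused
    passwords or run one precomputed table against every user at once.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation from the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def build_store(users: Dict[str, str], iterations: int = ITERATIONS) -> Dict[str, str]:
    """Hash every user's password the way a server should store it."""
    return {name: hash_password(pw, iterations=iterations) for name, pw in users.items()}


if __name__ == "__main__":
    store = build_store(SAMPLE_USERS)
    for name, record in store.items():
        print(name, record)
    print("alice logs in:", verify_password("Tr0ub4dor&3", store["alice"]))
    print("bob with a typo:", verify_password("tr0ub4dor&3", store["bob"]))
```

The record carries its own algorithm name and iteration count, so a site can raise the work factor later and re-hash users as they log in. Note that this protects only against the stolen-table scenario; it does nothing for a user who reused the same password elsewhere and whose other site stored it in plaintext, which is exactly why the item above tells you not to reuse passwords.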
- Don’t share login information: OK, sometimes sharing your login information is necessary, such as when different family members all need to log into the same Netflix account, but most of the time sharing login information is not a good idea. Don’t share your employee login information with your co-workers (they should be using their own account), don’t write your passwords down on sticky notes and leave them stuck to your computer monitor, and certainly don’t post your login information or password publicly online!
Creating strong and secure passwords. Now that we’ve gone over some of the things to avoid, let’s move on to things you can do to improve your password and login security!
Longer is stronger when it comes to password security. The more characters in your password, the longer it will take for automated password cracking software to correctly guess your password. Eight characters should be the absolute minimum when it comes to your password length. However, length isn’t the only component of a good password. You’ll want to use a combination of uppercase and lowercase letters, numbers, punctuation marks and symbols.
Some people find it helpful to use a word or simple phrase for their password. Try replacing some of the letters with similar looking characters to help keep things easy to remember. For example, instead of using ‘password’ you could replace the ‘a’ with an @ symbol, replace an ‘s’ with the $ symbol, and replace the ‘o’ with the number zero. Throw in some extra punctuation marks at the end, and you’ve got a much stronger password!
The pitfalls of security questions. There’s an aspect of login security that you might not have ever considered — those security questions you filled out when you first created your online account. Normally, these security questions are used when you need to reset your password or recover access to your account, and while security questions can add an extra level of security there are some issues to be aware of.
Most of the time security questions are relatively simple such as “What city were you born in?” or “What is your mother’s maiden name?” The answers to questions like those are pretty easy for an attacker to guess, especially considering how much information we post on social media sites like Facebook!
Whenever possible, choose security questions and answers that can’t be easily guessed. Your answers don’t even have to make sense as long as you can remember them. Apple has a great example of one such nonsense answer to a security question on their site: Question: What is your favorite color? Answer: Mozart.
If a website you use gets hacked, there’s a chance that your security questions and answers will also be compromised. At that point, any other site that you used the same security questions and answers on becomes a target for the bad guys, even if you were using different passwords for each site. They could simply go through the account recovery or password reset process on each site, fill in the answers to your security questions, and gain control of your account without ever having to guess your actual password.
While it’s not always possible to have unique security questions for each site, try using unique answers from site to site whenever possible. You could append something to your answer such as an acronym for the site to help keep them separate.
Make friends with a password manager app. Unless you’re *only* using the internet to check your e-mail, you most likely have more than one online account to keep track of. If you’re like us and spend lots of time at the computer each and every day, you might have dozens (even hundreds?!) of separate online accounts. You might be tempted to use the same password for each of those sites, but…we already discussed why that’s a big no-no. So how do you keep track of separate logins for each and every website that you have an account on? Luckily, password management apps are here to save the day.
When it comes to generating strong, unique passwords for each and every site account, password management apps do all the heavy lifting for you! By specifying a “recipe” (such as the length of the password to generate, how many numbers and symbols to use, etc.), the password management app generates a unique, random password that meets your criteria.
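To make the "recipe" idea above concrete, and to put numbers behind the "longer is stronger" rule from the strong-passwords section, here is an added example (our own illustration, not the generator inside 1Password, LastPass or iCloud Keychain) of a recipe-driven random password generator with an entropy estimate. The `Recipe` field names, the symbol set and the attacker speed of ten billion guesses per second are assumptions made for the example.

```python
import math
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Recipe:
    """The 'recipe' a password manager lets you dial in. Field names are hypothetical."""
    length: int = 20
    min_digits: int = 2
    min_symbols: int = 2
    symbols: str = "!@#$%^&*()-_=+[]{};:,.?"


def alphabet_for(recipe: Recipe) -> str:
    return string.ascii_letters + string.digits + recipe.symbols


def meets_recipe(password: str, recipe: Recipe) -> bool:
    digits = sum(c in string.digits for c in password)
    symbols = sum(c in recipe.symbols for c in password)
    letters = sum(c in string.ascii_letters for c in password)
    return (len(password) == recipe.length
            and digits >= recipe.min_digits
            and symbols >= recipe.min_symbols
            and letters >= 1)


def generate(recipe: Recipe) -> str:
    """Draw every character uniformly with the OS CSPRNG (secrets, never random),
    then reject draws that miss the recipe's minimums. Rejection sampling keeps
    each accepted password equally likely, unlike 'place two digits, then fill
    the rest' schemes that make the digit positions predictable."""
    if recipe.min_digits + recipe.min_symbols + 1 > recipe.length:
        raise ValueError("recipe minimums exceed the requested length")
    alphabet = alphabet_for(recipe)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(recipe.length))
        if meets_recipe(candidate, recipe):
            return candidate


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly at random: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def exhaustive_search_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to try every possible password at the given rate (an assumed attacker speed)."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    recipe = Recipe()
    print("generated:", generate(recipe))
    cases = ((26, 8), (94, 8), (94, 16), (len(alphabet_for(recipe)), recipe.length))
    for size, length in cases:
        bits = entropy_bits(size, length)
        print(f"{length:2d} chars from {size:2d} symbols: {bits:6.1f} bits, "
              f"full search at 1e10 guesses/s: {exhaustive_search_seconds(bits, 1e10):.3g} s")
```

Running it shows that eight lowercase letters (about 37.6 bits) fall to a full search in well under a minute at that rate, while sixteen characters from the full printable set (about 104.9 bits) do not fall in any meaningful time. The estimate only holds for passwords drawn uniformly at random: a dictionary word with a few look-alike substitutions has far less entropy than its length and character mix suggest, because cracking tools try those substitutions directly.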
Think of a password management app as a kind of safe to hold your login information for all of your sites. The password manager app stores all of your login information in a safe and secure manner, and all you have to do is remember one single password to “unlock” the safe and get the login information for whatever site you need to access. There’s no need to remember the login information for each site, so there’s no excuse to not use strong, unique passwords!
Many password management apps come with browser plug-ins that can autofill your login information with a simple keyboard shortcut from the site’s login page. As an added bonus, most password management apps take extra steps to verify the authenticity of a site before autofilling the login info, which helps defend against phishing sites trying to trick you into providing your username and password to the bad guys!
Here at SecureMac, we highly recommend 1Password, which is one of the best password manager apps available. Other options include LastPass and iCloud Keychain.
What to do when your password has been compromised. If you’ve spent enough time online, you’ve most likely already gotten one of those dreaded e-mails letting you know that your favorite site has been hacked and that your password has been compromised. While it’s never fun to get an e-mail alerting you to a password breach, most of the time the e-mail will let you know exactly what information was compromised when the site was hacked, which can help prioritize your next steps.
- If you’ve reused the password from the compromised site anywhere else, the first thing you need to do is *immediately* change your password on any of the sites where you used the same password. This time around don’t reuse the same password across multiple sites!
- If the account breach included the answers to your security questions, be sure to change them on any other sites that used the same questions and answers.
- In some of the worst-case scenarios, such as those where something like your bank account information or credit card number was compromised, you’ll need to immediately contact your bank and let them know the situation so that they can set up special credit monitoring for your accounts and get the ball rolling on replacing your cards and changing account numbers.
- This is one situation where password management apps really shine: They make it simple to identify any of your other sites that were using the same password, and quickly change passwords on each of those sites.
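The steps above amount to a small triage procedure: take the breach notice, find every other site that shares the leaked password or security answers, and change those first. Here is an added example (our own illustration, not a feature of 1Password, LastPass or iCloud Keychain) that runs that procedure over a constructed vault. The `Entry` layout and the field names "password" and "security_answers" are assumptions for the example, not a real export format; the sites and credentials are made up.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class Entry:
    """One vault record. Field layout is hypothetical, not a real export format."""
    site: str
    username: str
    password: str
    answers: Dict[str, str] = field(default_factory=dict)  # security question -> answer


# Constructed vault for this example. Two sites share a password and a security
# answer; a third reuses the question but appended a site tag to the answer.
VAULT: List[Entry] = [
    Entry("shop.example", "alice", "Summer2019!", {"birth city": "Lisbon"}),
    Entry("bank.example", "alice", "Summer2019!", {"birth city": "Lisbon"}),
    Entry("mail.example", "alice", "mQ7#vL2pX!9rTb4w", {"birth city": "Lisbon-MAIL"}),
    Entry("forum.example", "alice", "zK3$wN8qR!2yHd6u", {"first pet": "Rex"}),
]


def triage_breach(vault: Iterable[Entry], breached_site: str,
                  compromised: Iterable[str]) -> Dict[str, List[str]]:
    """Turn a breach notice into an ordered to-do list.

    compromised holds the fields the notice says leaked; this example
    understands "password" and "security_answers". The breached site itself
    always gets a new password and comes first in each list.
    """
    compromised = set(compromised)
    entries = list(vault)
    breached = next((e for e in entries if e.site == breached_site), None)
    if breached is None:
        raise KeyError(f"{breached_site} is not in the vault")

    change_password = [breached_site]
    change_answers: List[str] = [breached_site] if "security_answers" in compromised else []
    for e in entries:
        if e.site == breached_site:
            continue
        if "password" in compromised and e.password == breached.password:
            change_password.append(e.site)
        # Same question with the exact same answer is what lets an attacker walk
        # through another site's reset flow; a per-site suffix breaks the match.
        if "security_answers" in compromised and any(
            e.answers.get(question) == answer for question, answer in breached.answers.items()
        ):
            change_answers.append(e.site)
    return {"change_password": change_password, "change_answers": change_answers}


if __name__ == "__main__":
    plan = triage_breach(VAULT, "shop.example", {"password", "security_answers"})
    for action, sites in plan.items():
        print(f"{action}: {', '.join(sites)}")
```

With the sample vault, a breach at shop.example that exposed both the password and the security answers flags bank.example on both lists, while mail.example is left alone because its "Lisbon-MAIL" answer no longer matches, which is the payoff of the per-site suffix suggested in the security-questions section.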
By following these best practices for login and password security (and avoiding password no-nos), you’ll not only make it harder for the bad guys to gain access to your accounts, you’ll be prepared in the event that one of your accounts becomes compromised — and know exactly what to do!