Introduction to Online Security
Part I - Passwords
Welcome to my first introductory lesson on the topic of online security. I hope to cover all of the basics in this series and provide a solid base for newbies in this field to start from. If you're reading this right now, then chances are you already know a decent bit about protecting your own privacy and securing your online accounts. That's fine; most of this will probably be a review for you, but I have included some extra tips that you won't find by looking through mainstream tech advice or from the mouth of your typical cybersecurity guru (I'm looking at you, Kevin Mitnick). In that case, you may want to skim through this, but pay special attention to the second half of the article. That's where the good stuff is. If you are a complete newbie, then congratulations! This entire work will be of value to you.
The topic for today is going to be passwords. You know, that thing that keeps your mom from creeping through your Instagram account while you're on the toilet, or maybe protects your phone from your significant other's prying eyes. They are one of the fundamental first lines of defense for your data on the internet, and I cannot over-emphasize the importance of having strong, unique passwords for every single account you have on the internet, and I mean Every. Single. One. P@ncake346 is not sufficient to protect everything you have ever collected or placed on the internet over your lifetime. Get yourself a reputable open-source password manager that isn't connected to the internet (or an encrypted text file if you don't trust them) and start generating unique, random passwords for all of your accounts. When you're done, your passwords should look something like this:
Looks strange, right? There are characters in there that the average Joe wouldn't even be able to type on their keyboard, and that's the point. If your password doesn't look like a 3-year-old's spelling mixed with ancient hieroglyphics, then you're not doing it right. But of course, there are exceptions. For example, the password used to protect your password manager itself should be something typeable, in which case I would recommend using something called a passphrase. Edward Snowden likes to give a colorful example involving his affection for Margaret Thatcher: Margaret Thatcher is 110% sexy. It's easy, memorable, and somewhat amusing as well.
There are many advantages to using this method over your typical password. The length, randomization, and diversity of characters used all increase the most vital property of any successful passphrase: its entropy. Without getting into too much technical detail here, the more entropy a password has, the harder it is to crack, and the number of guesses an attacker needs grows exponentially as the passphrase gets longer. For example, a password with an entropy of 42 bits would require 2^42 (or 4,398,046,511,104) attempts to go through every possibility in a brute-force attack. The example I provided above has an entropy of 346 bits, and you can be pretty safe in assuming that it isn't getting cracked anywhere within our lifetime. Another great benefit of this type of password is that, because of its random nature, it will not show up in a dictionary of previously breached passwords, leaving any would-be attacker empty-handed. The final benefit is that you cannot possibly remember it! If anyone were to pressure you into giving them your password, you can honestly tell them that you don't know it.
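As an added example (not the author's code) of the arithmetic behind this paragraph: the 2^42 guess count, how many printable-ASCII characters a 346-bit random password needs, how long exhausting it would take at a fixed guessing rate, and the same entropy calculation for a typeable passphrase. The eight-word list and the 10^12 guesses-per-second rate are constructed assumptions.

```python
import math
import secrets
import string

# Printable ASCII minus whitespace: 94 symbols. The author's generated
# passwords use a larger (non-ASCII) alphabet, which only raises the bits.
ASCII_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed 8-word list for the passphrase demo; a real list (e.g. diceware)
# has thousands of words, which is what makes each word worth ~13 bits.
DEMO_WORDS = ["margaret", "thatcher", "turbo", "pancake",
              "keyboard", "toilet", "hieroglyph", "victory"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret drawn uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def brute_force_guesses(bits: int) -> int:
    """Guesses needed to exhaust a search space of the given entropy (2^bits)."""
    return 2 ** bits


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest random string over the alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at a fixed guessing rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def random_password(length: int, alphabet: str = ASCII_ALPHABET) -> str:
    """Manager-style password: every character chosen by a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int, wordlist=DEMO_WORDS) -> tuple[str, float]:
    """Typeable passphrase plus its entropy: words * log2(len(wordlist))."""
    phrase = " ".join(secrets.choice(wordlist) for _ in range(words))
    return phrase, entropy_bits(len(wordlist), words)


if __name__ == "__main__":
    print("42 bits ->", f"{brute_force_guesses(42):,}", "guesses")
    print("printable-ASCII chars for 346 bits:", min_length_for_bits(94, 346))
    print("years to exhaust 346 bits at 1e12/s:", f"{years_to_exhaust(346, 1e12):.2e}")
    print("sample password:", random_password(16), f"({entropy_bits(94, 16):.1f} bits)")
    print("sample passphrase:", *random_passphrase(4))
```

If the vault itself is stolen, the remembered appendage from the next section is the only secret left, so size it with this same arithmetic rather than picking a dictionary word.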
After you've got yourself some sweet, unique, brute-force-proof passwords, it's time to move on to the fun part. This technique is used to mitigate the effects of a worst-case scenario, the breach of all breaches: somebody getting access to your password manager itself. Normally, this would be an absolute nightmare. After all, every account is now exposed! It's game over and time to start fresh; that 0-day in KeePassXC has ruined you! Wrong. What you need to do is create an appendage to add onto every password in your manager. It can be anything as long as you can remember it. Let's use turbotime! as an example. You make all your passwords as usual; the only difference is that you add turbotime! to the end of them. The end result should look something like this:
DO NOT put this appendage into your password manager. Don't be lazy; it takes 2 extra seconds to type it on the end after you've used copy & paste. If you've done this part, then congratulations: that clever attacker now has a useless password list. Every time they go to put in a password, it will fail, and you will emerge victorious.
After reading all of this, you might think that it's a lot of work. You might have 75 different accounts, and you don't want to go to all the trouble of changing every single one. Well, let's look at it this way. Every year hundreds of millions of passwords are leaked onto the internet in data dumps. Chances are you have been in one of them. All it takes is for someone to copy that one breached password from that Home Depot account you made 6 years ago, and all of a sudden they're taking money out of your bank or reading your emails. Don't believe me? Look up your email address on haveibeenpwned.com. You might be surprised at how many times your info has been dumped. Trust me, all it takes is one particularly painful breach for you to loathe the day you decided to turn this opportunity down.
If you’ve found the information above to be refreshing or helpful, and would like to thank your benevolent, hardworking author, then consider leaving a small tip at one of the addresses below.
XMR (Superior privacy, Lower fees):