Keep what’s yours safe online with our guide to how to stop password hackers in their tracks.
With so many services requiring complex passwords, it can be easy to get overwhelmed and scared by the possibilities. Online scams can and do cost Australians millions each year, and nobody wants that to happen to them.
So how do you manage all your password needs, and what should you look out for in terms of password hacks?
How do online criminals get my passwords anyway?
There are a number of ways that your passwords could end up in the hands of cyber criminals.
In some cases, it’s because your account gets phished with a convincing looking fake.
In other cases, it’s because you’ve chosen a weak password and they’ve simply brute forced their way through combinations until one worked.
In still other cases, malware that makes its way onto your computer can record your keystrokes, including those typed into password fields, through what are called keyloggers.
Those cases rely on faults on your end (along with a little manipulation of existing systems), but it’s also possible to have your passwords compromised through no fault of your own.
A password breach is what happens when a company’s own store of passwords – so your credentials with an online shop or service, for example – is compromised en masse.
In that case, you did nothing wrong and your password may have been very good, but you’re still in a potentially compromised position.
What to do to defend yourself against password attacks
There are a few simple things that you can do to maximise your security and minimise the risk of your passwords being compromised.
Use unique passwords for every service
Why it matters: If you have a password that you use for more than one service, it’s the equivalent of having just the one key to multiple safes. Most services pair your email address with a password, with that pair “proving” your identity.
If your password is compromised in any way, one of the first and most common attacks will be to apply that password and email combination against multiple services. Suddenly, you’re not just compromised on one site, but many.
Never use dictionary words (or number sequences) as your password
Why it matters: Every year, lists are published of the most commonly compromised passwords. Depressingly, year in, year out they’re nearly always topped by simple passwords such as “Password” or “123456”.
The simple reality here is that there isn’t a dictionary word that online criminals haven’t tried as a password combination at some time. Modern computing power means that they can cycle through those combinations at blistering speeds too.
The same is true for simple number sequences. There’s a famous scene in Mel Brooks’ movie “Spaceballs” where a character is derided for having a luggage lock combination of “12345”. Sure, it’s easy to remember – but it’s also easy to crack, which is why that scene is played for comedy. There’s nothing funny about having your online identity compromised or bank accounts drained, however.
This is why most password systems will tell you that your password must contain a mix of capital and lower case letters, numbers and symbols. It’s not because the programmers enjoy making you struggle to come up with them. It’s because a mix of character types makes a password mathematically harder to crack: every extra character type multiplies the number of combinations an attacker has to try.
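To put the “mathematically harder to crack” point into numbers, here is an added Python example (not from the original article) that sizes the brute-force search space for a password and applies the rules above: it flags entries from a constructed sample of the annual common-password lists and pure digit sequences. The guess rate of ten billion per second and the 12-character minimum are assumed figures for illustration.

```python
import math
import string

# Constructed sample of frequently leaked passwords (a stand-in for the
# published annual lists; not a real breach dump).
COMMON_PASSWORDS = {"password", "123456", "12345", "qwerty", "letmein", "iloveyou"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that could have produced this password."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))

def keyspace(password: str) -> int:
    """Number of candidates a brute-force search over that alphabet must cover."""
    return charset_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    return math.log2(keyspace(password))

def seconds_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time for an attacker guessing at the given rate (assumed figure)."""
    return keyspace(password) / guesses_per_second

def is_number_sequence(password: str) -> bool:
    """All digits, stepping by a constant 0, +1 or -1 (e.g. 123456, 987654, 111111)."""
    if len(password) < 3 or not password.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(password, password[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}

def assess(password: str) -> dict:
    """Apply the article's rules: no common passwords, no number sequences, mixed classes."""
    if password.lower() in COMMON_PASSWORDS:
        verdict = "weak: common password"
    elif is_number_sequence(password):
        verdict = "weak: number sequence"
    elif charset_size(password) < 62 or len(password) < 12:   # thresholds are assumptions
        verdict = "weak: too short or too few character classes"
    else:
        verdict = "ok"
    return {"password": password, "bits": round(entropy_bits(password), 1),
            "years_to_exhaust": seconds_to_exhaust(password) / 31_557_600, "verdict": verdict}

if __name__ == "__main__":
    for pw in ("123456", "Password", "987654321", "K9$wharf-Lantern2"):   # constructed samples
        print(assess(pw))
```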
Use a decent password manager
Why it matters: We’re increasingly being asked to create passwords for everything from government services to online banking, shopping, social media… the list goes on and on and on. To give this a personal context, I can tell you right now that I have a list of 398 different passwords that I might need. Sure, my own tech enthusiasm means I’m probably above the average by a wide margin, but there’s still no way I could remember 398 passwords anyway!
I don’t have to, because I use a password management app to both store them and to create them in the first place.
This is secured against a single, strong password used to unlock the entire vault of passwords which can synchronise across my phone, laptop and tablet devices for easy access.
There are a number of players in this space, including well-regarded packages such as Dashlane, 1Password, LastPass, KeePass and others. If you’ve got anti-virus software on your PC, it may already contain a password manager module, too.
Use multi-factor authentication
Why it matters: If you’ve set up an account to deal with government services, you’ve all but certainly hit multi-factor authentication, where you enter your password and it then asks you to verify a code sent to you, typically via SMS.
Multi-factor authentication adds additional verification steps to ensure that you are indeed who you claim to be. Not every service supports multi-factor authentication (sometimes called “two-factor authentication” if it’s only adding one extra step to the existing password), but if the services or sites you’re using do, it’s highly advisable to turn it on.
It does involve a little more time on your part, because you’ve got to wait for those extra login details to arrive, whether that’s through SMS, a confirmation email, an authenticator app or a physical authentication device. However, the security here relies on the fact that if your password were to be hacked, broken or leaked, your account itself would still be secure.
Here’s how this works: If I’m a bad guy and I get your password and email address through, say, a leak online of a badly secured database and you have MFA enabled, I’ll hit a barrier when I try to log in, because I won’t have that additional factor to use. What’s more, you’ll get sent that SMS, or email or whatever the factor is, alerting you to the fact that somebody’s trying to access your account.
One detail to be wary of here is that scammers have used this to try to get access to accounts by sending out “fake” warning notices with links to “check” your accounts, warning that they may be locked down if you don’t act immediately.
That’s classic phishing, but what you should do in every case is find the links yourself – not the ones in emails or SMS – and click through to your service in the usual way. If there’s a problem they’ll let you know that way.