Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Let me in! 10 tips to better passwords
1. Let Me In!
10 Tips to Better Passwords
Marian Merritt
Norton Internet Safety Advocate
Let Me In! 10 Tips to Better Passwords 1
2. Why It Matters
• Passwords protect your stuff
• A good password stops a hacker in his/her tracks
• A good password doesn’t make you crazy trying
to remember it
• A good password strategy = peace of mind
Let Me In! 10 Tips to Better Passwords 2
3. Passwords in the News
•Payment System – 130 million
!
accounts
E D •Gaming site 1 – 77 million
K
accounts
A C •Social site – 30 million accounts
•Military site - 26 million
H accounts
•Career site – 6.4 million accounts
•Dating site – 1.5 million accounts
Let Me In! 10 Tips to Better Passwords 3
4. How the Hacker Uses Your Hacked Password
• Published databases of
usernames and passwords
from major data breaches
• They might already have the
combination of your email
address and favorite
password
• Plus dictionaries, common
phrases
• Keep running the list against
the target site
Let Me In! 10 Tips to Better Passwords 4
5. What Are Some of The Most Popular Passwords?
12345 Abc123 Michael
123456 Monkey Football
1234567 Trustn01 Ashley
12345678 Dragon Bailey
123123
Baseball Shadow
111111
Iloveyou Letmein
Password
Master Blink182
Passw0rd
Password1 Sunshine Admin1
Welcome Qazwsx
Welcome1 Superman
Let Me In! 10 Tips to Better Passwords 5
6. 1. Think Unique
•Not guessable word or phrase
•Different for each site and account
•Some use a few complex passwords and then
one “master” passwords for accounts considered
unimportant
•All accounts are important
•Not password that anyone else would use
Let Me In! 10 Tips to Better Passwords 6
7. 2. No Dictionary Words
• Avoid using full words you might find in a dictionary
• Real words can be “edited” for password use
– Dictionary becomes
•D1(t10nAry (as an example)
• But hackers are “on to” common letter
replacement tricks like these
Let Me In! 10 Tips to Better Passwords 7
8. 3. No Pet Names or School Mascots
• Even if you went to “D1(t10nAry High School”
– Avoid public information
• Children often use their pet’s name
– Friends and siblings hack accounts this way
• Security Questions and Answers should be hard to
guess
– You can use “fake” answers to “mother’s maiden
name” but you’ll need to remember what you used
– Better are sites that let you create your own
questions
Let Me In! 10 Tips to Better Passwords 8
9. 4. Pay Particular Attention to Most Important Accounts
• Email is most important
– “Forgot your password” link on sites goes to email
– Hacker with access to email can reset all other
accounts
• Nearly as important is social networking
– Hacker can run scams against friends and colleagues
• Financial sites and shopping sites with stored credit
cards, too
Let Me In! 10 Tips to Better Passwords 9
10. 5. Create a Pass Phrase and Turn It Into a Password
•Select a multi word phrase that is meaningful to
you (8 words or more)
•Ex: “I want to go to Africa in 2013” – 8 words
•Reduce to letters and numbers or characters
•Ex: Iw2g2Ai2013
•Now you have complex password BUT (see next
slide)
Suitcase
Create a mental Zebra
picture of your
2013
phrase!
Let Me In! 10 Tips to Better Passwords 10
11. 6. Make Unique for Each Account
• Iw2g2Ai2013 – complex but not unique
• At each site, create a variation that you can remember
– For example, add first letter of the site’s name:
• The “N” in Norton.com + Iw2g2Ai2013 = NIw2g2Ai2013
– Or, add letter adjacent to the first letter of site’s name:
• N becomes M (or B)
• M+ Iw2g2Ai2013 = MIw2g2Ai2013
Now you have created a system of UNIQUE and COMPLEX
passwords that you might be able to remember!
Let Me In! 10 Tips to Better Passwords 11
12. 7. Use a Password Manager to Make This Easy
• Even with complex, unique password system, it’s work
to remember them all
• Password manager programs can secure all in
encrypted file, protected by one master password
• Makes life easier while managing complex and unique
passwords
• Allows sync to the cloud, making passwords portable
• Example: Norton’s Identity Safe (included in Norton
360, Norton Internet Security or as free download)
– https://identitysafe.norton.com
Let Me In! 10 Tips to Better Passwords 12
13. 8. Never Share or Show Passwords
• Don’t write them down
• Never email or text them to someone
• If you tell it to someone, change the password as soon
as possible
• Legitimate companies NEVER ask for your account
password
Let Me In! 10 Tips to Better Passwords 13
14. 9. If Notified About Data Breach, Take Action!
• Access your online account and change the password
• If a financial account, monitor transactions for unusual
activity
• If your social network, make sure the email addresses
and contact information are yours and:
– Review your privacy and security settings
– Monitor your “news feed” for unusual activity
– Monitor your friends list for people you don’t recognize
– Review apps that you’ve signed up for and the data they can
access
Let Me In! 10 Tips to Better Passwords 14
15. 9. Install Security Software
• Get a security product for all devices:
– Computers
– Mobile phones
– Tablets
• Prevent password-stealing malware from infecting
your device
• Alert you to dangerous websites or links
Let Me In! 10 Tips to Better Passwords 15
16. 10. Secure Mobile Devices with a Password
• Mobile apps may auto log you in to accounts
• Protect access with a password on phone or tablet
• Remove apps you don’t use anymore that may have
credit cards or financial info store:
– Shopping sites
– Banking and Investment companies
– Travel sites
Let Me In! 10 Tips to Better Passwords 16
17. Summary • Create unique passphrase (no
dictionary words)
• Nothing others will guess
• Customize for each site
• Focus on email, social, financial
sites first
• Use password managers
• Never share or show passwords
• Take action if breached
• Use security software
• Set passwords on mobiles
Let Me In! 10 Tips to Better Passwords 17
A good password keeps your private information private. It restricts access to your accounts to those you trust. It ensures trust in those who deal with you; when they see information coming from your accounts, they know it’s from you. Passwords are more than the keys to your virtual house. They are a constant force of protection, keeping dangerous elements away, as you interact with your information on your computer, via your mobile devices, in the cloud and increasingly to all devices that access the internet. Password strategies vary but you shouldn’t have to resort to methods of madness like writing your passwords down on a pad next to your computer. Or worse, using the same password for everything you do. Learn some tips for getting your passwords in better shape, being able to manage and retrieve them easily and learning to relax when the next data breach comes along.
What’s going on? Hackers have discovered a variety of ways to defeat security to access databases of user accounts and passwords. What’s worse, when the data gets out, hackers often post it for other hackers to use. This means, if your account was hacked, your user name (often it’s your email address) and password get posted in a database that is public. If you are someone who uses the same password for all your accounts, it’s just a matter of time until someone takes your email address and favorite password and gains illegal access to another of your accounts. What if it were your bank account or your social network? How might you feel? Often, consumers are notified when their information has been involved in a breach. Consider those terrible times a kind of gift. A gift to remind you to use better passwords, unique passwords, especially for your most important account. Keep reading to find out which account is the most important one.
Hackers share best practices to keep “upping” their game. From published databases of old data breaches, the security industry is better able to see how consumers fail at creating and using good passwords. Seemingly simple and what should be a minor security step, passwords have never been more crucial in crafting a good internet security strategy.
Recognize some of these as your own? Uh Oh! Time to change those immediately. Others look like a good effort to create a strong password. They replace common letters in a dictionary word with a character or number that resembles it. So you get Passw0rd, instead of Password. But if it’s common, that means hackers have it in their list of passwords to try. Others like “QAZWSX” look clever and tricky. But if you look at your computer keyboard, it’s the left most keys in descending order. And if it’s common? Again, it goes in the hacker’s bag of passwords to try. Your best passwords are not dictionary words, should have eight or more characters that combine upper and lower case letters, numbers and special keyboard characters. I know, “groan”. And worse, it can’t be the same phrase you use over and over which weakens its worth. Your pass code also needs to be customized for each account and somehow, memorable!
If I know you, can I guess your password? If I know the password you used on another account and you use the same password for everything, can I get in to this account? Can I answer your security questions and change your password? Remember what has happened to famous politicians who had their email account hacked this way?
Remember from a few slides ago? Hackers START with a dictionary. And children often use names of pets and schools so those will be in the database too. We’ve got to think as craftily as the hackers.
Public information is everything shared on social networks, like your employers, favorite bands, teams, tv shows, etc. Members of your family (even your mother is listed on there, right?). What about where you’ve lived or gone to school? Avoid this sort of information in your password or security questions.
If the hacker gets access to your email account, they can change the password at every other account you use. Then they’ll go to your social networks, and change all the contact information. That way you can’t recover the account easily. And the hacker can post to all your friends and network of colleagues any scam they are running.
Now to the heart of the matter, creating that magical password strategy. Start with the pass phrase. After you create it and start using it, you’ll be AMAZED how readily you can come up with the characters to type by thinking about the story in your phrase. Here, I’ve created a visual of a suitcase, covered in zebra print with a 2013 sticker on it. Use a mental picture to keep you mindful of your magic phrase.
This is the real magic but takes practice to use properly. If you just add the website name to your phrase, anyone who hacks and gets the password or tricks you into revealing, it will understand your method. For example, “Iw2g2Ai2013norton” is pretty obvious.
I don’t know how people do this without password managers. When I’m logged in to Norton’s Identity Safe, it not only enters passwords for me but offers to save them at new websites I sign up for. It can store my shipping information and credit cards so online shopping becomes fast and easy. And with the data both encrypted locally and in the cloud, I can use my logins when I’m at a friend’s home as easily and securely as I do at home. Whether you choose the Norton password manager or another brand, they will make password management much, much easier.
Should be obvious but many people keep a list next to their computer. Or stored in their wallet. Just a bad, bad idea. If you must store them, password protect the device or the file to add another layer of security. Remember, if you get an email (spam) asking you to login to your account by clicking a link, it might be fake. Don’t do it. And never reply to a text with your account information and password. Go to the actual website on your own and access your account that way.
Notification is usually by email. Pay attention and double check the authenticity of the information on the company website.
Security software is MUCH, much more than just antivirus. And it’s increasingly necessary on mobile devices as hackers learn new ways to trick people on these devices.
Mobile devices are just small computers, capable of doing nearly everything including access our most sensitive and important online accounts. Often with just a swipe or a click of an icon, meaning if I have access to your phone or tablet, I may have easy access to all your accounts.