Using strong passwords and keeping your online self secure

Earlier today, eBay issued a press release letting users know that a cyberattack "compromised a database containing encrypted passwords and other non-financial data." Users will be asked to change their passwords just in case, though they noted that eBay "has seen no indication of increased fraudulent account activity." This is sadly just one of many attacks recently, and something that won't be going away anytime soon, if ever.
Attacks like this are nothing new; over the years plenty of big-name sites have fallen victim to similar cyberattacks. Retail chain Target has been all over the news lately, and there are also vulnerabilities like the recent Heartbleed bug that affected Google, Facebook, Yahoo and dozens of other sites.
As we go further and further, putting more and more of our personal information and lives online, it's even more important to keep that data safe. Your personal life (and data) is strewn out across the web in more places than you really know, so keeping what you can private and safe is more important now than ever before. At Mobile Nations we've always been big on security and keeping yourself protected online, but what are you really doing to make that happen?
Hack me once, shame on me
I was never big on passwords. In fact, the two passwords I used for everything were ones that were given to me by my original ISP nearly 20 years ago. I memorized them at the time and, since they were a random jumble of letters and numbers, didn't give much thought to using anything else for any site. These were my go-to passwords, one I used more than the other, but I never considered just how bad a practice this was until the day I almost lost my Gmail account.
A few years back I woke up to a slew of password verification notes from Google, and I instantly dove into a panic. I scrambled to log in to my account with no luck. After a few hours of work, I managed to reclaim my account. I noticed that all of my account info had been changed by the hacker, and that the spam messages sent from my account numbered in the hundreds. I then realized that if finding my password here was this easy, I was extremely lucky it hadn't been tried on the number of other sites that all shared the same password.
It was then that I started using a password manager and spent the next few days making sure my passwords were different across all of the sites I frequented. I only had to remember my master password, which I made so long it took me over a week to memorize. Since then I've had no issues with hacking and I've been sleeping soundly knowing that my online life is (mostly) safe.
Two-factor Authentication
Recently I've even taken things a step further by enabling two-factor authentication (or two-factor verification) where available. I use this now across all of my Google accounts as well as other services like Facebook, Twitter and Dropbox. Two-factor authentication adds an extra layer of security to your accounts, requiring you to enter a code provided either in an app (like Google Authenticator) or as a text message. This ensures that only you can get into the account, even if someone has your password.
Password Managers
The best bet for keeping your passwords secure, while also keeping them organized, is a good password manager. There are a few options available depending on your platform, but all are great choices and offer far more than writing all of your passwords down in a "safe place".
- LastPass (Android, iOS, BlackBerry, Windows Phone)
- 1Password (Android, iOS)
- Dashlane (Android, iOS)
- mSecure (Android, iOS)
- Roboform (Android, iOS)
Strong Passwords!
If you're not up to using two-factor authentication or a password manager, at least use a strong password. Mix up numbers, lowercase letters, capital letters and special characters. The longer the better. And never use the same password twice. If a hacker does track down your password, the last thing you want is for them to have access to all of your accounts just because you used the same password across the board. Steer clear of passwords like your kid's name, birthday, anniversary, "1234567" or the ever-popular "password". Apps like LastPass even offer a secure password generator so you don't have to do any thinking on the matter.
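The three rules above (mix character classes, make it long, never reuse) can each be checked in code. The Python below is an added example, not from the article or from LastPass: it generates a password from the OS random source, reports the entropy that length and alphabet size give, estimates how long exhausting that keyspace takes at an assumed guess rate, and scans a constructed sample vault for the reuse the article warns about. The guess rate and the sample vault are assumptions for illustration.

```python
import math
import secrets
import string

# Alphabet matching the article's advice: lowercase, uppercase, digits, symbols.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def has_mixed_classes(password: str) -> bool:
    """True when at least one lowercase, uppercase, digit and symbol is present."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SYMBOLS for c in password))


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from `alphabet` using the OS CSPRNG (the
    `secrets` module, never `random`). When the alphabet contains all four
    classes, retries until all four appear; the entropy lost is negligible."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover all classes")
    can_mix = has_mixed_classes(alphabet)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not can_mix or has_mixed_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Mixing classes helps only by enlarging the alphabet; length is the big lever."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case years to try every password of this shape at the given guess rate.
    The rate is an input: very high for an unsalted fast hash on GPUs, orders of
    magnitude lower for a deliberately slow password hash."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


def find_reused_passwords(vault: dict) -> dict:
    """Given {site: password}, return {password: [sites]} for every password used on
    more than one site: the 'same password across the board' the article warns about."""
    by_password: dict = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


# Constructed sample vault (made-up credentials) to exercise the reuse check.
SAMPLE_VAULT = {
    "auction-site.example": "correct horse battery",
    "mail.example": "correct horse battery",
    "bank.example": "Tq7!mZ2#vL9@pX4",
    "forum.example": "password",
    "social.example": "password",
}

if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"{entropy_bits(16, len(ALPHABET)):.1f} bits")
    print("12 random alphanumerics at an assumed 1e11 guesses/s:",
          f"{years_to_exhaust(12, 62, 1e11):.0f} years worst case")
    for reused, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"{reused!r} reused on {sites}")
```

The comparison between eight and twelve random characters at the same guess rate is the point to take away: four extra characters turn a keyspace that falls in minutes into one that takes centuries, which is why length matters more than any clever substitution.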
Are you using a password manager to cover your bases? What are some of your favorite tips for staying secure? Hit up the comments and let us know!
- Read more on keeping your online self secure
Getting his start writing about BlackBerry in 2008, Adam is the Editorial Director of High-Yield content at Future. Leading an outstanding team, he oversees many of the articles the publisher produces about subscriptions and services – VPN, TV streaming, and antivirus software. From buying guides and how to watch content, to deal news and in-depth reviews. Adam's work can be seen on numerous Future brands including TechRadar, Tom's Guide, T3, TTR, Android Central, iMore, and Real Homes.
-
Enpass Password Manager.
-
yup this one seems straightforward, no subscription fee, and easy to use
-
Yes. Enpass. +1520
-
Thank you
-
LastPass works amazingly
-
I was a doubter until I tried it, now I swear by it. The best part about LastPass is that it is on everything I use daily.
-
LastPass is awesome!☺
-
I use LastPass. I am also a subscriber for it. $12 a YEAR for really good service. I was a long-time user already, and recently got the subscription. For me, it's worth it. I'm on LastPass like every day.
-
Did this article have anything to do with me asking if wpcentral had ever written an article on security apps? ;) probably not. #eBay article
-
KeePass and 7Pass work together with Windows Phone and Windows 8.1.
-
Yes. This is a really good combo with onedrive
-
One more happy user of this combo!
-
Mee threeee
-
Do all variations of the LoveSecretSexGod tip still apply? =P
-
I mostly use two-way authentication and app password security in some apps like Tumblr and Facebook. I think, Adam, you should mention that too.
-
Password managers are great till it gets hacked...
Life of living on the grid
-
My thoughts exactly. Single point of failure is never good.
-
Most store data using encryption that never leaves your computer. So LastPass could get hacked all day long and the hacker wouldn't get anything useful from them as long as you've used a secure master password.
-
Use numbers but not by replacing E with 3 or things like that. Also, in case of MD5, you can check if it's already decrypted. For example 1q2w3e4r can be easily decrypted.
-
This is quite funny, I've just been switching to LastPass over the last few hours. Looks to be a great and very secure service for just a buck a month!
-
Tried LastPass... wasn't impressed. I've been using Password Padlock. It's available on WP and Win8. In addition, you can upload an encrypted file to your OneDrive with your password info, and download it, so it makes synchronizing the WP and Win8 apps easy. Also, it can create passwords for you, though it seems to only use 6 characters, so you have the option of adding to it.
-
But if you use a password manager and that gets hacked, doesn't the hacker have all your passwords then?
-
Yes, that's why I won't use one. It's safer just to write your passwords on a piece of paper and keep it in a safe place (like in a safe with your passport).
-
So you carry around your safe with you all the time? Makes sense.
-
No, I just refer to it if I forget a password. There's some sites I don't access that frequently.
-
I see your point, but how do you remember a unique (strong) password for each and every website / credit card / phone bill / blog / forum / computer login / etc.? The point behind a password keeper is to store each unique password in an encrypted file. This is because you should NEVER use the same password twice. For example, I have over 15 passwords just for my work place alone, and countless for my personal life. If I use the same password for all of them (or even most of them) I'm putting the entire works at risk of one successful hack. If each password is unique there would be no way I could ever remember them all, and although I do print out a list and keep it in my safe with my passport, this is useless to me when I'm away from home. Hence the password keeper. Would you rather one successful hack giving up the password that you use on 10 different sites, or the password used on only the site that was hacked? There is no such thing as secure, period. All you can do is minimize the security threat. A password keeper is one way to do this. Create a very strong master password that only you would know and can remember. Don't use your master password anywhere else, and then lock the rest of your UNIQUE passwords in a password keeper. This way if one of your passwords is found out by someone hacking an online database, they can't open up your entire life. Since you only keep your master password in your head (with a backup copy in a safe if you're the forgetful type), no one can hack your master password.
-
That's why I first used hashapass.com and later created the hashapass app for Windows Phone. It generates, but does not store, a strong password based on a parameter and a master password. All you need to remember is a parameter (e.g. the name of the system/service) and the master password. Given those, hashapass generates a password for you. Works for me.
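The derive-don't-store design the commenter describes, as an added example that is not hashapass's own code or exact algorithm: a keyed hash (HMAC-SHA256 here) of the parameter under the master password, base64-encoded and cut to length. The version field is an assumption added here so that a single site's password can be rotated after that site is breached without changing the master password; the inputs in the demo are constructed.

```python
import base64
import hashlib
import hmac


def derive_site_password(master_password: str, parameter: str,
                         length: int = 12, version: int = 1) -> str:
    """Stateless site password: HMAC-SHA256 keyed with the master password over the
    parameter (e.g. the service name) plus a version number, base64-encoded and cut
    to `length` characters. Nothing is stored anywhere; the same two inputs always
    give the same password, and without the master password the output cannot be
    predicted from the parameter. Bumping `version` (an addition in this example)
    rotates one site's password while every other derived password stays the same."""
    if not 8 <= length <= 43:
        raise ValueError("length must be between 8 and 43 base64 characters")
    # Normalise the parameter so "Mail.example " and "mail.example" agree.
    message = f"{parameter.strip().lower()}\x00v{version}".encode("utf-8")
    tag = hmac.new(master_password.encode("utf-8"), message, hashlib.sha256).digest()
    return base64.b64encode(tag).decode("ascii")[:length]


if __name__ == "__main__":
    # Constructed inputs, not a real master password.
    master = "correct horse battery staple"
    for site in ("auction-site.example", "mail.example"):
        print(site, derive_site_password(master, site))
    print("mail.example after rotation:", derive_site_password(master, "mail.example", version=2))
```

The trade-offs are the mirror image of a vault: there is no encrypted file to steal, but a leaked master password exposes every derived password at once, and because the output uses only the base64 alphabet some sites' complexity rules will reject it unless characters are added, as the commenter does with another product above.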
-
I use LastPass and have two-factor authentication activated. Without my phone, no one can get in. Allegedly.
-
The big word here is "if". Yes IF it gets hacked, and "if" they could decrypt your database file, they would have all of your passwords. But it is more likely they would hack some other website to get your password, then use that password to unlock the other sites you used the same password on. Which option is more likely to betray you? Well, let's see... If you use the same password on one site that gets hacked, and on... your bank account for example, the hacker now has access to your bank account without having to hack the much higher security bank. It's hard to explain using text alone. All I can tell you is there is no perfect solution, all you can do is reduce the chances of some random site leaking a password that gives the hacker access to the rest of your life. The best way to do this is to not use the same password more than once... ever. If you follow this advice, you'll quickly realize that you have hundreds of unique passwords, and you'll need a way to keep track of them all. Hence a password manager. Used correctly, a password manager is quite secure. Certainly more secure than some random website you gave your password to.
-
I've been using Roboform for years and it works great. And even though this article says it's only Android and iOS, there is a WP app also.
-
Having the strongest passwords possible won't protect you from what happened with eBay - the hackers just downloaded the whole list. The best protection is changing your passwords more often.
-
It's not entirely true. The hackers have the encrypted password list. Your password strength (or more specifically, your password length) will help determine whether or not your password can be retrieved from that.
-
Longer, more random passwords are much harder to crack. Most password discovery is done by utilizing word and leaked password lists, and combinations thereof. The longer and more random your password the better, because if a password is truly random the only way to crack it is brute force -- no password list is going to be effective. 12 characters of truly random characters like KBn1ZNukij7o is effectively impossible to crack, as brute forcing (even on the fastest computers) would take millions or billions of years. Changing passwords frequently basically does nothing for security unless hackers are using an old leaked password database (which they don't). Most security experts are recommending that sites NOT enforce frequent changes these days because it just causes people to use passwords which are easier to remember, and are therefore inherently insecure. Learning to remember KBn1ZNukij7o as your password one time is far more secure than using MyPassword01, MyPassword02, MyPassword03, etc. no matter how often you are forced to change that password. The only cases where changing a password helps is when users have shared passwords with others, or a database has leaked. Otherwise it's actually a bad idea to ask users to change their passwords since it encourages people to create passwords which are predictable. The only things that matter with passwords are length and randomness. Read these articles for a little more insight... http://arstechnica.com/business/2011/10/when-passwords-attack-the-proble... http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-ou...
-
^920 this, makes a lot of sense. has anyone mentioned passpack.com? it's great.
-
LastPass all the way. Added a YubiKey and I'm super secure now. Last I checked, the security rating test that LastPass can perform on your account had me in the 97th percentile. LastPass is a great tool.
-
I use LastPass, too, with the authenticator app. It's kind of quirky sometimes, but works for me (I don't use the Metro version of IE). And for $10 a year, the price isn't bad, so I pay it so I can use the mobile app.
-
I wish Lastpass would just integrate with IE11 Desktop and Metro version. Makes my life across devices secure and hassle free.
-
Trouble with that (and I can see why you would want it) is that it's a plugin. Plugins = bad. No more Flash. No more Silverlight. No more ActiveX. No more Java VM. They must all die, and the web must be clean and beautiful and HTML5 only. We will never have a fast-loading web agnostic across devices without that. Metro IE is beautiful, and I am using it to type this. It's free of any cr*p round the screen. It's fast, and so far more reliable than IE desktop or Chrome (I can kill Chrome with only 8 to 9 *cough* webcams open ;) and you all know what I mean). Viva la plugin-free web.
-
I don't want it as a plugin. I meant Lastpass be bought and just become a functionality of IE itself. (Integrate with IE completely). I don't mind losing the Lastpass name, as long as I have the same service then I'm happy.
-
Well the alternative is remembering passwords yourself. You shouldn't ever trust the password storage features of browsers. It's trivial to get past it in every browser today. (That's why new browser installers and password manager plugins can import the passwords you've stored in your browsers.) I have a lot more faith in the plugins. At least they're using industry standard encryption technologies.
-
Why use an App over a note/memo in your phone? Assuming your phone is locked and safe. Seems safer, TBH.
-
I do this, great minds think alike!
-
Yeah I do this for certain accounts. But adding an extra layer by encrypting it which I decipher using my mind. Not the most secure but better than having it out in the cloud.
-
And what law makes a password manager totally safe and unhackable...?
-
I'm pretty happy with LastPass. Signed up last fall after Dan showed me how awesome it was on our flight to Abu Dhabi.
-
1Password works fine on my Windows Phone and on my Windows desktop.
-
1Password works fine for me on Win 8.1, WP8.1, iOS 7, and OS X.
-
Two-factor authentication adds an extra layer of security to your accounts, requiring you to enter a code provided either in an app (like Google Authenticator) or as a text message. There is also a native WP8 app in the store that works with the services listed as well.
-
Microsoft's Authenticator actually works with your Google account.
-
The sad part is now that we have all these apps on our phones, it's an absolute PITA to type a reasonably secure password.
-
Some things that I do are replace the letter s with $, H with #, o with 0, a with @, and other things. Also, like always mentioned, capital letters and numbers in the mix.
-
They are already on to this. Read an article on Ars Technica where they showed how easily a dictionary attack can break through these kinds of tricks. If the stolen database is only hashed with MD5 they can try millions if not billions of passwords, including such letter swaps, in a few hours.
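The reason letter swaps like $ for s and 0 for o add so little is that cracking tools undo them with a handful of rules before each dictionary lookup. The same normalisation can be run defensively at sign-up to reject a dictionary word in disguise. The Python below is an added example, not from the thread or from any cracking tool: the substitution table is a small constructed one and the wordlist is a constructed stand-in for the multi-million-entry lists real tools use.

```python
import itertools
import string

# Substitutions that rule-based attacks routinely undo. A symbol may map back to
# more than one letter ('1' is used for both 'i' and 'l').
LEET_ALTERNATIVES = {
    "$": "s", "5": "s", "#": "h", "0": "o", "@": "a", "4": "a",
    "3": "e", "1": "il", "!": "i", "|": "l", "7": "t", "+": "t",
}
DECORATION = string.digits + string.punctuation

# Constructed tiny wordlist standing in for the huge lists real tools use.
WORDLIST = {"shout", "password", "letmein", "summer", "welcome", "dragon", "monkey"}


def leet_variants(password: str, limit: int = 512):
    """Yield the password with each substituted character either kept or mapped
    back to one of its letters, capped at `limit` variants to bound the work."""
    choices = []
    for c in password.lower():
        alternatives = LEET_ALTERNATIVES.get(c, "")
        choices.append(tuple(dict.fromkeys(c + alternatives)))  # original first, deduped
    for count, combo in enumerate(itertools.product(*choices)):
        if count >= limit:
            return
        yield "".join(combo)


def is_disguised_dictionary_word(password: str, wordlist=WORDLIST) -> bool:
    """True if the password is a wordlist entry hidden behind substitutions and/or
    leading/trailing digits and punctuation ('$#0ut', 'P@ssw0rd1', 'Summer2014!').
    A registration form can use this to refuse such passwords."""
    for variant in leet_variants(password):
        if variant in wordlist or variant.strip(DECORATION) in wordlist:
            return True
    return False


if __name__ == "__main__":
    for candidate in ("$#0ut", "P@ssw0rd1", "l3tm31n", "Summer2014!", "Tq7!mZ2#vL9@pX4"):
        print(f"{candidate:18} disguised dictionary word: {is_disguised_dictionary_word(candidate)}")
```

The check is deliberately cheap: a few hundred variants per password, which is the same economics that make the trick worthless against an attacker, who pays the same few hundred extra guesses per dictionary word.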
-
If you use a common word like shout ($#0ut) then yes it could be easy to break. But if you use multiple random words with capital letters, special symbols, numbers, lower case letters then it won't be so easy for them to guess.
-
The advice I give to people is to take a word they find easy to remember, replace the vowels with numbers and add two symbols which they find easy to remember and insert them into a pattern. Then take another symbol also which they find easy to remember and place that at the beginning, middle and end of the word. Write this down, memorize it and once confident it's memorized, shred the paper with other rubbish.
Personally I use capital letters and spaces as well in a mixture, unfortunately though some websites don't accept symbols, spaces or capital letters.
-
http://www.wired.co.uk/news/archive/2013-05/28/password-cracking and now, they can add your method to their heuristics.
-
Awww crap lol. Edit: thanks for the link... I guess I need to come up with something else now T_T and will keep that to myself.
-
That methodology is too easy to crack these days. http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-ou... This story ought to scare you into a new way of generating passwords... like using a utility to generate truly random passwords. Even when you think you're being clever, hackers have probably already thought of the same thing.
-
Should we be worried if apps sync our password data with SkyDrive? What if the information is intercepted while syncing with any online drive? Also, isn't it pretty much a "trust us" sort of thing with the devs that these apps do not have a back door into our info?
-
It is a shame Microsoft doesn't allow Passwords with more than 15 letters...
-
Didn't they remove that limitation a while back?
-
Not for Microsoft accounts or Office 365
-
Lastpass for me
-
Remarkable that there are so many LastPass advocates when LastPass was among the most prominent sites affected by Heartbleed. Changing strong passwords periodically, as previously mentioned, is the best strategy.
-
Where did you get that information? LastPass data is encrypted in such a way that not even they can decrypt it -- they don't have access to the decryption key. Everything is decrypted locally using a key that is based on your username and master password. Since they don't ever store (or even transmit) your master password, even they don't ever have a way to decrypt the data. HeartBleed would have had no effect on your data with them whatsoever. So even though they did use a vulnerable version of OpenSSL, anything that might have leaked would be completely useless. It would just be random garbage to anyone without your username and master password, assuming of course that enough of that data had been seized, recognized, and pieced together in the first place before attempting decryption. To the contrary, they have been one of the more proactive sites about finding and notifying of HeartBleed issues. They've even set up a site (https://lastpass.com/heartbleed/) to help you know if your password needs to be changed based on the HeartBleed aftermath. They made a pretty comprehensive post on their blog about it... http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html
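The property this comment (and the earlier one about encryption that never leaves your computer) relies on is that the vault key is derived on the client from the master password and username, and the server only ever sees ciphertext plus a one-way login token. The Python below is an added example of that pattern, not LastPass's code or parameters: it uses PBKDF2 for the key and, because the standard library has no AES, an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC as a stand-in for the AES scheme a real manager uses. The iteration count and the demo credentials are assumptions.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000   # assumed iteration count for illustration


def derive_vault_key(master_password: str, username: str) -> bytes:
    """Client-side only: the key that encrypts the vault, derived from the master
    password with the normalised username as salt so two users who pick the same
    master password still get different keys. It never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               username.strip().lower().encode("utf-8"),
                               PBKDF2_ROUNDS, dklen=32)


def login_token(vault_key: bytes) -> bytes:
    """What the client sends to log in: a one-way function of the vault key. The
    server can check it (and should hash it again with its own salt before storing
    it) but cannot invert it, so a stolen server database yields ciphertext plus
    tokens that only support offline guessing of the master password, each guess
    costing the full PBKDF2 work."""
    return hashlib.sha256(b"login|" + vault_key).digest()


def _subkeys(vault_key: bytes):
    """Separate encryption and authentication keys derived from the vault key."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF (stand-in for AES-CTR)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Only this blob is synced to the
    server; without the vault key it is indistinguishable from random bytes."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a wrong master password (wrong key) or any
    tampering with the synced blob is rejected instead of yielding garbage."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    # Constructed credentials for the demo, not real ones.
    key = derive_vault_key("correct horse battery staple", "user@example.com")
    blob = encrypt_vault(key, b"auction-site.example: Tq7!mZ2#vL9@pX4")
    print("synced blob (hex):", blob.hex()[:40], "...")
    print("login token (hex):", login_token(key).hex()[:16], "...")
    print("decrypted locally:", decrypt_vault(key, blob))
```

In production the stream cipher and MAC would be replaced by an AEAD such as AES-GCM from a vetted library; the part worth copying is the split between the vault key, which stays on the device, and the login token, which is all the server ever holds.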
-
I started using LastPass a few weeks ago, and I like it well enough. One thing I don't understand is that it is free via the web and Windows 8 App, but they charge for the Windows Phone App, which is much less functional. I don't get that at all.
-
Roboform has a Windows phone app too
-
Easy password
-
I use both LastPass and two factor authentication for my security needs.
-
lastpass needs to add its autofill support on WP8.1 and win 8.1 apps
-
Mindspring password from 20 years ago?
-
Does Microsoft have two step verification with just using cell phone and not the long digit password?
-
Using both LastPass and two-factor authentication on every site that supports it (including sites that I build).
-
Lastpass ftw
-
I copy and paste from LastPass on my WP. I can't even tell you what the majority of my passwords are, as LastPass auto-generated them for me.
-
RoboForm is available on a lot more than you list lol
I used to use it and loved the 'to go' feature (USB key).
I switched to LastPass because at the time RoboForm lacked a Windows Phone / modern app, and I can't be arsed to switch back now they do.
So, that makes it x86, modern, Windows Phone, Android, iOS just off the top of my head.
-
What good are strong passwords if businesses keep leaving the back door unlocked so hackers can swoop in and steal the databases. Back when, guessing passwords was an art. Now it's easier to just lift the whole file. Less work, better return. This can only be solved with bullets. You know what they did to horse thieves in the wild, wild west. We need some of that to stop this thievery.
-
LastPass is the big kahuna and very secure. LastPass Enterprise is even better, with real SSO, shared folders of sites to share across teams of users within the same company or even with external groups, and SAML capabilities for integrating with cloud services like Office 365, Salesforce, Dropbox, Box, etc. Additionally, it has extremely granular policy-based controls for true administration across every browser, every PC, every Mac, and every mobile device. Finally, it can integrate with Active Directory, so disabling a user means automatically blocking access to every single site, product, etc. across all computers and mobile devices. It's an admin's dream, really. This is not to speak of the secure note capabilities, credit card storage, and work/business/other profiles that can fill forms including those credit card numbers. Try it out, you won't be disappointed. I've used the personal product for many years and the company I own now deploys the enterprise product across our client base. It's good for you, America! :-)
-
Even on Windows Phone?
-
Yes, even on Windows Phone. ;-)