Taking Back Control — A Guide on Handling Online Credentials
In today’s digital age, credentials (emails, login IDs and passwords) are essential and used daily. With so much of our personal, financial and other information stored online, it is worth stepping back to re-evaluate how we maintain these login details.
In research conducted by NordPass, it was discovered that the most common passwords used across the globe are still as simple as “password”, “123456”, “qwerty”, “iloveyou” and so on…
Using such passwords jeopardizes your digital security and invites trouble the moment someone decides to attack. The question “Why me?” might come to mind, but most attacks are automated and indiscriminate: nobody picked you, a script picked everyone. Using the same password for all your accounts makes it even easier, because a password leaked from one site is replayed against every other site where it might work (credential stuffing). Hackers (unethical ones, that is) use a variety of methods to obtain passwords, including phishing (tricking you into entering details on a fake site), keylogging (recording all keystrokes) and brute force attacks (testing all possible combinations). Once they have your password, they can access your accounts, steal your data and even commit identity theft.
Easily guessable passwords with little variation cause many problems, and even a long, complex password does not end your troubles: it will not help if you hand it over on a fake page or have it stolen by malware. It does, however, defeat the simplest attack of all, brute force, and here is why…
Maths Behind Passwords
Note: If you are uncomfortable with calculations, you may skip this section; glance through the numbers in its last paragraph to get a rough idea before moving on. Alternatively, you can watch this video on Khan Academy.
Most sites allow two broad classes of characters, alphanumeric characters and special characters (symbols), which break down into four types:
- Lowercase letters (a to z)
- Uppercase letters (A to Z)
- Numeric digits (0 to 9)
- Special characters (!, #, $, %, @, _, etc.)
Note: Many sites restrict passwords to printable ASCII characters, so accented letters, emoji or ₹ are often rejected.
Most websites state the minimum (and sometimes maximum) password length and require at least one character from each of the four types above, e.g. “Your password must contain 8–16 characters and have each of the following: 1 lowercase letter, 1 uppercase letter, 2 numbers and 1 special symbol”. Some even have a strength indicator, which shows the overall strength of the password.
Simple is not Better
We will use a little grade-school combinatorics to understand why drawing on all four types, and adding length, helps keep your data safe.
Let’s consider a password of length 6, a minimum that many sites still accept (current guidance such as NIST SP 800-63B recommends at least 8). There are 6 spaces to place characters:
_ _ _ _ _ _
In each of these 6 spaces we can put any character from the types above. Let us start with the biggest no-no passwords, all-numeric or all-alphabetic ones. There are 10 digits (0–9) and 26 letters of each case (A–Z or a–z).
For an all-numeric password of length 6, the number of possible strings using these 10 digits, with repetition, is 10⁶; listed out they look like:
0 0 0 0 0 0
0 0 0 0 0 1
0 0 0 0 0 2
…
0 9 9 9 9 9
1 0 0 0 0 0
1 0 0 0 0 1
…
…
9 9 9 9 9 9
Note: A simple way of calculating is (number of options for first block) × (no. of options for 2nd block) × … × (no. of options for last block), which in this case is 10 × 10 × 10 × 10 × 10 × 10 = 10 ⁶
Regardless of which numbers you choose, an attacker with a brute force tool (software that tries every combination until one matches) will crack such a password easily. This is especially true offline, when the attacker has obtained a leaked copy of a site’s hashed passwords and can test guesses on their own hardware: 10⁶, i.e. one million, guesses against a fast hash take a fraction of a second, since modern hardware can compute billions of hashes per second. (Against a live login form the site’s rate limits slow things down, as discussed under The Opposition.)
Using letters of one case only (upper or lower) increases this to 26⁶, about 309 million, which sounds large but is still seconds of work for a computer. The same list would look like:
a a a a a a
a a a a a b
…
b b b b b b
…
…
z z z z z y
z z z z z z
Upping the Ante
Now let’s involve more than one type of input. Using lowercase and uppercase letters together increases the number to 52⁶, as we have 52 different choices for each of the 6 places.
Note: Adding just one character makes the password 52 times as hard to crack (52 × 52⁶ = 52⁷): every extra character multiplies the keyspace by the size of the alphabet.
Making it alphanumeric turns the heat up a notch, increasing the choices per place to 62 (52 + 10). A 6-character alphanumeric password requires parsing 62⁶, about 5.7 × 10¹⁰, possibilities.
Enter special characters…
What makes these characters so special (don’t quote me on this) is that they make the password so much harder to guess. Most websites allow a specific set of special characters (listed when you create your account or change the password), but the rule of thumb is that any symbol on a standard US keyboard layout is fair game (sorry, rupee symbol ₹). Remember: which symbol you use doesn’t matter; the length of the password and the size of the alphabet it is drawn from do.
Adding just 10 symbols to the set of possible inputs raises the count to 72⁶, and 10 more to 82⁶. Increasing the length of such a password to 8 makes it 82⁸, and stretching it to 10 makes it 82¹⁰, i.e. about 1.4 × 10¹⁹ (13,744,803,133,596,058,624) possibilities for a brute force attacker to work through.
In summary, a 10-character password containing numbers, letters and symbols has a keyspace about 14 trillion times (82¹⁰ / 10⁶ ≈ 1.4 × 10¹³) larger than a 6-character password containing only numbers. This arithmetic assumes the password is chosen at random from the whole alphabet; a password built from words or personal details occupies a far smaller, more predictable part of that space, which is the subject of the next section.
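Here is the arithmetic above carried through in code. This is an added example written for this guide, not part of the original article: `keyspace` implements the (options per slot) product, `entropy_bits` converts it to the bit count people usually quote, `min_length_for_bits` answers the practical question of how long a password from a given alphabet must be, and `report` turns it all into years-to-exhaust under three assumed attacker positions. The guess rates in `RATES` and the 20-symbol set are assumptions for illustration, not measurements.

```python
# Added example for this guide (not code from the original article): the
# keyspace arithmetic generalised to any alphabet size and length, with
# time-to-exhaust estimates. RATES are assumptions, not measurements.
import math

# Alphabet sizes used in the article.
DIGITS, LOWER, UPPER, SYMBOLS_20 = 10, 26, 26, 20
ALPHANUMERIC = LOWER + UPPER + DIGITS       # 62
FULL_82 = ALPHANUMERIC + SYMBOLS_20         # the article's 82-symbol alphabet

# Assumed guess rates (guesses per second) for three attacker positions.
RATES = {
    "online, throttled login form": 10,
    "offline, fast hash on a GPU": 10 ** 10,
    "offline, slow KDF (bcrypt/Argon2)": 10 ** 4,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Strings of `length` drawn with repetition from `alphabet_size` symbols:
    (options for slot 1) x (options for slot 2) x ... = size ** length."""
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet size and length must be positive")
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace. Only meaningful for a password picked uniformly at
    random from the alphabet; a word-based password has far fewer bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: every password tried once. On average the
    right one turns up after half the keyspace."""
    return keyspace(alphabet_size, length) / guesses_per_second


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest length from this alphabet whose keyspace reaches 2 ** target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def report(alphabet_size: int, length: int) -> dict:
    """Keyspace, bits, and years-to-exhaust under each assumed attacker rate."""
    out = {"keyspace": keyspace(alphabet_size, length),
           "bits": round(entropy_bits(alphabet_size, length), 1)}
    for name, rate in RATES.items():
        out[name] = seconds_to_exhaust(alphabet_size, length, rate) / (365 * 86400)
    return out


if __name__ == "__main__":
    cases = [("6 digits", DIGITS, 6),
             ("6 lowercase letters", LOWER, 6),
             ("6 alphanumeric", ALPHANUMERIC, 6),
             ("10 chars from 82 symbols", FULL_82, 10)]
    for label, size, length in cases:
        r = report(size, length)
        print(f"{label:26} keyspace={r['keyspace']:.3e}  bits={r['bits']}")
        for name in RATES:
            print(f"    {name:36} {r[name]:.2e} years")
    print("alphanumeric length needed for 80 bits:", min_length_for_bits(ALPHANUMERIC, 80))
```

The three rates make the point the prose only hints at: the same 6-digit password that survives years against a throttled login form lasts well under a second against a leaked fast hash, and the slow KDF used by good sites buys back a factor of a million.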
Creating Passwords
Your name is John Doe. You were born in the summer of ’69, your mother’s name is Martha, and your father loves to shout at you… The first idea to come to your mind for a strong password might be “JD1969Martha!!!”. The math checks out for a random 15-character string, but this one is not random: it is your initials, your birth year and your mother’s name with a flourish. Anyone holding your billing data, bank details or social media profile has these facts, and an attacker who knows them tries combinations of them first. That is also why security questions are meant to ask for things that are not recorded anywhere, which is becoming increasingly difficult in the era of social media.
Regardless, your passwords should not be constructed from any personal data, however obscure it might seem. The chance of being targeted that way may be small, but why it matters will become clearer when we look at how accounts are actually broken into…
Then how do you create passwords which satisfy the security constraints as well as contain no information about you? One option would be a password generator — a tool that randomly generates passwords based on the criteria you define. Some examples would be Norton Password Generator or Bitwarden Password Generator.
Almost every password-managing software will have its password generator available for free online. Their password generator pages simply act as a sneak peek into the real deal — the managers. We will talk about Bitwarden’s soon…
These passwords should be unique for every account you own. Never reuse a password across accounts: a leak from one site will be replayed against every other site where that password works, so one compromise becomes many. Given that most of us have accounts on hundreds of sites, it is simply not possible to remember a unique password for each. This is where a password manager comes in…
Managing Credentials
Password Manager Software
A password manager is a tool that securely stores all your credentials in one place. Most have an in-built password generator and can automatically fill in these stored passwords when you log in to your accounts.
Note: Some managers can fill or submit credentials automatically as soon as a login page loads. Keep that setting off: a page you did not intend to log in to, or a page compromised by an injection flaw, could then receive your credentials without any action on your part.
Password managers are protected by a master password, which is the single point of entry for most of them. Some offer recovery options (an emergency contact, a recovery code) in case you lose it; where none exist, losing the master password means losing the vault, so keep a copy somewhere only you can reach, preferably offline. The master password protects everything else, so it should be the longest, most random password you own and must never be reused anywhere.
These tools encrypt the vault on your device with a key derived from the master password before anything is synced, so the provider holds only ciphertext and cannot read it, nor can its employees. Even if the provider is breached, the attacker gets an encrypted vault and must guess the master password offline, a job made expensive by the slow key-derivation function (PBKDF2 or Argon2 in current managers) and by a strong master password. It is not impossible, only as hard as your master password makes it.
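To see what “encrypted vault” really means, here is an added example (not Bitwarden’s, Dashlane’s or any other vendor’s code) of the mechanism: the vault key is derived on the client from the master password with a slow KDF, the service keeps only a salt, the KDF parameters and a verifier, and an attacker who steals that record has to run the KDF once per guess. The 600,000 iteration count, the verifier label and the wordlist are assumptions chosen for the demo.

```python
# Added example for this guide (not any password manager's own code): master
# password -> slow KDF -> vault key, what the service stores, and what an
# attacker with a stolen record can do with it. Iteration count, verifier
# label and wordlist are assumptions for illustration.
import hashlib
import hmac
import os

VERIFIER_LABEL = b"vault-key-verifier"   # constructed label; real products differ


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, deliberately slow so every guess costs the attacker
    the same work it costs the legitimate client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def enrol(master_password: str, iterations: int = 600_000) -> dict:
    """What the service ends up storing: a random salt, the KDF parameters and a
    verifier derived from the key. The key and the master password stay on the
    client. (Real managers also store the vault ciphertext, which is just as
    useless without the key as the verifier is.)"""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(record: dict, candidate: str) -> bool:
    """Re-derive the key from a candidate password and compare verifiers in
    constant time. This is the only way to test a guess, online or offline."""
    key = derive_vault_key(candidate, record["salt"], record["iterations"])
    probe = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return hmac.compare_digest(probe, record["verifier"])


def offline_crack(record: dict, wordlist) -> tuple:
    """The attacker's view after a breach: they hold `record` and run the KDF
    once per candidate. Returns (recovered password or None, guesses made).
    Cost scales linearly with both the wordlist size and the iteration count."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if unlock(record, candidate):
            return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    import time
    # Constructed wordlist: the kind of list an attacker tries first.
    common = ["123456", "password", "qwerty", "iloveyou", "Summer2019!",
              "correct horse battery staple"]
    # Constructed master passwords: a common one at two work factors, then a random one.
    for master, iters in [("iloveyou", 1_000), ("iloveyou", 600_000), ("9vQ!tL2m#xP8wE4r", 600_000)]:
        rec = enrol(master, iters)
        t0 = time.perf_counter()
        found, n = offline_crack(rec, common)
        print(f"iterations={iters:>7} master={master!r:20} found={found!r} "
              f"after {n} guesses in {time.perf_counter() - t0:.2f}s")
```

Run it and compare the timings: with 600,000 iterations each guess costs a noticeable fraction of a second even on the legitimate client’s hardware, so a master password that is on no wordlist turns the breach into a dead end, while one that is on a wordlist falls regardless of the iteration count.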
Two commonly used password managers are Bitwarden (open source) and Dashlane (proprietary). Both are freemium (free + premium), i.e. they offer a free version and additional features at a price. Others like 1Password, Norton and NordPass (proprietary), and KeePass, Padloc and Passbolt (open source) also exist.
Bitwarden is open-source software with standalone apps for mobile and desktop as well as browser extensions for most popular browsers. It offers a password generator, import, auto-fill and the other security features discussed here. The premium version adds two-step login with a hardware security key, vault health reports and priority customer support.
Dashlane has the features Bitwarden has, and its premium model adds emergency access in case of master password loss, a built-in VPN (for safer browsing on untrusted networks) and dark web monitoring (to detect and warn about leaked passwords). You can find the detailed comparison here. The gap between the two has widened and closed over the years and will continue to do so…
Bitwarden is generally considered easier to set up and customise and offers better data integration and wider compatibility. Its code is open to all, which makes it more transparent. It can be self-hosted and even comes with a CLI (command-line interface, in pro-people terms). It has been audited by third parties and holds several compliance certifications. This makes it the best option for a free password manager.
Browser Built-In Password Manager
Most browsers offer to save your passwords and sync them across devices via an account, e.g. Chrome uses your Google account, Edge your Microsoft account and Firefox your Mozilla account. The storage itself is reasonably secure, as their parent organisations claim, but the sync account becomes a single point of failure: if it is protected only by a password and someone gets hold of that password, they get all your Chrome data, history and saved passwords included.
Note: It is good practice to log out of sessions and clear history and cookies from time to time. Letting the browser remember passwords is not a good idea; let the password manager take care of that.
Offline Password Storage
Storing passwords in online storage (a notes app that syncs to the cloud, a document in an online drive) is a bad idea for the same reasons as the browser, and the storage account itself needs credentials that you must then protect. A lot of folks, including many of the elderly, prefer writing passwords down the good old-fashioned way, on paper. That is less bad than reusing one password everywhere, but prying eyes are always a risk, so keep the paper somewhere locked and never next to the device. An alternative is a note-taking app that keeps its data only on the device, ideally encrypted.
Note: If the other options leave you unsure, a password manager is the best tool for storing passwords. Going further means a hardware security key for sign-in, which has its own disadvantages for the common folk (cost, and the need to keep a backup key).
Beyond Passwords
“The dark side of the Force is a pathway to many abilities some consider to be unnatural.”
While security measures improve, the ways to counter them evolve too. Think of viruses adapting to the medicines you have: after a while, the same medicines might not work on them. This pushes us to have extra checks in place so that the password is not the last line of defence and there is a plan B…
Enter two-factor authentication (2FA), a second layer of verification on top of your password. It ranges from a one-time password (OTP) sent by call or text message to your registered phone number, the weakest form because phone numbers can be hijacked (SIM swapping) and messages intercepted, up to a hardware security key, a small USB or NFC device that proves possession and, because it is tied to the site it was registered with, cannot be fooled by a fake login page. Most sites have multi-factor authentication (MFA) options in their security settings; you just need to enable the relevant option(s). Register more than one method, and keep the backup codes, so that losing one device does not lock you out.
One of the most popular options is an authenticator app. At enrolment the site and the app share a secret (usually via a QR code); from then on the app computes a six-digit code from that secret and the current time, typically a new one every 30 seconds (TOTP). Entering the current code proves you hold the device. This makes the attacker’s job harder, as they now need both your password and the device running the authenticator.
Note: Attackers do try to obtain OTPs and 2FA codes, by asking for them over the phone or by relaying them in real time from a fake login page to the real one. Codes are a big improvement but not foolproof; only methods bound to the genuine site, such as security keys and passkeys, resist that relay, so stay careful…
Other methods include biometrics (fingerprint, facial recognition) and push notifications (approving a prompt on a device, or scanning a QR code with an app that is already logged in). Many sites have made MFA mandatory and some offer perks if you use it.
You should also change a password promptly whenever there is reason to think it has leaked, e.g. a breach notification for that site. Changing it before the leak is exploited is what saves the account. Current guidance (NIST SP 800-63B) no longer recommends changing passwords on a fixed schedule, because forced rotation pushes people towards predictable patterns such as incrementing a number at the end; a strong, unique password can stay until there is evidence of compromise. Password managers help here: they show how old each password is and, in many cases, warn when one turns up in a known breach. Automatic credential rotation is also implemented internally within many applications for the secrets they hold.
The Opposition
Modern websites rarely allow unlimited sign-in attempts. After a few failures they notify the account owner, enter a cooldown period, present a robot check, or apply some other control. That shifts the attacker’s effort from guessing at the login form to other routes, so it is paramount to be digitally literate and know the ways you might be compromised. Here are a few (known) ways hackers get into your digital world…
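What that cooldown looks like on the server, as an added example (not from the original article): a login throttle with per-account and per-source-address failure counts, an exponentially growing lockout, and an injectable clock so it can be exercised without waiting. The thresholds (5 failures, 30-second base cooldown, one-hour cap) and the user table are assumptions for the demo.

```python
# Added example for this guide (not from the original article): a server-side
# login throttle. Thresholds, cooldowns and the sample user table are
# assumptions chosen for the demo.
import time


class LoginThrottle:
    """Per-account and per-source-address failure counting with an
    exponentially growing lockout. `clock` is injectable so the behaviour can
    be tested offline without sleeping."""

    def __init__(self, max_failures: int = 5, base_cooldown: float = 30.0,
                 max_cooldown: float = 3600.0, clock=time.time):
        self.max_failures = max_failures
        self.base_cooldown = base_cooldown
        self.max_cooldown = max_cooldown
        self.clock = clock
        self._state = {}      # key -> {"failures", "locked_until", "lockouts"}
        self.events = []      # what a real service would turn into owner notifications

    def _entry(self, key):
        return self._state.setdefault(key, {"failures": 0, "locked_until": 0.0, "lockouts": 0})

    def retry_after(self, account: str, source_ip: str) -> float:
        """Seconds until the next attempt is allowed; 0 if allowed now."""
        now = self.clock()
        waits = [self._entry(("acct", account))["locked_until"] - now,
                 self._entry(("ip", source_ip))["locked_until"] - now]
        return max(0.0, *waits)

    def record(self, account: str, source_ip: str, success: bool) -> None:
        if success:
            self._entry(("acct", account))["failures"] = 0   # the IP counter keeps counting
            return
        for key in (("acct", account), ("ip", source_ip)):
            e = self._entry(key)
            e["failures"] += 1
            if e["failures"] >= self.max_failures:
                e["lockouts"] += 1
                cooldown = min(self.base_cooldown * 2 ** (e["lockouts"] - 1), self.max_cooldown)
                e["locked_until"] = self.clock() + cooldown
                e["failures"] = 0
                self.events.append(("lockout", key, cooldown))


def attempt_login(throttle: LoginThrottle, account: str, source_ip: str,
                  password: str, check_password) -> tuple:
    """Gate one attempt. Returns (outcome, seconds_to_wait). The password is not
    even checked while a lockout is active, so a locked-out attacker learns nothing."""
    wait = throttle.retry_after(account, source_ip)
    if wait > 0:
        return "locked", wait
    ok = bool(check_password(account, password))
    throttle.record(account, source_ip, ok)
    return ("ok" if ok else "bad_password"), 0.0


if __name__ == "__main__":
    # Constructed user table and a fake clock so the demo runs instantly.
    users = {"alice": "correct horse battery staple"}
    check = lambda account, password: users.get(account) == password
    fake_now = [1_000.0]
    th = LoginThrottle(clock=lambda: fake_now[0])
    for i in range(6):
        print(i + 1, attempt_login(th, "alice", "203.0.113.7", "wrong", check))
    fake_now[0] += 31
    print("after cooldown:", attempt_login(th, "alice", "203.0.113.7", users["alice"], check))
    print("events:", th.events)
```

The per-IP counter only resets when its own lockout fires; a production version would also let it decay over a time window and combine it with other signals (device, geolocation) so that a shared office address is not punished for one user’s typos, while a credential-stuffing run that spreads its guesses across many accounts is still caught.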
Brute Force and Dictionary Attacks
We have already discussed the brute force approach and how to blunt it. A dictionary attack uses a list of common words, phrases and previously leaked passwords, combined with mangling rules (capitalise, append a year, swap a for @), which makes short work of anything that is not truly random. This is the very reason personal information like your name, date of birth, family members’ names, parts of your email or login ID and similar details should not appear in a password.
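How an attacker actually uses those details, as an added example (not from the original article): a small targeted wordlist generator that takes John Doe’s profile from the earlier section, applies a few mangling rules, and tests each candidate against a leaked unsalted SHA-256 hash. The profile, the rules and the target hash are constructed for the demo; real tools such as hashcat ship with thousands of such rules.

```python
# Added example for this guide (not from the original article): a targeted
# dictionary attack built from personal details plus mangling rules. Profile,
# rules and the "leaked" hash are constructed for the demo.
import hashlib
import itertools

# Substitutions people believe make a word unguessable.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ("!", "!!", "!!!", "1", "123")


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def base_tokens(profile: dict) -> set:
    """Seed words harvested from the profile: every word in lower and
    Capitalised form, the initials, and the birth year in 4- and 2-digit form."""
    tokens = set()
    for value in profile.values():
        for word in str(value).split():
            tokens.add(word.lower())
            tokens.add(word.capitalize())
    parts = profile["name"].split()
    tokens.add((parts[0][0] + parts[-1][0]).upper())      # "JD"
    year = str(profile["birth_year"])
    tokens.update({year, year[-2:]})                       # "1969", "69"
    return tokens


def mangle(token: str) -> set:
    """Rules a cracking tool applies to every seed word."""
    variants = {token, token.translate(LEET)}
    variants |= {token + s for s in SUFFIXES}
    return variants


def candidates(profile: dict, max_parts: int = 3):
    """Every ordered concatenation of 1..max_parts distinct mangled seeds,
    in a deterministic order so the guess count is reproducible."""
    seeds = sorted({v for t in base_tokens(profile) for v in mangle(t)})
    for k in range(1, max_parts + 1):
        for combo in itertools.permutations(seeds, k):
            yield "".join(combo)


def crack_sha256(target_hex: str, profile: dict, max_parts: int = 3) -> tuple:
    """Attacker holds an unsalted SHA-256 of the password (a weak but still
    common storage choice) and the victim's profile. Returns (password or None,
    guesses made)."""
    guesses = 0
    for guess in candidates(profile, max_parts):
        guesses += 1
        if sha256_hex(guess) == target_hex:
            return guess, guesses
    return None, guesses


if __name__ == "__main__":
    profile = {"name": "John Doe", "birth_year": 1969, "mother": "Martha"}   # constructed
    print(crack_sha256(sha256_hex("JD1969Martha!!!"), profile))
    print(crack_sha256(sha256_hex("xT9#pLq2!vRz"), profile))   # random: not found
```

With nine seed words and seven variants each, three-part combinations come to a couple of hundred thousand guesses, which a laptop exhausts in well under a second; “JD1969Martha!!!” falls somewhere in that run, while a random 12-character string survives the whole list.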
Phishing and Social Engineering
Here the hacker creates a fake login page that looks like the real deal. You enter your password on the fake page and nothing happens, or you are quietly redirected to the real site so that nothing looks wrong. Unknowingly, you have just handed the hacker access to that account. Be mindful of the site name in the address bar (the URL), especially the part just before the first slash, which is the only thing that identifies the site, and be careful while filling out forms.
Social engineering is another route, where you are tricked into revealing your password after ‘being social’ and building trust. A caller posing as your bank and asking for an OTP or other sensitive information is social engineering.
Note: If you’ve clicked on any of the links in my article, did you check where the link pointed before clicking, or do you trust me that much? Hovering over a link shows the target URL in your browser, and you should never follow one to an unknown site. (On phones, long-pressing a link does the same.)
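What “be mindful of the URL” means in practice, as an added example (not from the original article): a small link inspector that pulls out the host, works out the registered domain and flags the tricks phishing links rely on (a trusted name stuffed into a subdomain, credentials before an @, punycode look-alikes, a bare IP address, plain http). The trusted-domain set and the sample links are constructed; the registered-domain rule uses the last two labels, a simplification that ignores suffixes such as co.uk, for which a real filter would consult the Public Suffix List.

```python
# Added example for this guide (not from the original article): inspect a link
# the way a careful user (or a mail filter) should. Trusted domains and sample
# links are constructed; registered_domain() is a last-two-labels simplification.
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"example.com"}   # constructed: the site the user actually wants


def registered_domain(host: str) -> str:
    """Last two labels of the host. Ignores multi-part public suffixes such as
    co.uk; a real check would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_link(url: str) -> dict:
    """The parts of a link worth reading before clicking, with warnings."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append(f"scheme is '{parts.scheme or 'none'}', not https")
    if parts.username is not None:
        warnings.append("text before '@' is a username, not the site; the real host is " + host)
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (xn--): may be a look-alike of a trusted name")
    if host.replace(".", "").isdigit():
        warnings.append("bare IP address instead of a domain name")
    reg = registered_domain(host) if host else ""
    trusted = reg in TRUSTED_DOMAINS
    if not trusted:
        for t in TRUSTED_DOMAINS:
            brand = t.split(".")[0]
            if brand in host:
                warnings.append(f"contains '{brand}' but the registered domain is '{reg}'")
                break
    return {"host": host, "registered_domain": reg, "trusted": trusted, "warnings": warnings}


def safe_to_click(url: str) -> bool:
    """True only for an https link whose registered domain is trusted and that
    raised no warnings."""
    r = inspect_link(url)
    return r["trusted"] and not r["warnings"]


if __name__ == "__main__":
    # Constructed sample links, modelled on common phishing patterns.
    for link in ["https://www.example.com/login",
                 "https://accounts.example.com.login-verify.example/session",
                 "https://example.com@evil.example/login",
                 "http://example.com/",
                 "https://xn--exmple-cua.com/",
                 "https://93.184.216.34/"]:
        r = inspect_link(link)
        print(f"{link}\n   host={r['host']} registered={r['registered_domain']} "
              f"trusted={r['trusted']} warnings={r['warnings']}")
```

The second sample is the classic trick: everything to the left of the registered domain is a subdomain the attacker controls for free, so “accounts.example.com” at the start of a host proves nothing; only the two labels just before the first slash do.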
Keyloggers
Keyloggers are tools that record keystrokes, mouse clicks and even clipboard content. They quickly found a place in cybercrime, and attackers plant keylogging software on a victim’s device to fetch information remotely. It can arrive through a malicious app download, an opened link or an attachment. Always investigate links from untrusted sources and unknown websites, and avoid keeping credentials in easily accessible places like online drives, text files and documents. Such malware does not only ship your data to its operator; some strains also tamper with the device, for example disabling Task Manager and other management tools on Windows so that removal is harder, sometimes to the point where a clean reinstall is the only reliable fix.
Free VPNs
A virtual private network (VPN) encrypts the traffic between your device and the VPN provider’s server, hiding it from your local network and internet provider and letting you bypass restrictions set by your provider, country, etc. It is not end-to-end: the VPN operator sees everything you send, which is why the choice of provider matters. Free VPN services may not offer the same level of security and encryption as paid ones, leaving your traffic open to interception and monitoring, and many free VPNs sell your data or use it for advertising. What you lose that way is worth far more than the cost of a paid VPN.
Choosing a reputed VPN, in combination with the above password and MFA practices, along with a strong anti-virus (with web protection) can help ensure that your online accounts and personal information remain secure.
Are You Safe?
To check whether you are safe, you need to scour the web (and the dark web) for data breaches in which your credentials were exposed. Fortunately, several services already do this, and all they need from you is a username or email ID (never your password). Here are some sites to look out for…
- Have I Been Pwned: simply checks for data breaches
- Identity Leak Checker: checks for breaches and reports type of breach and type of data involved
- Google and Firefox Password Tools: checks the strength and security of passwords, reports data breaches (requires sign-in)
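How the Have I Been Pwned password check avoids ever seeing your password, as an added example (not the site’s own client code): the Pwned Passwords API takes only the first five hex characters of the password’s SHA-1 hash and returns every known suffix for that prefix, so the match is made locally. The network call sits behind a function so the example runs offline against a constructed response, in which only the suffix for “password” is its real SHA-1 remainder and every count is made up; the live endpoint is https://api.pwnedpasswords.com/range/{prefix} and `http_fetch_range` shows that call.

```python
# Added example for this guide (not Have I Been Pwned's own code): the
# k-anonymity range query of the Pwned Passwords API. FAKE_RESPONSES is a
# constructed stand-in for the network; only the "password" suffix is real.
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password: str) -> tuple:
    """Upper-case hex SHA-1 of the password, split into the 5-char prefix that
    is sent and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Response lines look like 'SUFFIX:COUNT'. Padded responses (Add-Padding)
    contain filler entries with count 0, which are dropped here."""
    table = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit() and int(count) > 0:
            table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range) -> int:
    """Times the password appears in the breach corpus (0 = never seen).
    `fetch_range(prefix)` returns the response body for a 5-char prefix."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def http_fetch_range(prefix: str) -> str:
    """Live fetch (not used by the offline demo). The API asks for a User-Agent;
    Add-Padding hides the true number of matches from a network observer."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "credentials-guide-example", "Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the network. The second suffix is the real SHA-1
# remainder of "password"; the other suffixes and all counts are made up.
FAKE_RESPONSES = {
    "5BAA6": "003D68EB55068C33ACE09247EE4C639306B:4\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FFF:0\r\n",
}


def fake_fetch_range(prefix: str) -> str:
    return FAKE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        prefix, _ = sha1_split(pw)
        print(f"{pw!r}: sends only {prefix!r}, seen {pwned_count(pw, fake_fetch_range)} times")
```

Swap `fake_fetch_range` for `http_fetch_range` to query the real service; even then, the server learns a five-character prefix shared by hundreds of hashes, not which one you hold.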
Resources
Here are some additional resources to keep your online health (and offline sanity) intact:
- Cybersecurity Services and Tools: These are free online security tools, including a phishing campaign assessment, ransomware readiness and vulnerability scanning tools, by America’s Cyber Defense Agency, CISA.
- OWASP ZAP and Wireshark: ZAP is a web application scanner that finds vulnerabilities in websites you are allowed to test; Wireshark is a network protocol analyser that shows what is actually travelling over your connection.
- Malwarebytes: It is a powerful anti-malware tool that can help protect your device against various types of malware.
- Bitdefender: Anti-virus software; run alongside Malwarebytes it gives your device all-round protection.
- F-Secure Online Scanner: A free tool for those looking for an online alternative to a couple of the above options. An installed scanner is better, though, since with admin privileges it can search much deeper.
- Paid VPNs like Proton and Nord: As discussed earlier, VPNs can help protect your online privacy by encrypting your internet traffic.
- VeraCrypt: It is a free, open-source disk encryption tool that can help you secure your data. This will allow you to store passwords on such disks too!
Note: Modern operating systems come with their own built-in drive encryption tools.
- Privacy extensions and ad-blockers: Browser extensions that promote user privacy by blocking third-party cookies, tracking requests and other online threats should be installed for additional safety. Some examples include uBlock Origin, Privacy Badger and DuckDuckGo Privacy Essentials.
In conclusion, taking control of your credentials is an essential step in protecting your online security and privacy. By using a password manager to generate and keep strong, unique passwords, keeping them private and changing them promptly when a breach is reported, and enabling multi-factor authentication, you can significantly reduce the chances of a successful attack. Additionally, stay vigilant and aware of ongoing trends in cybercrime and use tools to monitor and protect your online security. In no time, you can take back control of your passwords and enjoy a safe and secure online experience.