“Never share passwords between sites” and 9 other pieces of advice to secure your accounts
Hardly a day goes by without headlines about a significant data breach. In recent years, billions of account records from popular services and sites such as LinkedIn and Yahoo! have been exposed on the Internet. We have also seen massive batches of login credentials sold on the black market by hackers months or even years after the incidents. So what should you do to protect your accounts?
Ten security tips to help you keep your accounts safe
1. In general, sharing passwords between sites is a bad idea.
If one online service is compromised and its passwords leak, someone will try those passwords on other sites. If you reuse or share passwords between sites, password lists from breaches several years old are still useful to an attacker. Similarly, if you use predictable password patterns, the breaches disclose how you think when choosing passwords.
2. Protect your email account.
Many sites send password reset links or temporary passwords to your email, so whoever controls your mailbox can take over those accounts. Use a different email account for password recovery than you use for regular email communication.
3. Always use two-factor authentication when available.
Many services offer an additional authentication step: after you enter your password, a randomly generated verification code, in most cases 6 digits, is sent to your mobile phone and must be entered before you can log in. This adds another layer of protection for your account and your privacy.
4. To make hash cracking more difficult, focus on the length of the password.
Simple long passphrases are better than complex short passwords, which are difficult to memorize. To crack the passphrase "1 like that you are protecting my Passw0rds", Tianhe-2, one of the fastest supercomputers in the world, would need several thousand centuries.
5. Choose passwords that are not easy to engineer from your life or your habits, and cannot be derived from public information related to you.
In general, think carefully about what information about yourself you share online. Difficult-to-guess passwords are what stops online brute-force attacks.
6. Choose passwords that are not embarrassing to you: if plaintext passwords leak, or the hashes are cracked, the passwords can end up out in the open.
7. Use password managers that help you to generate difficult and long enough passwords.
By using the password generator included in most password managers, you don't have to think up passwords yourself; the tool does it for you. With the most advanced tools, you can generate random passwords as long as 32 characters, which are practically impossible to guess or crack. If your password is strong enough, the only remaining way for it to be stolen is a plaintext leak.
8. Sign up for an alert service like Have I Been Pwned?
They’ll notify you if your email is found in a breach so you can quickly make any changes you need to.
9. Stop browsers from remembering your passwords.
As you navigate through Chrome, Safari, Firefox, or whatever your browser of choice is, you’re often given an enticing option to save your password. If you answer yes, you’re taking a risk.
10. As a last rule of thumb, when you use fingerprint recognition, enrol a finger that you don't usually touch other devices with.
In other words, use for example your little finger or thumb rather than your index finger for biometric recognition.
What do the attacks look like?
There are several types of attack aimed at gaining access to user accounts and passwords. Here is a list explaining some of the most commonly used tactics.
Online brute-force attacks
Attacks in which the attacker tries to get into your account on an online service by attempting to log in with different passwords, usually taken from a list of commonly used passwords or generated from public information related to you.
Offline hash cracking
If the attacker has obtained the password database of an online service but the passwords are stored as hashes, the attacker needs to crack them. This is done by hashing candidate passwords with tools such as hashcat and checking whether the resulting hash matches a hash in the password file. Powerful GPUs are used for this purpose.
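The comparison step described above, as an added example (not part of the original article) from the defender's side: a security team checking a leaked credential file against a list of common passwords to see which accounts would fall immediately. The file, usernames, passwords and the choice of unsalted SHA-256 are all constructed for the example.

```python
import hashlib

def sha256_hex(s: str) -> str:
    """Unsalted SHA-256 of a password, as a hex string."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()

# Constructed "common passwords" list and constructed leaked file
# (username -> unsalted SHA-256 of the password). bob uses the article's passphrase.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Passw0rd!"]
LEAKED = {
    "alice": sha256_hex("letmein"),
    "bob": sha256_hex("1 like that you are protecting my Passw0rds"),
    "carol": sha256_hex("password"),
}

def audit(leaked: dict, wordlist: list) -> dict:
    """Return {username: matched_password} for every account whose hash equals
    the hash of a wordlist entry. Each guess is hashed once and compared against
    all accounts: with unsalted hashes a single computation tests every user,
    which is why a common or reused password falls in the first pass."""
    users_by_hash = {}
    for user, digest in leaked.items():
        users_by_hash.setdefault(digest, []).append(user)
    found = {}
    for guess in wordlist:
        for user in users_by_hash.get(sha256_hex(guess), []):
            found[user] = guess
    return found

if __name__ == "__main__":
    weak = audit(LEAKED, COMMON_PASSWORDS)
    for user in LEAKED:
        status = f"weak ({weak[user]!r})" if user in weak else "not in wordlist"
        print(f"{user}: {status}")
```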
Social engineering and phishing
An attack in which the attacker tries to lure you to a malicious website that looks like the real login page of an actual service but in fact sends your password to the attacker. Alternatively, the attacker may simply ask you for the password, or for the answers to your security questions if the service has a password reset function.
Attacks against password reset questions
The attacker tries to answer the password reset questions using publicly available information about you.
Poster: 10 password security tips – download your copy!
We've prepared an illustrated poster to remind you (and your co-workers) of these tips going forward. You can download the poster below. We hope you find it useful!