How to become safer on the internet — Passwords

Nova Tech Club
5 min read · Nov 30, 2020

Covid-19 drove many people home: students who only had in-person classes started having online classes, while some workers had to do their jobs remotely. Surely, some individuals could not be more satisfied with this change, while others feel that the current conditions have severely degraded their working conditions. However, this article does not intend to discuss the pros and cons of the working and academic conditions Covid-19 has imposed. Today, we are going to discuss cybersecurity and what you can do to protect yourself, since the world was forced to become more digital.

Passwords are one element that you must take into consideration when you want to make yourself secure in today’s cyber world, both at the personal and the professional/academic level. It can be just someone who wants to hack into your Facebook account to say mean things to your grandmother, or somebody from a rival firm who wants to steal sensitive information, or a malicious person who wants to buy stuff with your hard-earned money, or… These are just 3 examples, but you can certainly enumerate more situations in which you are taken advantage of.

To prevent such situations from happening, you should have different passwords. I reiterate: plural, passwordS. You should have a different password for every service you have. Let us analyze the logic behind this: if the password you use for a forum in which you discuss your favorite games is the same as the one for the email you use to reset the passwords of more sensitive services, you can be in a very problematic situation. When you use the same password for different services, you are only as secure as the least secure place where you have used it.

Following this logic, you can be even safer if you use not only different passwords, but also different emails. Essentially, you are modularizing your virtual vulnerabilities. In the case that your most secure password is breached, if it is only linked to one service, further damage can be avoided, because the breached email and password only work in one circumstance, leaving all the others untouched.
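The reasoning of the last two paragraphs can be checked against your own list of accounts. The sketch below is an added example, not part of the original article: it assumes a constructed inventory of accounts (the service names, addresses and passwords are made up) and computes which other accounts fall if one service is breached, either because the same email and password are reused or because the compromised account is the mailbox used to reset the others.

```python
from collections import deque


def blast_radius(accounts, breached):
    """Return the services an attacker reaches after `breached` leaks its credentials."""
    by_name = {a["service"]: a for a in accounts}
    compromised, queue = {breached}, deque([breached])
    while queue:
        current = by_name[queue.popleft()]
        for other in accounts:
            if other["service"] in compromised:
                continue
            # Same email and password: the leaked pair simply works elsewhere.
            reused = (other["email"], other["password"]) == (current["email"], current["password"])
            # The compromised account is the mailbox that receives the reset links.
            resettable = current.get("mailbox_for") == other["email"]
            if reused or resettable:
                compromised.add(other["service"])
                queue.append(other["service"])
    return compromised - {breached}


# Constructed sample: one email everywhere, forum password reused for the mailbox.
REUSED = [
    {"service": "games-forum", "email": "me@mail.example", "password": "pw-A"},
    {"service": "mail", "email": "me@mail.example", "password": "pw-A",
     "mailbox_for": "me@mail.example"},
    {"service": "bank", "email": "me@mail.example", "password": "pw-B"},
    {"service": "shop", "email": "me@mail.example", "password": "pw-C"},
]

# Constructed sample: a different email and password per service.
SEPARATED = [
    {"service": "games-forum", "email": "games@mail.example", "password": "pw-A"},
    {"service": "mail", "email": "bank@mail.example", "password": "pw-D",
     "mailbox_for": "bank@mail.example"},
    {"service": "bank", "email": "bank@mail.example", "password": "pw-B"},
    {"service": "shop", "email": "shop@mail.example", "password": "pw-C"},
]

if __name__ == "__main__":
    print(sorted(blast_radius(REUSED, "games-forum")))
    print(sorted(blast_radius(SEPARATED, "games-forum")))
```

In the first inventory the bank and shop accounts fall even though their passwords are unique, because the mailbox that resets them shares the forum's password.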

Hence, in addition to having different passwords for different services, they should be strong. To avoid debating the technicalities of what exactly a strong password is, I will simply leave you with the general recommendations to follow. Passwords should be long (16 to 20 characters) and composed of a mixture of upper- and lower-case letters, spaces, numbers, and symbols. Additionally, a password ought not to contain repeated characters, words found in the dictionary, usernames or IDs, or known sequences. If you are thinking of replacing certain letters with numbers, you should not do it! Despite being safer than merely using letters, there are currently algorithms capable of recognizing such patterns.
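The recommendations above can be turned into a small checker. This is an added example, not code from the original article: the word list, the keyboard sequences and the substitution table are short constructed samples, "repeated characters" is interpreted as the same character twice in a row, and spaces are counted together with symbols.

```python
import string

# Constructed samples: a real check would load a full dictionary or breached-password list.
WORDLIST = {"password", "dragon", "letmein", "monkey", "sunshine"}
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Common letter-to-number/symbol swaps, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
CLASSES = {
    "lowercase letter": string.ascii_lowercase,
    "uppercase letter": string.ascii_uppercase,
    "number": string.digits,
    "symbol or space": string.punctuation + " ",
}


def check_password(password, username="", min_len=16):
    """Return the list of the article's recommendations that `password` violates."""
    problems = []
    lowered = password.lower()
    normalized = lowered.translate(LEET)  # "p@55w0rd" -> "password"

    if len(password) < min_len:
        problems.append("too short")
    for name, alphabet in CLASSES.items():
        if not any(c in alphabet for c in password):
            problems.append(f"no {name}")
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("repeated character")
    if username and username.lower() in lowered:
        problems.append("contains username")
    # Any 4-character window that follows a known sequence, forwards or backwards.
    for i in range(len(lowered) - 3):
        window = lowered[i:i + 4]
        if any(window in s or window[::-1] in s for s in SEQUENCES):
            problems.append("known sequence")
            break
    # Dictionary check on the raw form, then on the de-substituted form.
    for word in sorted(WORDLIST):
        if word in lowered:
            problems.append(f"dictionary word: {word}")
        elif word in normalized:
            problems.append(f"dictionary word after undoing substitutions: {word}")
    return problems


if __name__ == "__main__":
    for candidate in ["P@55w0rd", "vK7#mQ 2x!Rp9&Lz@Tf"]:
        print(repr(candidate), check_password(candidate))
```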

In a variety of cases, when you are setting up your account in some services, you are asked to pick one or a couple of security questions, which will be used if you need to reset your password. If the questions are predefined and you can only choose which ones to answer, you can make yourself more secure by picking one of the following two options: 1) either you pick one (or more) question(s) whose answers nobody else could know; or 2) you pick the question(s) you want but you lie in your answers. On the pros side, the first case can be considered better because only you know the correct answer, while the second case can be ranked higher because, if you provide fake answers, those who are trying to hack you might know the truth but will end up failing the question. On the cons side, in the first case you might forget that more people know the answer, while in the second case you might be the one who forgets which answer you provided. The best-case scenario would be if the service itself asked you to come up with both the question(s) and the answer(s).

Another measure you can take to be more secure is to enable two-factor authentication whenever that is possible. Such a measure can take different forms: it can be a text message, an email, a notification, or even an object that allows you to log in to some services. In a world in which your username, email and password are compromised, this precaution prevents the people who hacked you from accessing your account if they do not also have access to whichever second factor of authentication you have enabled.


Lastly, as it is recommended that you have different emails and passwords, which are very likely to be hard to remember, one concern is how to manage them. To solve that issue, you can rely on the old system, that is, writing down the password and storing it somewhere safe. Or you can use a password manager, either an online or an offline one. For both kinds, you can make arguments in favor and against. The online ones have the benefit that most of them are built using very advanced cryptographic algorithms and that they are highly integrated with several services. On the other hand, you are placing your most sensitive data in the hands of a company, which you can consider a privacy issue. An offline password manager, by contrast, stores your passwords locally, solving the privacy issue raised before. However, it is not guaranteed that such a system was developed using the latest and safest cryptographic technology.

In sum, each service you use should be associated with only one email and one password, which should be long, with a mixture of upper- and lower-case letters, numbers, spaces, and symbols. Simultaneously, you should think carefully about the answers to the security questions some services ask you to provide, you should enable two-factor authentication and try to manage your passwords as safely as possible, either completely offline (paper) or with a password manager.

By Miguel Bezerra


