It's pretty hard to tell if someone is who they say they are online. We can't check your passport, ask a friend if they know you or even look to see if you're the really tall one with a moustache.
Instead, we have to ask...for your password.
Love them or loathe them, passwords are the best way we've got of working out if you're really you. They're all that stand in the way between your bank account, emails and social media account, and the online baddies trying to take them from you.
But there is a problem. You have to use your passwords all the time. So it's all a trade-off between convenience and security: the balance between using a thousand-character random password to log in and check your emails, and using 123 for every online account you have.
Setting passwords
1. Make your passwords long and complicated
Programmable computers were developed by the brains at Bletchley Park during the Second World War to run through enormous numbers of possible combinations of letters and numbers to help crack the daily settings for the German Enigma cipher. So, think what computers might be doing today, 70 years on, to try and break into your online account. It won't take them long if your password is...password.
Stick to a totally random set of letters and numbers, about 10-25 characters long. Don't use any recognised words or keyboard patterns, such as 1qaz (swiping your finger from 1 to z on the keyboard isn't as original as you may think!). The more important the account, the more characters you should use.
But how do you pick a password? There are plenty of online generators that will help you, or you can just close your eyes and hammer the keyboard!
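As an added illustration (not code from the original post), this Python script does what an online generator does for the advice above: it draws every character from the operating system's cryptographic random source, rejects candidates containing a few constructed keyboard-walk or dictionary fragments like 1qaz, and reports how many bits of entropy a password of each length gives. The guess rate used for the time estimate is an assumption for a fast offline attack, not a figure from the post.

```python
import math
import secrets
import string

# Alphabet for generated passwords: letters and digits, as the post recommends.
ALPHABET = string.ascii_letters + string.digits

# Constructed, deliberately short list of fragments to reject; a real
# blocklist would be far longer.
WEAK_FRAGMENTS = ("1qaz", "qwerty", "password", "12345", "asdf")

# Assumed guess rate for an offline attack against a fast hash (guesses/second).
ASSUMED_GUESS_RATE = 1e10


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def contains_weak_fragment(candidate: str) -> bool:
    """True if the candidate contains a known keyboard pattern or word."""
    lowered = candidate.lower()
    return any(fragment in lowered for fragment in WEAK_FRAGMENTS)


def generate_password(length: int = 16) -> str:
    """Return a uniformly random password drawn from ALPHABET.

    secrets.choice uses the OS CSPRNG; the random module must not be used
    for this. Candidates containing a weak fragment are redrawn, which
    removes strings a guesser would try first at a negligible entropy cost.
    """
    if length < 10:
        raise ValueError("use at least 10 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not contains_weak_fragment(candidate):
            return candidate


def expected_guess_years(length: int, rate: float = ASSUMED_GUESS_RATE) -> float:
    """Expected years to find the password by exhaustive search (half the
    keyspace) at the assumed guess rate."""
    seconds = (len(ALPHABET) ** length / 2) / rate
    return seconds / (86400 * 365)


if __name__ == "__main__":
    for n in (10, 16, 25):
        print(f"{n:2d} chars: {generate_password(n)}  "
              f"~{entropy_bits(n):.0f} bits, "
              f"~{expected_guess_years(n):.2e} years at {ASSUMED_GUESS_RATE:.0e} guesses/s")
```

The entropy figure is the useful number: each extra character from this 62-symbol alphabet adds about 5.95 bits, so the post's 10 to 25 character range spans roughly 60 to 150 bits.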
2. Never use the same password twice.
Websites get hacked. You'll have heard in the news about countless huge sites having their users' data stolen, which may well have included your username and password.
So however hard you try, you may well end up with someone out there knowing your password. But what if that password is used elsewhere too? Then not only has the key that opens your front door been stolen, but it's the key that starts your car too.
If you don't use a unique password on every site, start doing so. And start doing so now.
3. Use Two Factor Authentication
More and more sites are offering Two Factor Authentication these days, including Google, LinkedIn, Facebook and Twitter. Amazon will be rolling it out soon too.
Two Factor Authentication means you need two pieces of secret info to log in to your account - your password and a number. The number is usually sent to you by SMS when you enter your password, or displayed in an app such as Google Authenticator. The number expires within minutes of being sent. The whole idea is that there is more certainty that it's you logging in: whoever is logging in not only knows your password but also has access to your phone, so the chances are even higher that you are who you say you are.
This is a great feature. You'll have to actively enable it on your accounts, so go and check if you can set up Two Factor Authentication on your key online accounts.
4. Use dedicated emails for important accounts
If you're being really careful you could set up dedicated email addresses for really important accounts, like banking. Remember, all accounts have the Forgotten Password facility, so if someone can easily access your emails to reset your password and log in as you, you've undone all your good work. Setting up an account that autoforwards to your normal email and can't otherwise be accessed is a good way of hiding your actual email address and keeping things more secure.
Remembering passwords
You've got your well chosen passwords that will make it harder for people to try and impersonate you online. But how on earth do you remember them all?
1. Offline password manager
KeePass is an open source password management program. Your passwords are stored in a vault on your computer, accessed by a master password. You only need to remember the master password, so you can set long and complex passwords for all your accounts in the vault without worrying about memorising them. The main problem, however, is that you can only access your passwords on the computer you have KeePass on, unless you carry an encrypted copy of your passwords on a flash drive. This also means that you're in charge of backups, because if your hard drive fails then your KeePass passwords go with it.
2. Online password Manager
Services such as 1Password and LastPass provide an online vault for storing your passwords. This vault is accessed by one master password - just like KeePass. The difference in holding your passwords online is that they can be accessed on multiple devices and are backed up by the service provider. Better still, when you visit a site you've saved into your password manager it's usually just a couple of clicks for the password manager to automatically drop in your password and log you in. While you can do this with KeePass too, online password managers are better set up to do this out of the box.
What's the catch then? By storing your passwords online with a third party you're handing them over to someone else. This ultimately makes your passwords vulnerable to hackers if they manage to breach the juicy target that is an online password manager.
3. Pen and paper
It may seem counter-intuitive, but writing your passwords down can be a very secure way of managing them. You'll need to take the obvious precautions: don't keep logins and passwords in the same book, don't use a Post-it stuck on your screen, and make photocopies in case you lose your book. However, you are immediately replacing digital risks with physical ones: the possibility of a hacker stealing your master stash of passwords via your computer becomes the possibility of physical theft, and your hard drive failing becomes your password book being lost in a fire. It's for you to decide whether these physical risks are higher (for example in a shared office) or lower (for example if you only have access to a shared computer).
So there you have it. It might seem like a pain and too much effort, but it's a lot easier than trying to undo the damage that's been done after someone has logged into your online banking, emails or website. And with these tips you should now know what to focus on and how to keep things manageable.
How we can help
Make your users feel more secure and everyone benefits. Contact us here at Indulge to discuss how we can keep you and your website safe. From adding a security certificate to your website to beefing up your backend security, we can help.