Have I Been Hacked?
It seems like every other day a news story is published detailing the latest email hack or data breach, and it’s no wonder – for some strange reason, the world isn’t taking the simplest of security procedures seriously enough.
Passwords have been around since the dawn of time. In ancient times, according to Wiki, sentries would challenge people who wanted to enter an area by asking them for a password and would only allow them through if they knew the correct answer (remember the tale of Ali Baba and the Forty Thieves?). Now more than ever, passwords are synonymous with any kind of account creation. They provide a simple and secure handshake between the user and the provider, enabling access to everything from information, to money, to personal data and beyond.
Because passwords are asked for all the time, people typically choose them based on personal details; a pet’s name, a child’s date of birth or their favourite sporting team. Worse yet, there are those that go beyond this simplicity and choose to use what I like to refer to as dumbwords such as ‘welcome’ or ‘123456’ or the not-so-very-clever ‘password’.
In January 2016, SplashData published their annual top 25 most commonly used passwords based on a list of millions of stolen passwords that have been made public over the previous twelve months:
- 123456
- password
- 12345678
- qwerty
- 12345
- 123456789
- football
- 1234
- 1234567
- baseball
- welcome
- 1234567890
- abc123
- 111111
- 1qaz2wsx
- dragon
- master
- monkey
- letmein
- login
- princess
- qwertyuiop
- solo
- passw0rd
- starwars
The amusement one might feel whilst reading this list may also be accompanied by a profound feeling of disbelief. When did we get so stupid? If your password or a variation of it is on this list, give yourself an uppercut. Then go and change it.
What should your password be?
Anything that is too painful to read let alone remember is your best bet. I know, it seems difficult but it’s the most secure type of password you could have. If it’s hard for you to remember, it will be just as hard for someone else to hack.
- We recommend using no less than a 15 character password using a mixture of numbers, lowercase and uppercase letters as well as punctuation symbols.
- Use a different password for each account that you have. Because passwords are almost always linked to an email address, it’s highly likely that you’ve used it and the same password elsewhere. In the event of a data breach or an email hack, you may inadvertently give a hacker access to all of your online accounts.
I asked a co-worker (with a particularly rain-man-like brain) what his answer would be if he were asked this question. He suggested that every website/account should/could be associated with a memory; a song title, a line from a song or a book, poem or movie, or a particular item – something that could trigger a password memory. Unfortunately, instead of making me feel like I could regain some control over my own passwords and then impart that knowledge confidently to others, it left me standing there with a painfully confused expression on my face that resembled something like a smacked bum crossed with a toothache.
The fact is, my co-worker makes a good point – passwords don’t have to be a word. They could be a phrase, a line or a song title and of course the more obscure to everyone else, the better. It could be an abbreviated version of these using a mixture of numbers, letters and symbols.
User names can also follow the same guidelines – you don’t have to provide your real name. It’s also a good idea to blatantly lie when it comes to filling out those password security questions. Anyone who knows you well enough probably has all the information they need to take you down, should they be so inclined. In saying that, as was demonstrated very clearly in a recent episode of Mr. Robot, gathering this kind of information about someone from something as simple as a Facebook account is way too easy to do and can be done by anyone (is your Facebook account set to private and if so, are all those friends actually trustworthy friends?).
So how are we supposed to remember the 3,487 passwords we need?
If associating smells, colours and sounds doesn’t work for you, not all hope is lost.
Repetition
Repetitive anything will always ingrain something into your mind. Try it, you may be pleasantly surprised at what you can remember.
Using the suggestions above, you could even develop your own personal format as to the way you create passwords which will then make it easier to remember.
Write them down
Woah, Nelly.
No, don’t write them down unless you live in a deep cavern on the side of a very tall, hard to climb mountain, in a very remote part of the world where your nearest (and only) neighbour is an antelope you call Fred.
Writing down a password one time only and then destroying that piece of paper can be an effective way to remember something but if you do this please make sure it’s destroyed. If someone breaks into your office/home and is looking for access to accounts, you’ve made it way too easy.
I would never advise this regardless of the reason but please, whatever you do, do not write it on a post-it note and stick it to your monitor.
Locked Documents
An alternative to a password manager.
Making the master password complex is the key to securing this document and it will then serve the same purpose as a password manager, although you will have to manually enter your password into the website account you wish to log into. For an extra two minutes of your time, it’s not a big deal. These documents are encrypted so that in the event of a hack into your machine or network your data is safe. Make sure this document is backed up externally or remotely because if you lose your data or your drive, or some other disaster renders your machine unusable, you may lose this file forever.
If you choose this option, I would recommend using an Excel file and ensuring that it is from version 2013 onward as Microsoft have very thoughtfully increased the hash value and added an additional layer of protection in the form of a Salt Value. Bravo, Microsoft.
Password Managers
Are great if they aren’t logged in 24/7.
There’s not much point in having a third party application manage your passwords for you if it is always open/unlocked. You might as well use the built-in password manager on Chrome or IE/Edge which is always ready to fill out your details for you. If you remember to log out of your Google account and don’t have that password saved, it’s an option. Logged in permanently makes it no different to having a book sitting open on your desk with all of your passwords written down (or an unsecured document on your desktop titled ‘Passwords’) or, as previously mentioned, the one we see most often – the post-it note stuck to the monitor on the desk.
If you do choose to use a password manager, do some research. Free isn’t always the best option but be sure to investigate and be comfortable with the one you choose to use. Make sure that it is not logged in 24/7 and that you have to enter your master password before it fills in your login details to the website you want to log in to. Make your master password complex and memorize it – if it’s the only password you have to remember, then remembering it shouldn’t be too hard.
So. Have you been hacked?
If you think any of your accounts may have been hacked, there are ways to check. A tried and true favourite is haveibeenpwned.com where you simply enter the email address (or two or three) that you most commonly use to sign up to sites with. It will go off and check them against a list of known hacks and data breaches and then inform you whether your information has been stolen and which of your details have been compromised.
Before you do that though, you may just want to go and change those passwords.

F5 Solutions has been providing refreshing IT support for small-to-medium sized businesses since 2011. Our collective experience and industry service began as early as 1999.
We deliver IT support and services in Richmond, Windsor, Hawkesbury, Blue Mountains, and the Greater Sydney area. We also service customers with branches Australia-wide.
© 2021 F5 Solutions Pty. Limited ABN 89 153 991 765