A few helpful hints on internet security from your friendly neighborhood whitehat

Guest post by Ragin Redneck
Photo by: kalexanderson – CC BY 2.0
Photo by: kalexandersonCC BY 2.0

As a “retired” hacker, I have some suggestions on the matter of basic security easily implemented by the average internet user.

First and foremost, WORDS ARE HORRIBLE PASSWORDS

This is how you avoid your passwords being cracked by a simple dictionary attack (which can break word based passwords sometimes in seconds):

  1. Think of an entire sentence, or phrase
  2. Reduce it into the first letter of each word
  3. Then add a date that is significant to you, but not actually attached to you, (so not your or your spouses or your parents’ or grandparent’s birthday)
  4. Alternate one letter of that anagram with a symbol such as @ or $

Have all your security questions be BLATANT LIES

Say that your first car is a 1979 Toyota Prius, or that your mother is Cleopatra, that your high school was the Sparta School of Floral Arrangement — something easy for you to remember but that someone Google-checking you won’t come up with. (Seriously, the first thing most people trying to break into an email account do is try and figure out your security questions using records accessible by Google.)

This is kind of a good one, but hard to do nowadays with some sites — do not use your real name for accounts

The people that know your real name will already know it, and the others can be told if you feel it is appropriate or relevant. Change your age or birth year by one year. If the service requires locational data, mark yourself as one county over. Skew the data a bit.

Do not use your actual credit card or debit card online

Paypal is easy even for novice internet users, and almost everyone who accepts Visa or Mastercard or Discover will accept Paypal. It adds an extra level of separation, and an extra level of monetary insurance. Paypal insures all transactions on their network, as does the credit card or bank or credit union you use to tie those payments, so it’s like double insurance. Moreover, Paypal’s encryption and SSL securities actually tend to be somewhat stronger and more robust than Visa or Mastercard or your local bank branch.

Run a virus scan AT LEAST once a month

I recommend Malware Bytes. It’s one of the most comprehensive scans on the market, it’s updated by the Linux community, and it’s 100% free. I run one once a week personally. You can schedule most any scanner to run a scan at a predetermined time. I prefer to have mine set for a time when I’m at work.

Okay, hackers, internet security specialists, and savvy Homies… what are YOUR security tips? Or important things you’ve learned after the fact.

Comments on A few helpful hints on internet security from your friendly neighborhood whitehat

  1. I’ve been using an online virus scanner for years – Trend Micro’s House Call. When I was a teenager I got a virus that disabled any virus software installed on my computer, then corrupted my OS. The only way to find the virus was through an online scanner, not one downloaded an installed on the hard drive.

  2. Watch how many sites are connected to one email account. If you use one email address for everything and someone breaks into that account, use of the “forgot password” button could give them access to your bank account, Twitter, Facebook, Paypal, Apple account… you name it. Sites are moving away from the security question requirement. If an important account allows you to use phone verification, opt in. This usually just means they send you a text message with a security code that is required before it will allow you to access the account through the “forgot password” link.

  3. I’d caution against providing false information like name and DOB for most accounts. Only do it if you don’t have anything valuable attached to the account and don’t care if you lose it without warning. Most terms of service will require that you provide accurate information, and if you forget your password or your password is compromised, regaining control of the account can be difficult or impossible if the account information doesn’t show that you are the person who registered it. In my job, I’m responsible for verifying personal information (up to and including requiring a a government-issued ID) for accounts created online, and the number of people who register as Joe Schmoe with the default birthdate of January 1, 1980 because they “thought it wouldn’t matter” is alarming. Some of these people lose an account with enormous social or business value, or monetary credit, because they can’t prove that the account actually belongs to them.

  4. I’ve done the fake name and year of birth and it’s bitten me in the ass time and again. Especially with Yahoo mail, Gmail, Blogger, Facebook, and some other big sites. Basically, they consider that info to be set in stone and unchangeable (esp your year of birth) and they will never let you change it again. So time passes, Gmail buys Blogger, Yahoo buys Flickr, and suddenly none of your identifying info matches and they shut you down. I’ve had to abandon or lose blogs and email accounts because of this, huge pain in the butt. You never really know how a specific site will evolve and change over the years and how their policies could change. I’ve always tried really hard to be an anonymous user, and the truth is that all these companies only profit if they know your real identity and they can harvest your data, and so they make it very, very hard for users to be anonymous. I haven’t figured out a way around it for these big sites.

    • What’s especially annoying about that is they also refuse to accept that your real name can change, even though it’s not exactly uncommon in Western society (and most of these companies are based in Western countries). When I got married changing the name on my bank account was a matter of going into the bank and filling in one form. But I had to shut down many online accounts and create new ones because there was simply no way to change it. My online account for my mobile phone STILL has the wrong name because I couldn’t change it OR close it down, even though I changed the name on the contract, my billing details and everything else.

      I was glad so many of the sites I used didn’t want my real name and my screen name was nothing to do with my family name. The funny thing now is I’m more identifiable online by my screen name even though it’s far from unique to me. I’ve been Danikat for 15 years, but I’ve only been Katy H. for 5 years.

  5. According to xkcd- http://xkcd.com/936/ -four random words are more secure than a word-based password with letters replaced by symbols. I’d be curious to know how OP’s one-letter-of-each-word-plus-symbols method compares to the data they’ve got there! 🙂

    • I heard the same thing from a security expert on NPR. That the random 4 word password is as strong as any. There seems to be some disagreement in the field.

    • Here’s the explanation for that in less technical terms than used in the comic:

      – Literally the most important thing about passwords, in terms of the likelihood of them being cracked, is length, and whether they’ve been used before. The longer a password is, the longer it will be before a computer guesses it. Period. And there’s a certain length past which, if your password exceeds it, computationally it might take until the heat death of the universe (under current computational power) before a computer guesses it.
      – The first thing a password guessing algorithm will do is guess things it’s seen before. That’s why words are discouraged, as are common phrases, because there are a limited number of things that make sense. Things that are often guessed:
      * password troves that have been pulled from databases on the internet
      * lists of most common passwords
      * “dictionary attacks” – words, phrases, things that make sense to humans
      * 123456789
      – The more sense your password makes, the easier it is to guess! This is *still true* even if it’s several words long, because:
      I-am-an-elephant (16 chars long)
      …will be guessed by the computer, because it makes sense, long before
      Agr!cuL#ural9524 (16 chars long)
      …because it looks like nonsense to the computer, and so it takes more turns of the Rubik’s cube of password guessing to get it right.
      Basically, *for any given length*, an obfuscated password is more secure.
      – BUT, where the random 4 word password advice comes in handy is that you can remember much longer passwords! If you have an obfuscated password, you’ll probably tap out at about 20 characters – and that’s if you have a VERY good memory. With the obfuscated password, each letter takes up a spot in your memory. With the 4-word password, each word does – so it’s complex to a computer, and easy for a human.
      – Worried that your 4 word password isn’t complex enough? Add 2 words, and it becomes much, MUCH harder for the algorithm to guess. It’ll have to go through a lot more 4 word passwords before it even begins to get to the 6 word ones!
      – Worried that your obfuscated password isn’t complex enough? You’ll have to add 10-15 characters before it becomes nearly as difficult as the 6 word password. People are much more likely to end up with 6-8 character passwords, which can be guessed very, very quickly!

      Basically, everyone’s in agreement on what’s difficult to guess. The disagreement comes from “well what if people hear the 4 word advice and they write ‘my password is password'”.

      Hope that helps, and isn’t over-explainy!

      • I’m not a security expert, but I think the four-word-password thing is probably a good method if done correctly; i.e. you always use words at least four or five letters long–but you have to exclude verbs, so it wouldn’t actually make sense as a sentence.

        I doubt any human has ever uttered the phrase “correct horse battery staple” (before that xkcd strip, anyway*), for example, so there would be no reason for the algorithm to look for that pattern before any other (of course, four nouns/adjectives is also a pattern, but I would guess that there’s more potential novelty there than in a grammatically correct sentence).

        *Of course, now, I would totally use “correct horse battery staple” if I wanted to hack, say, the Google accounts of active G+ users, or some other platform that tends to attract techier-than-thou types.

  6. +1 to xkcd’s passphrases – it’s the only way I’ve been able to train non-technical people to use secure passwords they’ll actually remember.

    For folks who are a little more tech-savvy, KeePass password safe will generate random passwords of any character mix or length and keep them secure on your desktop, or will store any passwords you’ve already made. You only have to remember one password, period – the one you create to get into the program.

    I also use KeePass to generate and store those pesky security question answers. What street did I grow up on, you ask? It was a quaint little country road called SFEUI#*(%U#@(QWR(@)$UGHDSHGUKS 🙂

    As for viruses, the best way to treat them is to not get them in the first place. Don’t visit questionable sites, don’t download anything from suspicious emails, and run some basic security apps on your browser. NoScript, AdBlock Plus, and Request Policy on Firefox are the 3 main ones I use, but they can take some getting used to.

    • I use LastPass, which seems like it’s pretty similar, although I don’t know if there’s a way to store security answers. The problem I’ve found with using it is that I can’t check my email and such if I’m using a different computer because I don’t know my passwords anymore.

      • I use LastPass as well and I love it! Perhaps you can store the answers to the security question in the ‘notes’ field with the password. My go-to-answer is something akin to ‘My grandfather is an Apple Store Genius’. He retired, BTW, in 1997.
        Personally I remember my e-mail, Facebook and FanFiction.net passwords and rely on LastPass when I have to login to something else. I just login to my LastPass vault on the browser and open the required site from there.

      • You can still use LastPass on another computer, you just have to go to lastpass.com and copy and paste from your vault. I do it all the time 🙂

  7. Random comment: not as a security expert but as a user, I love using first-letters-in-a-sentence as passwords as I find myself repeating the full sentence in my head each time I type it like a mantra. A previous password was something like Iw2rbaI70! — I want to ride bikes across I-70!, meaning I’d love to bike across the country one day (Interstate 70 goes most of the way across the United States). Even though I haven’t done that yet, it’s a cool way to remind myself frequently of some of my bucket list goals or even memorize passages.

  8. I have an email for sites I post to or mailing lists I sign up for etc that is not my name, my name on that account is not my name and I don’t have any important details attached to it. Then I have my important email, the one that is the real me, for work, insurance, quotes etc.

  9. I would like to add: use the incognito option on public computers and your work computer whenever possible. As soon as you close the window, it erases the history and you won’t remain logged in at personal sites like Tumblr, Facebook and Gmail (especially Gmail has this annoying thing where it retains info on the user like the e-mailadress even after you’ve logged out). The Incognito option is for more than just porn, after all ^_-

  10. Ugh. Passwords are the bane of my life. Even with slightly remember-able ones, I’m always forgetting them & having to reset them on every account & site about once a month (or I get locked out bec. I’ve tried too many times). If I used truly ‘uncrackable’ passwords, I’d never be able to get my own email. Security is a PITA 🙁

    • Maybe try this: use the first three letters of the site that the password is for (so, for Amazon it would be “ama”), add a random letter (maybe “t”), and then a four-digit number PIN that you can remember and know well. The PIN will be the same for every password. Your passwords will be different for every website/email but they will be memorable since you know the first three letters based on the website and you’ll remember your PIN. (Personally I just make the fourth letter the same for all sites so I remember it more easily, but that’s not quite as secure.) You can even write down the first four letters of the password, even in password hints! And no one will be able to crack it still because they will need the PIN. Anyway, it’s definitely helped me remember my passwords.

  11. I like to create passwords that reflect goals. That way they get updated fairly often, are long enough to be secure, easy to obfuscate, AND I get a kick in the pants to work on my goal every time I log onto a website.

    e.g. When I wanted to run a ten kilometre race, my password was 10kby2012evenifyoucry

    Meant a lot to me but is a hot mess to decrypt.

  12. I understand the Paypal advice, but I’ve always been slightly wary of it – basically because one of the first times I heard about Paypal was my brother being scammed by it. Suddenly loads of eBay fees turned up on his Paypal account and his money was gone – eBay said the charges were fake and it was nothing to do with them, Paypal refused to take responsibility or to talk to eBay, and the bank couldn’t do much about it either.

    We figured maybe it was a Paypal employee or something putting through fake charges? Anyway, it’s made me anxious about relying on them with my information, though in theory I know it should be more secure.

    I did realise recently though that my intuition was wrong about saving credit card information on sites. It feels more secure to type in your details every time, but in fact it’s better to save the info so you aren’t always typing it in. It’s possible for someone to be keeping track of your keystrokes, if you’re unlucky.

    • I have a hard time believing paypal is secure too. I have signed up for it 3 separate times, years apart, with a new email and a different card each time. I even used brand new, strong passwords. Each time my account was hacked within weeks and somebody else was able to make purchases with my card/account. Once you dispute something on paypal, you can’t shut down the account during the investigation. That led to my account being used fraudulently twice more during the investigation, while the account was frozen to me. It was a huge PITA and I haven’t used paypal since.

    • PayPal also has ultimate discretion to hold funds. So if you’re being paid through PayPal, such as if you sell something on eBay. So if you then use PayPal to pay your bills, suddenly your money is frozen and you’re getting late fees for all those monthly payments.

  13. I am an IT associate, I use LastPass and I highly recommend it. I use it with Google Authenticator as an additional layer of protection. These tips can keep you safe from a brute force attack, but more than that we have to worry about social engineering scams that will also result in information theft.

    I make videos for small businesses that may not have dedicated IT people. Here is one about social engineering:
    http://youtu.be/wRTIcQx4a_8

  14. I usually use slogans from a particular businesses tshirt, with certain letters being replaced by numbers. So the words aren’t whole words and the numbers aren’t my postcode. I definitely should get a pass type app tho… I have way too many passwords. I wonder which of all the security upgrades for things like credit card purchases has actually reduced fraud?

Comments are closed.