Overwhelming – yes. But necessary.
Talking about passwords might be akin to talking about insurance. Boring drudgery, but it must be done. Non-working passwords are our number one time waster in the shop. This is what you need to know – short and sweet, almost.
Things to know:
- Write down all your email addresses, passwords, secret questions and answers, account numbers, changes, etc., in a notebook or in a document on your computer that you print with each change. You will never remember even the most obvious information.
- Store any printed password documents someplace safe, such as a safe that won’t burn or drown.
- Remember, the case style of the characters matters. Upper and lower case letters are completely different and not interchangeable.
- Use different passwords for all online accounts.
- 11 random characters is the most secure, but impossible to remember. If you need to remember the password, it’s okay to scale back the complexity, but keep it long and throw in a special character in the middle. For passwords you must remember, say when you are on the road, something that still makes sense to you is required.
- When answering secret questions, never tell the truth. In fact, the most secure way to answer is gibberish. If you do it that way, you must remember to write the gibberish down. Answering “Make of your first car?” with “Ford” instead of “Chevrolet” is the same thing to hackers; both are common answers. Choosing random characters such as “dsjfd” or something nonsensical like “Buffalo” is the most secure. Because the answers are nonsensical, they must be written down; you will not remember them.
- Always have a way of recovering a password, especially on important accounts like your email or bank. This is typically done using a cell phone number, a second email address, or a land line if permitted. Document those secondary recovery options and never lose access to those devices or accounts. If you change your secondary phone or email, update every account that uses it before you lose access to the old one.
- Use different passwords for different accounts. When logging in, you will probably have to refer back to your documentation every time. That’s just the way it is. If one account is compromised, the damage is limited to that one account instead of your entire online presence.
- Keep your old passwords documented. Don’t erase them. It can come into play when proving you are the legitimate owner of the account you are trying to access.
- Make sure you mark down the date the account was created. This information can also be used to recover the account.
What to keep track of
- Login accounts in the form of email addresses, nicknames, or names.
- First and last names used on the account.
- Passwords, of course.
- Old passwords. Yes, there is a reason to document old passwords.
- Secret questions and answers.
- Alternate phone numbers.
- Alternate email addresses.
- Date the account was created.
- Key or registration numbers.
- Product and account expiration dates.
- Banking or credit card information.
- Tech support numbers and addresses.
- Any changes made to your account information and when they were made.
- Never delete or erase old information you used in the past. Add to your password book or document, do not take away or erase.
What does a saved entry look like
This is an example of what might be documented. It might be written down or kept in a password protected file on your computer. Print the document with each change and store the printout in a safe. If you password protect the file, use Word 2013 or later. Earlier versions of Excel or Word are not secure, to one degree or another. Of course, some entries may be just the account name and password and not as detailed as the example below. Your mileage will vary.
Name: US Bank
Web Address: www.usbank.com
Secondary Email: firstname.lastname@example.org or it could be the same as your login email.
Cell: (345) 456-7894
Security Question: Favorite Food? dkerktdk
Security Question: Favorite Sport? eiwkdsjd
Security Question: Mother's Maiden? ekslghjir
Hacking into an account
Hacking directly into someone's account is exceedingly rare. Movies and newscasts give the impression that someone can break into any account in two minutes. Completely false, unless you were tricked into giving them your login information. And even then, depending on the service that has been compromised, they may still not get in.
Hacking can occur in any number of ways:
- If an account is accessed directly without authorization, it’s most likely because the account owner freely gave the bad guys the password. A fake email may have been received pretending to be from a trusted source asking for login information. Never enter your password because a random email or website told you to. Always go to the actual website and enter it there and only there.
- You get a phone call out of the blue saying “X” detected a problem with your computer and needs to log in, and you let them. It’s a scammer.
- You get a sudden message on your screen saying all hell has broken loose in your computer and you must call a certain number immediately or you will die. No. It’s just a fake website made to look scary. Normally a computer reboot will clear it up. When asked if you want to restore your previous web pages, you do not.
- You search for a tech support number for your printer, or whatever, on Google and call the first number that shows up. It’s a fake number and they will pretend to be whomever you want them to be. You are talking to scammers, not the company you intended to talk to.
- Someone breaking into your email provider's database. This means they tricked someone at your Internet provider or a vendor you use into giving them access to their database of accounts. Made worse if the database did not encrypt your passwords. Not your fault, but the damage can be minimized if you used different passwords for all your accounts.
- In rare instances, there will be a known or unknown security flaw in the programming used by your vendor. The bad guys use it to gain access to the password database. Not much you can do about that but rest assured it’s rare. The damage can be minimized if you used different passwords for all your accounts.
- Bad guys can gather publicly available information to try and reset your password. Some websites use secret questions to prove you are the rightful owner of your account. If you answer truthfully (mother's maiden name, favorite sports team, etc.), anyone can answer those questions and get into your account. Example: “Who is your favorite sports team?” If you’re from Wisconsin, it’s the “Packers”. Everyone knows this, even the bad guys. Solution: answer secret questions with lies or gibberish. Make sure you write down all answers clearly with proper case. You will not remember the most basic of answers. What is your wife’s maiden name? We had a guy who could not answer that question the same way he entered it the first time.
- When you access an account, oftentimes it will offer a checkbox so the computer remembers the password and you don’t have to enter it each time. Very convenient, but a giant security hole. It’s one of the things we use to try and get into an account with a forgotten password. If your computer is stolen, such as a laptop, that’s the first place a hacker would look.
- Someone could gain access to your accounts the old school way – break into your house and steal your password list or grab your computer and look for documents with account information neatly listed. To avoid this create password protected documents so even if they gain access to the physical computer, they still can’t open the password document. In order to make the document secure, create it in Microsoft Word or Excel using version 2013 or newer.
- If you create a computer file with your password list, print and hide it.
Tips for creating a password
- Write it down! Write it down! Write it down! You will not remember! You will not remember! You will not remember!
- Use a nice, dedicated notebook or password protected computer document to keep track of your login information. We have had people use old fashioned index cards effectively. The downside is that it can be easily stolen or lost in a fire or flood.
- Passwords typically have to be 8 characters with a minimum of upper and lower case letters and a number. Some, like Norton, require a special character such as “$” or “@” thrown in.
- Before creating or changing the password, write it down neatly and in the proper case (upper or lower) BEFORE you enter it. This is because what you type when creating an account and what you think you typed are in no way related. You will write down the wrong password. Write it down first, then type it based on what you wrote down. This avoids us having to break out the Ouija board trying to determine the password for your newly created account.
- Always create or enable a secondary way of logging into an account, if the company you are using offers it. This means that you should give them your cell number, home phone, a second email address, or one that a trusted individual might use. Anything to prove you are the rightful owner when you can’t log in. You must have a valid way to reset that password when it’s lost or forgotten.
- Things such as “password managers” exist to make it so you don’t have to remember anything. They can come in handy and also fail miserably. Write down all passwords no matter what.
- Always fully document answers to secret questions, recovery emails and phone numbers, account numbers, etc. Everything associated with the account you are creating. Leave nothing out.
- When writing it down, do not use cursive. Print the password slowly with large font. We like to use all uppercase characters and underline what should actually be uppercase. Countless times people will write down passwords in proper English when, in fact, the first character is NOT capitalized. It matters greatly. “Close” is the same as completely wrong.
- Use Two Factor authentication. Even if the bad guys get a hold of your password, with Two Factor authentication turned on they are still not getting in. See below for 2FA details. Only well organized and disciplined users should enable Two Factor Authentication.
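The advice on random characters, gibberish secret answers and the "8 characters with upper, lower, a number and a special character" rule can be turned into a small generator. The following is an added example written for this page, not code the shop uses or recommends; the 12-character special set, the exact policy check and the "50 common car makes" figure are assumptions used only to illustrate why a truthful answer is worth so little.

```python
import math
import secrets
import string

# Character classes for the rule the post describes: upper, lower, a digit and
# a special character such as "$" or "@". The exact special set is an assumption.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*-_=+"
ALL = UPPER + LOWER + DIGITS + SPECIAL  # 74 symbols


def meets_policy(pw: str, min_len: int = 8) -> bool:
    """True if pw is at least min_len characters and uses all four classes."""
    return (len(pw) >= min_len
            and any(c in UPPER for c in pw)
            and any(c in LOWER for c in pw)
            and any(c in DIGITS for c in pw)
            and any(c in SPECIAL for c in pw))


def random_password(length: int = 11) -> str:
    """Uniformly random characters from ALL, drawn with the OS CSPRNG (the
    secrets module, never random), redrawn until the site policy is satisfied.
    Rejecting policy failures trims the entropy only very slightly."""
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        pw = "".join(secrets.choice(ALL) for _ in range(length))
        if meets_policy(pw):
            return pw


def gibberish_answer(length: int = 8) -> str:
    """A nonsense secret-question answer like the post's 'dkerktdk': lowercase
    only, so it is easy to print by hand and retype without case mistakes."""
    return "".join(secrets.choice(LOWER) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly random string: log2 of how many exist."""
    return length * math.log2(alphabet_size)


def guess_space_bits(candidates: int) -> float:
    """Guessing work when the answer is one of `candidates` common choices."""
    return math.log2(candidates)


if __name__ == "__main__":
    print("password:", random_password(11),
          f"~{entropy_bits(11, len(ALL)):.1f} bits")
    print("answer:  ", gibberish_answer(8),
          f"~{entropy_bits(8, len(LOWER)):.1f} bits")
    # Constructed illustration: a truthful "make of first car" picked from,
    # say, 50 common makes is worth only a few bits however it is spelled.
    print("truthful car make:", f"~{guess_space_bits(50):.1f} bits")
```

Run it once per account and copy the output into the notebook exactly as printed; the numbers it reports make the post's point concrete: eight random lowercase letters (about 38 bits) beat any truthful answer drawn from a short list of common choices (under 6 bits for 50 choices) by a wide margin, and eleven random characters from the full set come to roughly 68 bits.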
Two Factor Authentication
Two factor authentication means that along with the password you must enter when logging in, you are also required to answer a second inquiry, just in case someone got a hold of your password. Most commonly this second inquiry is a text message sent to your phone, an app that asks you for confirmation, or a message to a second email address, presumably proving you are the legitimate owner of the account you are trying to log into. The idea is that only the legitimate owner of the account would have access to their phone, app, or second email address.
Both Outlook.com and Gmail have this feature available, but it’s off by default. When 2FA is activated, you set up a phone number or second email account as the destination for the confirmation message. We use this on all of our accounts but most people do not. It’s an excellent security measure but frankly, only well organized and disciplined users should enable Two Factor Authentication. If you lose access to that second confirmation device or account and did not document one-time passwords, you may be locked out for life.