How to protect your online identities and your sanity

A few weeks ago I received a call from a client who had concerns one of their online identities had been “hacked”. They had entered their email address into an online search tool which keeps track of systems that have been compromised - and their email address, together with that of several work colleagues, also showed as having been compromised.

Their concern was understandable and I was glad they’d checked with me.

Considering there had not been any unusual activity with these online identities I suggested they were probably not fully exposed but they should be changing their various passwords as a matter of good security practice. This raised the ever-too-often groan when I suggest having different passwords for every identity, as it’s perceived as too difficult to think of unique and complex passwords let alone keep track of them.

But it doesn’t need to be difficult, painful or require you to undertake mental gymnastics – it can be quite simple to have many unique identities and stay secure.

But let’s start by stepping back a moment and evaluating the situation – when someone is asked to create a new online identity (which means they need to sign up to an online service requiring an email address and password) more often than not the same password is used as they have for other online platforms, since it’s easier for them to remember one password for many sites than different passwords for any number of sites.

In addition, when confronted with the daunting task of thinking up a new complex password, human nature is typically to

1. Panic
2. Stop breathing
3. Break into a sweat
4. Try to think of a new complex password
5. Look around the room for inspiration
6. Get a headache
7. Defer to using the last password they used as it’s easier
8. Enter this password for their new online identity and make a mental note to change it later on
9. Never change this password as it’s all too hard
10. Return to pre-panic state until the next password creation request comes up

Can you identify with this process?

The bad old days of using letter/number substitutions should be well and truly behind us – this is where you replace a letter with a number that looks similar so it’s easy to remember. Common examples being:

• A = 6
• B = 8
• E = 3
• G = 9
• O = 0
• 1 = !
• S = 5

So your passwords may look something like:

• Password = P6ssw0rd
• Honey_and_Jam = H0n3y_6nd_J6m
• LetMeIn = L3tMe1n

If you’re using a password like this YOU NEED TO CHANGE IT NOW!!! (sorry for shouting but this is important). It’s only a matter of time before you are compromised and then you no longer own that online identity.

The other obvious passwords are names of pets, people close to you, anniversary/birthday dates, your favourite sports team, your car model or licence plate number and anything else that’s personal to you. It won’t take a reasonably intelligent hacker too long before they will guess your password – and referring to the human nature process above once they have one identity they’re sure to have others.

One tip I offer to people when it comes to creating new complex passwords is to forget about the word “password” and think “pass-phrase” – here’s some quick examples to illustrate (“Complex” means they include 3 of the following 4 attributes – lowercase, uppercase, number, punctuation/special character):

Whilst the complex passwords above are certainly complex, they are difficult to remember and difficult to type quickly & accurately. The pass-phrases are also complex but are simple to remember, quite easy to type and will keep even the most ardent shoulder surfer confused (more on this shortly). Your typing speed does certainly matter but you can improve that with practice (just search for “online typing tutor” and get onto it!).

The simple reasons pass-phrases are better than complex passwords are:

• They are naturally complex, so near impossible to crack using dictionary/brute force attacks.
• They are simple to remember but certainly not easy to guess
• They will confuse anyone who happens to be shoulder surfing – which is when someone is watching you enter your password as you type it in (which is not really socially acceptable these days). I have personally made a habit of looking away whenever someone enters a code or password anywhere, even if I happen to know what it is already

But not all systems will accept a pass-phrase – some systems have limitations on the length of your code, don’t like you using spaces, or will only accept certain punctuation marks. It can all get a bit confusing and complex to manage!

All hail the great password manager!

Enter the password manager app which can make things so much simpler for you, whilst retaining complexity (see what I did there?).

A password manager is a program you typically install on your smart phone and/or computer, and can be used to securely store your credentials as well as generate new and unique complex passwords for these sites. They mark the end of having the same (easy/boring/crackable) password for each of your online identities and, provided you use it properly, will keep your identity much safer.

There’s a number of different applications available, and I’m not going to try to list them all, but here’s a few to check out:

• Dashlane - www.dashlane.com
• Roboform - www.roboform.com
• Lastpass - www.lastpass.com
• Enpass -www.enpass.io
• Keypass - www.keypass.com

Just perform a search for “password manager” and you’ll be presented with all sorts of options.

I personally use Enpass on my phone and computer, storing the data file in a cloud storage folder which is available across multiple devices and therefore allows synchronisation across these devices. The data file is also encrypted so if it happened to fall into the wrong hands the data is still secure.

When I start Enpass on my computer I am presented with a screen asking for the master password. It’s a simple and uncluttered interface without any “fluff” getting in the way:

Once in the app I can easily add a new entry by clicking the + button to show the following:

You give the entry a name, put in your username, email address and the URL for the site. The indicated icon allows me to easily generate a new complex password for this entry, and you can make the new password pronounceable or (literally) gibberish – as follows:

The length of the password can be adjusted using the Length slider – there’s more options but I’m sure you get the idea.

Once you’ve created your secure credentials for a particular site you’re all set with a unique password that is never likely to be guessed by any hacking system. And since your credentials for this site are unique to just that site, having a particular platform compromised means you only need to change that one password rather than scramble across multiple online identities.

When I need to log into a site I simply open the app, copy the password (which is hidden from visible view) to the clipboard and paste it into the login box – it’s quick, easy and secure. It works the same on my phone, which uses my fingerprint to authenticate me into the app, and then provides all the same functionality as the PC version in terms of creating new entries, changing passwords and copy/paste of the password. The peace of mind this gives me is certainly worth the few extra steps I need to take – not completely sure I’ve retained my sanity but that’s a whole other story!

Here’s a quick review of the phone experience:

I can also store other sensitive information in my app, which means I don’t need to commit all of this information to memory. Naturally I don’t share the location of the data file nor the master password with anyone.

Some of the other password manager apps include a plug-in for your web browser so they can automatically insert the password for you – I tend to avoid these capabilities as I prefer to have a bit more control over how the password is entered and where it’s stored, but that’s just me.

Whilst I could continue on for several more pages I’m hoping you get the message that it is possible to have a more secure online presence without having to resort to using the same password for multiple sites or leaving your list of passwords stuck to the bottom of your keyboard. At the very least you should start to use a pass-phrase for your network/PC login, and educate others around you to do the same. But even better is to use a password manager app to protect your online identities.

Need help? Just ask – that’s what I’m here for.

Do you currently use a password manager? If so – what’s your favourite and why?