How to prevent your Facebook profile from being "hacked"

I’d like to ask you a question. It’s a little personal, but in this day and age of social networks and online exhibitionism who really cares about privacy and personal space? Anyway, here goes: when was the last time you got your Facebook account broken into by a hacker? Never? Good, you’re either lucky or you know how to defend yourself against online attacks. However, far too often I find myself up against spam and vandalism being sent to me via Facebook, email, etc. from people who are ostensibly my friends and wouldn’t be sending me adverts for “V14gra” if they could help it. Really, considering that defending one’s online accounts from attack isn’t that complex, and how damaging these attacks can be,[1] there’s really no excuse for not doing so. In that spirit I’m writing this as a practical guide to defending oneself from online attacks.

Defending one’s online accounts is, first and foremost, a matter of password management. You’ve probably seen this before, but the TL;DR version of this story is: use complex passwords and don’t use them for more than one account each. However, there is a lot more to it than that, and understanding why these things are important and how to practice them effectively is well worth the effort.

How Criminals Break into Online Accounts

It all begins with the attacker. There are a number of ways to break into a website. From SQL injection to cross-site scripting to plain old social engineering, there are many paths an attacker can take to compromise a website and steal private information. Most of these attacks are targeted against entire websites and rely on weaknesses in Facebook’s or Gmail’s own infrastructure to work. There’s very little you can directly do about them, but generally, sites owned by large reputable companies like Facebook and Google are largely secured on that front anyway. Generally. Largely. Instead, what most attackers do to compromise your online accounts is guess your password.

Now, I don’t mean that they sit there and type in password after password trying to get just the right one; that would be stupid. I mean that they write a program, called a “bot,” that does that for them, at thousands of tries a minute. This is called a “brute force” attack. Now, let’s be clear… in a lot of ways, that’s not much better. The number of possible passwords that a user might choose from is literally infinite[2] and it would be impossible for an attacker to go through all of them, even with a bot. However, with just a little bit of knowledge about people and the passwords they pick, an attacker can build a “dictionary” and mount what is called a “dictionary attack.”

The thing is, the passwords that people choose are surprisingly predictable. With just a little bit of knowledge, one can easily narrow down the search space and build a “dictionary” of likely passwords. Some passwords are simply very common: for example, the word “password” is the second most commonly used password of all time, second only to “123456.” In fact, according to several leaked password databases,[3] these are the 500 most common passwords of all time. Approximately one out of every nine people uses one of these passwords, so if an attacker wanted to compromise one ninth of all Facebook accounts, all he needs to do is make a dictionary of these 500 passwords. With a well-written bot, he can check all of these 500 passwords on each account within a second or two.

It doesn’t stop there, however. Not everyone uses one of these obvious passwords, but people still tend to follow predictable patterns in choosing their passwords. For example, many people like to use passwords that they’ll remember or that have special value to them, and so they’ll use as a password the names of their children, their wedding date, their astrological sign, or one of a million easily discoverable facts about themselves which a computer can figure out automatically just by Googling your name. People also like to make passwords by taking a starting word and dressing it up a bit by adding numbers at the end, capitalizing it funny, or writing it in l33tsp33k, and while these techniques may stop a very simple dictionary attack, most attacks are more sophisticated and know to check common misspellings and alterations of words, so the password “G0lf” is just as likely to be broken as the password “golf.” I.e., almost certainly.
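As an added illustration (not code from the original post), here is the kind of check a site or password manager can run on a proposed password before accepting it: it undoes the dressing-up tricks just described (funny capitalization, trailing digits, l33tsp33k) and rejects the password if the word underneath is on a common-password list. The COMMON_PASSWORDS set is a constructed stand-in for the leaked lists the post refers to.

```python
import itertools
import re

# Constructed stand-in for the leaked "most common passwords" list the post
# refers to; a real deployment would load the full list from a file.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "golf",
    "monkey", "dragon", "baseball", "football", "iloveyou",
}

# Reverse l33tsp33k map. A digit or symbol may stand for more than one
# letter ("1" is used for both "i" and "l"), so each entry lists every option.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
        "7": "t", "$": "s", "@": "a", "!": "i"}


def base_words(candidate):
    """Return every plain form the candidate could be a dressed-up version of.

    Undoes the three tricks the post describes: funny capitalization,
    trailing digits/punctuation, and l33tsp33k substitutions.
    """
    lowered = candidate.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)  # "golf2012!" -> "golf"
    words = set()
    for form in (lowered, stripped):
        if not form:
            continue
        words.add(form)  # keep the raw form too, so "123456" itself is caught
        # Expand every leet character into each letter it might stand for.
        choices = [LEET.get(ch, ch) for ch in form]
        words.update("".join(p) for p in itertools.product(*choices))
    return words


def is_weak(candidate, blocklist=COMMON_PASSWORDS):
    """True if the candidate, or any base word it derives from, is on the blocklist."""
    return any(word in blocklist for word in base_words(candidate))


if __name__ == "__main__":
    for pw in ("G0lf", "Password1", "dr4g0n!!", "correct horse battery staple"):
        print(f"{pw!r}: {'weak' if is_weak(pw) else 'ok'}")
```

Run against a real leaked-password list, this is the same normalization a guessing bot applies in reverse, which is exactly why “G0lf” buys nothing over “golf.”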

Now, there is one more trick that attackers will use when breaking into people’s accounts, and that is using passwords from one account to break into another. People very commonly reuse passwords from website to website, and so attackers know that they can use user names and passwords that they found on one site to try to break into another. Oftentimes people will sign up for a new site on the Internet only to realize later (or not at all) that the site was a honeypot meant to gather email addresses and passwords so that the site owner could later use them to compromise thousands of email and Facebook accounts.

How to Choose a Good Password

So I’ve just explained how an attacker can guess your password and covered a number of ways people tend to make weak, easily guessable passwords. But I haven’t really gone into yet what makes a good password. So, what makes a good password? Well, aside from avoiding common and easily guessable passwords, the thing to remember is this: you need to make your password as random as possible. Security professionals call this adding “bits of entropy” to the password. What this means is that the more complex your password is, the more logical jumps a password-guessing bot is going to have to go through in order to include it in its dictionary, and the less likely a bot is to guess your password. A single word from an English dictionary, such as “morning,” is much less random than a random string of characters like “S$f28d)”, while a password like “3veN1nG” is somewhere in between.

The best advice for picking passwords today is not to use a password but to use what is called a “passphrase.” A passphrase differs from a password only in that it consists of more than one word, often a full sentence. The reasons for this are twofold. First, passphrases are much more random than passwords. With a simple random eight-character string, such as “(f#$jsW1”, there are roughly 6 quadrillion passwords an American using a US keyboard can choose from. However, given a standard dictionary of roughly 171,500 words, there are roughly 150 septillion (100 million times as many) possible 5-word passphrases, without using alternate spellings or tacking numbers onto the end.
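To make the numbers above concrete, here is an added example (not from the original post) that computes the search space and bits of entropy for each kind of password the post compares, from a single dictionary word through a mangled word like “3veN1nG” to an eight-character random string and a five-word passphrase. The 95-character US keyboard alphabet, the three-forms-per-letter model for mangled words, and the guess rate are assumptions.

```python
import math

# Assumptions: 95 printable ASCII characters on a US keyboard, and the
# 171,500-word dictionary the post quotes.
US_KEYBOARD_CHARS = 95
DICTIONARY_WORDS = 171_500


def random_string_space(length, alphabet_size=US_KEYBOARD_CHARS):
    """Number of distinct random strings of the given length."""
    return alphabet_size ** length


def passphrase_space(word_count, dictionary_size=DICTIONARY_WORDS):
    """Number of distinct passphrases built from word_count dictionary words."""
    return dictionary_size ** word_count


def mangled_word_space(word_length, dictionary_size=DICTIONARY_WORDS, forms_per_char=3):
    """Search space for a dictionary word dressed up like "3veN1nG".

    Assumption: each letter appears in one of a few forms (lower case, upper
    case, or a l33t substitute), so a bot that tries every dictionary word
    has only forms_per_char ** word_length variants to add per word.
    """
    return dictionary_size * forms_per_char ** word_length


def entropy_bits(search_space):
    """Bits of entropy: log2 of the number of equally likely choices."""
    return math.log2(search_space)


def expected_crack_seconds(search_space, guesses_per_second):
    """Average time to hit the right guess: half the space is searched on average."""
    return search_space / 2 / guesses_per_second


if __name__ == "__main__":
    rate = 3000 / 60  # assumed bot speed: "thousands of tries a minute"
    cases = {
        "one dictionary word (morning)": DICTIONARY_WORDS,
        "mangled word (3veN1nG)": mangled_word_space(7),
        "8 random characters ((f#$jsW1)": random_string_space(8),
        "5 dictionary words": passphrase_space(5),
    }
    for label, space in cases.items():
        years = expected_crack_seconds(space, rate) / (365 * 24 * 3600)
        print(f"{label:32s} {entropy_bits(space):6.1f} bits  ~{years:.3g} years")
```

The bit counts are what matter: every extra bit doubles the bot’s work, and the passphrase’s roughly 87 bits dwarf the random string’s roughly 53 even before the human cost of remembering either is considered.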

The second reason for using a passphrase is just as important: they are much easier to remember than random strings. For example, I’ve already listed two random eight-character passwords in this article, but unless you have a photographic memory, you’ve already forgotten both of them. The five-word passphrase “hit babies with lead pipes,” I guarantee, you’ll have a much easier time remembering. This is important because it removes the temptation to use personal or easily guessable information in your password. So long as your passphrase isn’t about you, you’re much safer. Also, it removes the temptation to reuse passwords, which means that you are less likely to be victimized when someone tries to use your login for one website to break into your Facebook, or email, or online bank account.

Ultimately, that’s really all there is to keeping your online accounts safe. There are other things you can do, such as not sharing your account information with strangers (or even friends) and not using public computers to check your email, but follow my advice for picking passwords and you should be many times safer, so good night and good luck.

  1. They’re bad enough when you know about them, but identity theft can take years to be discovered, and by then you’ll be out thousands of dollars.
  2. …pretending that the website in question doesn’t place any restrictions on your password length, that is. Most do, unfortunately… for “technical reasons.”
  3. That is, website databases containing user passwords that attackers have successfully compromised and published. There are a lot of these, so we actually have a pretty good idea of which passwords are common and how common they are.

Last update: 23/1/2012
