I’d like to ask you a question. It’s a little personal, but in this day and age of social networks and online exhibitionism, who really cares about privacy and personal space? Anyway, here goes: when was the last time you got your Facebook account broken into by a hacker? Never? Good, you’re either lucky or you know how to defend yourself against online attacks. However, far too often I find myself up against spam and vandalism being sent to me via Facebook, email, etc. from people who are ostensibly my friends and wouldn’t be sending me adverts for “V14gra” if they could help it. Really, considering that defending one’s online accounts from attack isn’t that complex, and how damaging these attacks can be,1 there’s really no excuse for not doing so. In that spirit I’m writing this as a practical guide to defending oneself from online attacks.
Defending one’s online accounts is, first and foremost, a matter of password management. You’ve probably seen this before, but the TL;DR version of this story is: use complex passwords and don’t use them for more than one account each. However, there is a lot more to it than that, and understanding why these things are important and how to practice them effectively is well worth the effort.
How Criminals Break into Online Accounts
It all begins with the attacker. There are a number of ways to break into a website: from SQL injection to cross-site scripting to plain old social engineering, there are many paths an attacker can take to compromise a website and steal private information. Most of these attacks are targeted against entire websites and rely on weaknesses in Facebook’s or Gmail’s own infrastructure to work. There’s very little you can directly do about them, but generally, sites owned by large reputable companies like Facebook and Google are largely secured on that front anyway. Generally. Largely. Instead, what most attackers do to compromise your online accounts is guess your password.
Now, I don’t mean that they sit there and type in password after password trying to get just the right one; that would be stupid. I mean that they write a program, called a “bot” that does that for them, at thousands of tries a minute. This is called a “brute force” attack. Now, let’s be clear… in a lot of ways, that’s not much better. The number of possible passwords that a user might choose from is literally infinite2 and it would be impossible for an attacker to go through all of them, even with a bot. However, with just a little bit of knowledge about people and the passwords they pick an attacker can build a “dictionary” and mount what is called a “dictionary attack.”
The thing is, the passwords that people choose are surprisingly predictable. With just a little bit of knowledge, one can easily narrow down the search space and build a “dictionary” of likely passwords. Some passwords are just very common: the word “password,” for example, is the second most commonly used password of all time, second only to “123456.” In fact, according to several leaked password databases,3 these are the 500 most common passwords of all time. Approximately one out of every nine people uses one of these passwords, so if an attacker wanted to compromise one ninth of all Facebook accounts, all he needs to do is make a dictionary of these 500 passwords. With a well-written bot, he can check all 500 of these passwords against each account within a second or two.
It doesn’t stop there, however. Not everyone uses one of these obvious passwords, but people still tend to follow predictable patterns in choosing their passwords. For example, many people like to use passwords that they’ll remember or that have special value to them, and so they’ll use as a password the names of their children, their wedding date, their astrological sign, or one of a million easily discoverable facts about themselves which a computer can figure out automatically just by Googling your name. People also like to make passwords by taking a starting word and dressing it up a bit by adding numbers at the end, capitalizing it funny, or writing it in l33tsp33k, and while these techniques may stop a very simple dictionary attack, most attacks are more sophisticated and know to check common misspellings and alterations of words, so the password “G0lf” is just as likely to be broken as the password “golf.” I.e., almost certainly.
Now, there is one more trick that attackers will use when breaking into people’s accounts, and that is using passwords from one account to break into another. People very commonly reuse passwords from website to website, and so attackers know that they can use user names and passwords that they found on one site to try to break into another. Oftentimes people will sign up for a new site on the Internet only to realize later (or not at all) that the site was a honeypot meant to gather email addresses and passwords so that the site owner could later use them to compromise thousands of email and Facebook accounts.
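To make the “dressing up doesn’t help” point concrete, here is a small defender-side password policy check, written as an added example for this post (it is not the author’s code). Before comparing a candidate against a list of common passwords and dictionary words, it undoes the cheap tricks described above: case changes, l33tsp33k substitutions, and numbers or symbols tacked onto the ends. The word lists are constructed samples; a real deployment would load the leaked-password lists the post refers to. Multi-word passphrases are accepted on word count alone, matching the advice later in the post.

```python
import re
from itertools import product

# Constructed sample lists for this example. A real checker would load the
# leaked-password lists the post refers to (tens of thousands of entries).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou", "golf", "monkey"}
DICTIONARY_WORDS = {"golf", "morning", "evening", "summer", "dragon", "monkey", "password"}

# Substitutions a mangling-aware dictionary attack knows to undo. "1" is
# ambiguous (i or l), so each entry lists every letter it could stand for.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
MAX_SUBSTITUTIONS = 8  # bound the number of variants for long inputs


def unleet_variants(candidate):
    """All spellings obtained by undoing any subset of the l33t substitutions.

    '3veN1nG' expands to a set that contains 'evening'; the lowercased
    original is always included as well.
    """
    options, budget = [], MAX_SUBSTITUTIONS
    for ch in candidate.lower():
        if ch in LEET and budget > 0:
            options.append(ch + LEET[ch])  # keep the symbol, or swap it for a letter
            budget -= 1
        else:
            options.append(ch)
    return {"".join(combo) for combo in product(*options)}


def strip_decoration(word):
    """Drop digits and symbols tacked onto either end: 'golf123!' -> 'golf'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", word)


def base_forms(candidate):
    """Every 'undressed' form of a password that a mangling-aware dictionary would try."""
    forms = set()
    for variant in unleet_variants(candidate):
        forms.add(variant)
        forms.add(strip_decoration(variant))
    forms.discard("")
    return forms


def check_password(candidate, min_length=8, min_words=4):
    """Policy check returning (accepted, reason).

    Passphrases with enough distinct words are accepted; anything else is
    rejected if it collapses to a common password or a dictionary word,
    or if it is too short.
    """
    words = candidate.split()
    if len(set(words)) >= min_words:
        return True, f"passphrase of {len(words)} words"
    for form in sorted(base_forms(candidate)):
        if form in COMMON_PASSWORDS:
            return False, f"matches common password '{form}' after undoing decoration"
        if form in DICTIONARY_WORDS:
            return False, f"matches dictionary word '{form}' after undoing decoration"
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "no cheap dictionary match found"


if __name__ == "__main__":
    for pw in ["G0lf", "Password123", "3veN1nG", "(f#$jsW1", "hit babies with lead pipes"]:
        print(f"{pw!r:32} -> {check_password(pw)}")
```

Run as a script it rejects “G0lf”, “Password123” and “3veN1nG” with the base word it found, and accepts the random string and the five-word passphrase. The point for a defender is that the normalization step is the same one an attacker’s bot performs, so a policy that only requires “a digit and a capital” buys almost nothing.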
How to Choose a Good Password
So I’ve just explained how an attacker can guess your password and covered a number of ways people tend to make weak, easily guessable passwords. But I haven’t really gone into yet what makes a good password. So, what makes a good password? Well, aside from avoiding common and easily guessable passwords, the thing to remember is this: you need to make your password as random as possible. Security professionals call this adding “bits of entropy” to the password. What this means is that the more complex your password is, the more logical jumps a password-guessing bot is going to have to go through in order to include it in its dictionary, and the less likely a bot is to guess your password. A single word from an English dictionary, such as “morning,” is much less random than a random string of characters like “S$f28d),” while a password like “3veN1nG” is somewhere in between.
The best advice for picking passwords today is not to use a password but to use what is called a “passphrase.” A passphrase differs from a password only in that it consists of more than one word, often a full sentence. The reasons for this are twofold. First, passphrases are much more random than passwords. With a simple random eight-character string, such as “(f#$jsW1,” there are roughly 6 quadrillion passwords a user with a US-American keyboard can choose from. However, given a standard dictionary of roughly 171,500 words, there are roughly 150 septillion (100 million times as many) possible 5-word passphrases, without using alternate spellings or tacking numbers onto the end.
The second reason for using a passphrase is just as important: they are much easier to remember than random strings. For example, I’ve listed two random eight-character passwords in this article already, but unless you have a photographic memory, you’ve already forgotten both of them. The five-word passphrase “hit babies with lead pipes” I guarantee you’ll have a much easier time remembering. This is important because it removes the temptation to use personal or easily guessable information in your password. So long as your passphrase isn’t about you, you’re much safer. Also, it removes the temptation to reuse passwords, which means that you are less likely to be victimized when someone tries to use your login for one website to break into your Facebook, or email, or online bank account.
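The “bits of entropy” and search-space figures in the two paragraphs above can be worked through directly. The following is an added example (not the author’s code) that computes the size of the random-password and passphrase spaces from the post’s own parameters (95 printable characters on a US keyboard, a 171,500-word dictionary), converts each to bits, and estimates expected cracking time at an assumed guess rate. It also includes the naive charset-based estimate that most “strength meters” use, to show why that estimate overrates a single dictionary word like “morning.” The 1,000 guesses per second default is an assumption for illustration, not a figure from the post.

```python
import math

PRINTABLE_ASCII = 95       # space through '~': what a US keyboard can type
DICTIONARY_SIZE = 171_500  # the standard-dictionary size used in the post
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_string_space(charset_size, length):
    """Distinct passwords of exactly `length` characters drawn from a charset."""
    return charset_size ** length


def passphrase_space(dictionary_size, words):
    """Distinct passphrases of `words` dictionary words (order matters, repeats allowed)."""
    return dictionary_size ** words


def entropy_bits(space):
    """Bits of entropy: the number of binary choices a guessing bot must get right."""
    return math.log2(space)


def expected_seconds(space, guesses_per_second):
    """Expected time to find one uniformly chosen secret: on average half the space is tried."""
    return space / 2 / guesses_per_second


def charset_size_for(candidate):
    """The charset a naive strength meter infers from the character classes present."""
    size = 0
    if any(c.islower() for c in candidate):
        size += 26
    if any(c.isupper() for c in candidate):
        size += 26
    if any(c.isdigit() for c in candidate):
        size += 10
    if any(not c.isalnum() for c in candidate):
        size += 33  # punctuation plus space
    return size


def naive_bits(candidate):
    """Charset-based estimate; treats 'morning' as 7 random lowercase letters."""
    return len(candidate) * math.log2(charset_size_for(candidate))


def dictionary_word_bits(dictionary_size=DICTIONARY_SIZE):
    """What a single dictionary word is actually worth against a dictionary attack."""
    return math.log2(dictionary_size)


def compare(charset_size=PRINTABLE_ASCII, length=8, dictionary_size=DICTIONARY_SIZE,
            words=5, guesses_per_second=1_000):
    """Side-by-side figures for the post's two examples (assumed guess rate)."""
    pw = random_string_space(charset_size, length)
    pp = passphrase_space(dictionary_size, words)
    return {
        "password_space": pw,
        "password_bits": entropy_bits(pw),
        "password_years": expected_seconds(pw, guesses_per_second) / SECONDS_PER_YEAR,
        "passphrase_space": pp,
        "passphrase_bits": entropy_bits(pp),
        "passphrase_years": expected_seconds(pp, guesses_per_second) / SECONDS_PER_YEAR,
        "ratio": pp / pw,  # how many times larger the passphrase space is
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:17} {value:,.1f}" if isinstance(value, float) else f"{key:17} {value:,}")
    for sample in ["morning", "S$f28d)"]:
        print(f"{sample!r:12} naive estimate {naive_bits(sample):.1f} bits")
    print(f"one dictionary word is really worth {dictionary_word_bits():.1f} bits")
```

The eight-character random string comes out at about 52.6 bits and the five-word passphrase at about 86.9 bits. The naive meter scores “morning” at about 32.9 bits because it sees seven lowercase letters, whereas against a dictionary attack one word out of 171,500 is worth only about 17.4 bits; that gap is exactly why the post ranks a dictionary word below a random string of the same length.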
Ultimately, that’s really all there is to keeping your online accounts safe. There are other things you can do, such as not sharing your account information with strangers (or even friends) and not using public computers to check your email, but follow my advice for picking passwords and you should be many times safer, so good night and good luck.
- They’re bad enough when you know about them, but identity theft can take years to be discovered and by then you’ll be out thousands of dollars. ↩
- …pretending that the website in question doesn’t place any restrictions on your password length, that is. Most do, unfortunately, for “technical reasons.” ↩
- That is, website databases containing user passwords that attackers have successfully compromised and published. There are actually a lot of these so we actually have a pretty good idea of which passwords are common and how common they are. ↩