I have had many friends who have had at least one of their accounts hijacked temporarily. Some friends have had one of their accounts hijacked multiple times (I’m looking at you, Ted). What follows is an outline of what an individual should do (at the minimum) to protect their accounts. To be clear, I’m not a security analyst, nor do I have anything to do with security in my professional life. What I am is a tech-savvy prosumer who cares about the security of my friends’ info, and my info (via their accounts).
From my perspective, my friend’s account breach shouldn’t have happened more than once, at most. Failure to properly secure a hijacked account and protect it from further intrusion is simply asking for another black eye. Furthermore, every hijacked account that contains details of your acquaintances puts their accounts at risk as well. This necessitates that some friends/acquaintances be removed from social connectedness (on the web – not in real life) in order to protect your own life’s details. As such, here are the bare minimum rules for having a moderately secure account:
- Never use the same password for more than one site/program/login
- Password length should be at or near the maximum allowed for the website/program being used.
- Password complexity should include at least uppercase and lowercase letters, numbers, and a mix of punctuation/symbols (to the extent that the website/program allows them).
- Sharing a password with others makes that system only as secure as the least careful person you share it with.
But having only four rules doesn’t make a strategy. Between having ultra-long and complicated passwords that you yourself can’t remember, and using the same short, monosyllabic password for everything, there needs to be a password strategy that balances security and convenience. But even a strategy is at risk of failure if the enemy (hackers) knows your strategy. This is why you must develop your own strategy and keep it private. So there is a fifth rule:
5. Develop a Password-Protection Strategy.
A strategy doesn’t have to be complicated, or hard to understand, or even completely secret (just private). Here are the elements to a password protection strategy:
- Password Generation – defines the process for creating your passwords, their length, and their complexity
- Password Storage – defines if/how you will store all the various passwords you generate including the medium (electronic versus hard-copy), encryption, accessibility (sync’d to the web or printed on paper and stored in your wallet), etc.
- Password Sharing Policy – defines under what conditions you will share a given password, to whom, and under what expectations, including an action plan for if/when shared access should be revoked
- Action Plan for Security Breaches – defines how you will stay informed of potential security breaches and what action you will take if one does occur.
That all may seem like a large homework assignment, but informally written it might look something like this:
1. I’ll use a phrase from one of my three favorite songs for my financial websites; a tag line or quote from a favorite movie for my social websites; and the name and breed of my first dog for shared passwords; plus the first 5 characters of the name of the music artist, the movie title or actor/actress, and the pet, respectively. I’ll also substitute certain letters with similar-looking symbols. I’ll add the year of the song, movie, or pet’s birth date, and lastly I’ll add the first letter of the company/product I’m logging in to. Example:
!llbebackARNOL91C (“I’ll be back”, Arnold Schwarzenegger, 1991, “C” for “citigroup”)
2. I will only store these in a fully encrypted password database on a single, password-protected computer where only I know the file location (and its existence).
3. I’ll only share passwords for websites/products/services where, if a breach occurs, the worst that happens is that I am locked out of the service, and it can be made right by a simple phone call during business hours. I will not share passwords that have the potential to do financial harm or risk identity theft.
4. In the event that one of my passwords is leaked, I will change any and all passwords related to the service that was breached, shut down any integrations it has with other services, notify potentially affected parties, identify whether I could have done something differently to prevent the breach, and closely monitor the problem after I believe that I have fixed the breach.
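As an added example (not from the post), item 1 of the informal strategy above written out in code, with checks against rules 1 to 3; the “near the maximum” margin and the sample site names are assumptions:

```python
import re
import string

# Letters the post's example swaps for look-alike symbols. The post only shows
# "I" -> "!"; any further entries would be an assumption, so only that one is here.
LOOKALIKES = {"i": "!"}


def build_password(phrase: str, source: str, year: int, company: str) -> str:
    """Assemble a password the way the post's informal strategy describes.

    phrase  - song line / movie quote / pet name (spaces and punctuation dropped)
    source  - artist, actor or pet: its first 5 characters, upper-cased
    year    - year of the song, movie or pet's birth: last two digits
    company - the site being logged in to: its first letter, upper-cased
    """
    core = re.sub(r"[^A-Za-z0-9]", "", phrase).lower()
    core = "".join(LOOKALIKES.get(ch, ch) for ch in core)
    tag = source[:5].upper()
    return f"{core}{tag}{year % 100:02d}{company[0].upper()}"


def check_rules(password: str, site_max_len: int, near: int = 4) -> dict:
    """Score one password against rules 2 and 3 (length and complexity).

    "Near the maximum" is taken to mean within `near` characters of it;
    that margin is an assumption, the post gives no number.
    """
    return {
        "length_near_max": site_max_len - near <= len(password) <= site_max_len,
        "has_upper": any(c in string.ascii_uppercase for c in password),
        "has_lower": any(c in string.ascii_lowercase for c in password),
        "has_digit": any(c in string.digits for c in password),
        "has_symbol": any(c in string.punctuation for c in password),
    }


def reused(passwords: dict) -> list:
    """Rule 1: return groups of sites that ended up with the same password."""
    by_pw = {}
    for site, pw in passwords.items():
        by_pw.setdefault(pw, []).append(site)
    return [sites for sites in by_pw.values() if len(sites) > 1]


if __name__ == "__main__":
    pw = build_password("I'll be back", "Arnold Schwarzenegger", 1991, "citigroup")
    print(pw, check_rules(pw, site_max_len=20))
    # Constructed site list: two of the names happen to share an initial.
    sites = {s: build_password("I'll be back", "Arnold Schwarzenegger", 1991, s)
             for s in ("citigroup", "chase", "wellsfargo")}
    print(reused(sites))
```

Running it reproduces the post’s example password; the `reused` check also shows that two sites whose names share a first letter get the identical password, which is where rule 1 has to be enforced by hand.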
Of course, this is not my own password strategy, and I haven’t written down any formal definition of my strategy. You must make your own strategy that fits your workflow and necessities, and make sure you don’t share your password strategy. Some people use much more secure strategies than my example, and by spending 30 minutes learning about different methods, you can save yourself hours and days of grief (and potentially your life savings).
30 minutes < inconvenience/embarrassment of a single hijacked account.