Over the past couple of months I’ve heard of a few incidents where people have had a digital account hacked. These experiences are not just annoying for the individual, but can be extremely distressing and time consuming to recover from. They can result in a loss of finances, hijacking of an account, blackmail, or data being leaked to the black market. Unfortunately none of us are immune to such threats. But there are things we can do to reduce our risk.
It is for this reason that I have decided to depart from my usual topic of conversation for Running Rare, and to instead dedicate some time to providing strategies that individuals can implement to increase their protection online.
The perspective I have of cyber security is shaped by my experience of being involved in web development for close to a decade. During this time the digital landscape has rapidly changed, and the volume and sophistication of attacks on individuals and businesses has grown exponentially. The purpose of my writing is not to elicit unmerited concern, but rather to do my best to increase awareness and understanding so you can make informed decisions regarding your own risk profile. Over the next three or so newsletters I am going to focus on three actionable strategies everyone can implement to improve their own online security. We’ll start our journey off with password security.
Understanding the Digital World
Understanding the digital world can be abstract and foreign. So over the past few days I’ve been thinking of a physical model we can use to understand password security a little better. We’re going to put ourselves in the shoes of a burglar and see what type of things make for an easy hit.
How to be a successful burglar
I want you to imagine yourself in an open space surrounded by nothing but gravel and dirt. It is completely desolate. You’re a busy burglar and such a place is of little interest to you.
Just as you’re about to leave your ears prick up. You hear some construction noises. Someone in the distance is levelling the dirt and beginning to prepare the area for creating a paved road. You sit and watch for a bit. After some time you notice the person banging a post into the ground. You squint your eyes and make out that it’s a street sign - ‘Poor Security Alley’. You’re surveying the area to create a map of potential hits and this will be useful information. So you pull out your notebook and write the name of the street and its location down for later.
A few months pass and you return to the street. Things have really changed. The dirt has been transformed into an oasis. The owner is really investing in this street and now there are all kinds of buildings! As you look around you notice a portrait gallery, a jazz bar, a gym, a movie theatre and even a few banks. Everything you could ever want is on this street. You write down the names of the buildings in your notebook, and begin to sketch out the view of the developing landscape.
You walk up the steps of one of the buildings and stretch out your hand and attempt to turn the doorknob… but the door is locked. Not to worry, the lock looks cheap and simple. You pull out your pick, and to your delight, after a few attempts you hear a click, and the door opens.
You enter the building and look around. It is fully furnished. In the drawers are journals of the owner. Names, addresses and important dates. You take a few pictures and artefacts that will help you to create an idea of who lives here. Once you have everything you want, you silently exit the building without a trace.
With a smirk on your face you head back out onto the street. A few blocks down is a popular building that you’ve seen on many streets before. You wonder whether your pick will work on their doors too. So you head up the stairs. But the lock on this door is more intricate and expensive. After a few failed attempts you decide to return to the street to avoid arousing suspicion with the building manager.
That’s when you remember that you know someone who’d managed to climb through an open window on a different building on this same street. You wonder whether they might have any information that may prove useful. So you reach out to them, and for a fee, they provide you with the key they’d obtained. You return to the building and try your newly acquired key. Even though it is a key obtained from a different building on this street, to your delight, you hear a click sound… you’re in. In this building you don’t find journals, but rooms and rooms filled with photographs. You start taking copies of the photographs before heading back outside without leaving a trace.
Now you’re really gaining an idea of who lives on this street.
With the success you’ve already had, you decide to make your way down the street testing the key you’ve obtained. Building after building, door after door you hear ‘click’ ‘click’ ‘click’, silently thanking the owner for using the same lock on each of their buildings. You gather more and more items and by day’s end you’ve amassed more items than you know what to do with! All without leaving a trace.
Let’s break this story down. In our analogy our email address is represented by the street. Many of us have had the same email address for years, and we’ve used it to register with hundreds or thousands of websites and apps. In our story these websites and apps are represented by the buildings, which all share the same street (our email address).
This made it easier for our burglar because once he knew the street address, he just needed to start testing keys - our passwords. The owner of this street made it particularly easy for the burglar for two reasons. Firstly, the first lock he used was cheap and simple. This is reflective of passwords that are easy to remember or easy to guess. Secondly, the owner used the same lock across multiple buildings. Even though this lock was more secure, once the burglar obtained the key, all of the other buildings that used the same lock became freely accessible. Unfortunately, this is exactly what happens in a data breach: every website where you reuse the leaked password becomes vulnerable.
The frightening thing about the digital sphere is that unlike a physical burglary, you may never know if your data or your account has been compromised. However, a good place to start is to check if your email has been exposed in a data breach using the Have I Been Pwned service. Link: haveibeenpwned.com
Password Security
For convenience we may have used the same password, or a password pattern, across multiple services to make it easier to sign in. But as highlighted in the first story of this series, this made it really easy for us to break into someone’s building once we knew their street name and had a copy, or even just an idea of the shape, of their key. One of the biggest improvements we can make to our digital protection is creating complex, high-quality passwords for each of the websites we use.
What are the attributes of a high quality password?
Your password does not appear in the dictionary and it is not a derivative of a word with a few characters substituted
It does not contain any personally identifiable information such as names or personally significant dates
It is at least 20 characters long where possible
It uses a random string of mixed case letters, numbers and symbols
You have not used it before
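The five attributes above can be turned into a mechanical check. The following Python is an added example written for this post, not code from the original article or from any password manager: it scores a candidate password against each attribute and generates a password that passes them all. The dictionary, the list of previously used passwords and the personal details are small constructed samples (a real checker would load a full wordlist or breached-password list); the leetspeak substitution table is an assumption about the kind of rules guessing tools undo.

```python
import hashlib
import re
import secrets
import string

# Constructed stand-in for a real dictionary / breached-password list.
DICTIONARY = {"password", "welcome", "dragon", "sunshine", "letmein", "canberra", "running"}

# Common character substitutions; undoing them exposes "P@ssw0rd" as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed history of old passwords, stored only as hashes.
PREVIOUS = {hashlib.sha256(p.encode()).hexdigest() for p in ("Summer2019!", "P@ssw0rd!")}

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def normalise(pw: str) -> str:
    """Lower-case and reverse the usual substitutions before comparing."""
    return pw.lower().translate(LEET)


def is_dictionary_derivative(pw: str) -> bool:
    # Attribute 1: a dictionary word, even with substitutions or a few characters bolted on.
    core = re.sub(r"[^a-z]", "", normalise(pw))
    return any(w in core and len(core) - len(w) <= 3 for w in DICTIONARY)


def contains_personal_info(pw: str, personal) -> bool:
    # Attribute 2: names, birth years and similar details supplied by the user.
    n = normalise(pw)
    return any(normalise(item) in n for item in personal if len(item) >= 3)


def has_mixed_classes(pw: str) -> bool:
    # Attribute 4: lower case, upper case, digits and symbols all present.
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw))


def used_before(pw: str) -> bool:
    # Attribute 5: compare against the hashed history, never the plaintext.
    return hashlib.sha256(pw.encode()).hexdigest() in PREVIOUS


def evaluate(pw: str, personal=()) -> list:
    """Return the list of failed attributes; an empty list means the password passes."""
    problems = []
    if is_dictionary_derivative(pw):
        problems.append("dictionary")
    if contains_personal_info(pw, personal):
        problems.append("personal-info")
    if len(pw) < 20:                      # Attribute 3
        problems.append("length")
    if not has_mixed_classes(pw):
        problems.append("classes")
    if used_before(pw):
        problems.append("reused")
    return problems


def generate(length: int = 24) -> str:
    """Random password from the OS CSPRNG, retried until it satisfies every attribute."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not evaluate(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "Tim1985Canberra!!", generate()):
        print(candidate, "->", evaluate(candidate, ["Tim", "1985", "Canberra"]) or "ok")
```

The generator uses the `secrets` module rather than `random`, because a password's strength comes from being unpredictable to anyone but the OS's cryptographic random source; this is the same principle a password manager relies on when it fills in a new login.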
I appreciate that this is easier said than done. Who has the time, mental capacity and energy to manage this?
Digital security will never have a perfect solution. It is an evolving landscape. So the goal is to minimise your risk. It is for this exact reason that I strongly recommend investing in a password manager like 1Password. It makes maintaining strong, unique passwords manageable, significantly reducing your vulnerability.
At this point, you might be like ‘Hold on a sec, Tim. Why would I put all of my keys in one safe? Isn’t that just as bad? Couldn’t a hacker just target 1Password?’ Yes, they could. But 1Password’s encryption infrastructure means the data on their server is useless. Vault names, field names, usernames, passwords, website data, text fields and more are all encrypted. So hackers have no idea what they’re trying to decrypt, or whether it is of any value. The only way to decrypt this data is by obtaining both your password (which only you should know) and a 128-bit computer-generated private key (that only you have). Trying to crack the combined encryption scheme provided by this dual-key approach – even using every computer on Earth today – would take, conservatively, several times the known age of the universe. That is a pretty time-consuming and expensive exercise for a stab in the dark. For more information, I would recommend you start by reading the article below: https://blog.1password.com/how-1password-protects-your-data.
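To make the dual-key idea concrete, here is an added Python illustration written for this post. It is not 1Password’s code or its actual scheme: it only shows the principle that the vault key is derived from both the memorised password and a random 128-bit secret that never leaves your devices, so a copy of the encrypted data plus a correct password guess still decrypts nothing without the secret. The stream cipher built from SHA-256 is a deliberately simple stand-in so the example runs with the standard library alone; a real product would use an authenticated cipher such as AES-GCM. The salt, secret key and vault record are constructed sample values.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumption: a modest PBKDF2 work factor for the demo


def derive_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Vault key = f(password, secret key). Guessing the password alone is not enough."""
    # Slow hash of the memorised password: each guess costs the attacker ITERATIONS rounds.
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Mix in the 128-bit device-held secret; without it no password guess yields this value.
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication, both derived from the vault key.
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256 (stand-in for a real cipher).
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(vault_key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(subkey(vault_key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(vault_key: bytes, blob: bytes):
    """Return the plaintext, or None if the key (password or secret key) is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # authentication fails: nothing is revealed, not even garbage plaintext
    return bytes(a ^ b for a, b in zip(ct, keystream(subkey(vault_key, b"enc"), nonce, len(ct))))


def demo():
    """Round trip with the right inputs, then a decrypt attempt with the password but a wrong secret key."""
    salt = secrets.token_bytes(16)
    secret_key = secrets.token_bytes(16)         # 128-bit, generated on the device, never sent to the server
    password = "correct horse battery staple"    # constructed sample password
    record = b"bank login: user=alice"           # constructed sample vault record

    vault_key = derive_key(password, secret_key, salt)
    blob = encrypt(vault_key, record)            # this is all the server ever holds

    with_both = decrypt(vault_key, blob)
    # An attacker who has the blob, the salt and even the correct password but not the secret key:
    without_secret = decrypt(derive_key(password, secrets.token_bytes(16), salt), blob)
    return with_both, without_secret


if __name__ == "__main__":
    ok, stolen = demo()
    print("with password + secret key:", ok)
    print("with password only (wrong secret key):", stolen)
```

The point of the example is the last line of `demo`: the attacker’s copy of the server data is only attackable by guessing the password and the 128-bit secret together, which multiplies the search space by 2^128 and is why the blog post’s “age of the universe” figure is the right order of magnitude for an offline attack.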
Furthermore, I would rather my passwords be managed by a dedicated security organisation than rely on the security protocols and infrastructure of the websites I’m registered with. This is not just my perspective, but I’ve also received the same recommendation of using 1Password from professional advisors who have experience managing the protection of some of Australia’s largest fin-tech organisations and international banks.
When it comes to digital security it can be overwhelming to know where to start. But a good place to start is with a password manager like 1Password. In coming newsletters we’re going to explore both two factor authentication and email security through masking and aliases. If this series proves useful to you please let me know in the comments below, and I’ll be happy to research and share further digital security strategies that we can all implement.
Please consider passing this article onto your networks.
I am so thankful to be a part of the Writing 4 Resilience team. We’re a community of writers, runners and humans who are striving to build resilience in our local community with the goal of making Canberra suicide free by 2033.
I've been using 1Password for years and can't recommend it enough! The built-in password manager for Mac/iOS is also getting better but doesn't have great cross-platform support, yet.