Basics lesson 2, articles to read and try out

Why do you need a separate, secure password for each online account?

Whether it is online banking, WLAN, a laptop, e-mail, shopping or social media accounts – all our access to the digital world is secured with passwords. Our online security therefore depends on the security of these passwords.

Insecure passwords and using the same password for multiple accounts are still a big problem.

And even if our passwords are carefully chosen and secure, it often happens that companies do not adequately protect our access data (login name, password, etc.) from attacks.

So first a few simple rules:

(1) Every account you have gets its own secure password. This is very, very important. If, for example, Facebook is attacked and a hacker steals your login, he cannot use it to break into another of your accounts. Be aware that most “hacks” only become known once they are no longer of commercial use to the hacker.

(2) Secure passwords are:

  • made up of letters, numbers and special characters,
  • randomly generated,
  • longer than 10 characters,
  • not guessable.

Since such passwords are very difficult to remember and there is a risk of locking yourself out when using them, use a trustworthy password manager. These are available for mobile phones and PCs and, above all, in the browser as a so-called extension, so you no longer have to type the passwords you need for web applications.

(3) For important accounts, use a separate login name (often an e-mail address) that you do not use anywhere else. Important accounts are, for example, your e-mail, your Apple ID or your Google account.

(4) Never sign up using Google, Facebook or Apple ID – always use your own login name/e-mail address when signing up for a new service.

Why? Not because of the big three themselves (you remain registered with them anyway), but because if, for example, your Facebook account is hacked, your other accounts are not affected. And if Facebook has an outage again, you can still log in to your other services.

Are passphrases the new passwords?

Since long, random passwords are very unwieldy even with a password manager, security programs allow you to create so-called passphrases (strings of words and characters).

Passphrases should contain at least 4, preferably 5, randomly combined words with a total length of 25 to 64 characters. Your master password for the password manager and for the hard disk encryption of your computer should consist of 6 words.

You can create these passphrases with a trusted password manager, or you can roll them yourself with dice using Diceware™.

Diceware™ is a passphrase-picking method that uses ordinary dice to randomly select words from a special list, the Diceware Word List. Each word in the list is preceded by a five-digit number whose digits are all between one and six, so five dice rolls pick exactly one word from the list.
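The dice-to-word lookup described above, as an added example in Python (not code from the article or from the Diceware project). It assumes a small constructed excerpt of a Diceware-style list instead of the real 7776-word list, and also computes the entropy that the 5- and 6-word recommendations give you:

```python
import math
import secrets

# Constructed excerpt of a Diceware-style list for the demo: the real Diceware
# Word List has 7776 entries, one for every key from 11111 to 66666. Words
# and keys here are placeholders, not taken from the real list.
SAMPLE_WORDLIST = {
    "11111": "abacus", "11112": "abbey", "23456": "drift", "34521": "kiosk",
    "45612": "meadow", "56123": "quartz", "61234": "silver", "66666": "zygote",
}
FULL_LIST_SIZE = 6 ** 5  # 7776 words in a complete list


def roll_die() -> int:
    """One fair die roll from the OS CSPRNG (secrets, never random)."""
    return secrets.randbelow(6) + 1


def rolls_to_key(rolls) -> str:
    """Turn five rolls into the five-digit key that indexes the word list."""
    if len(rolls) != 5 or any(r not in (1, 2, 3, 4, 5, 6) for r in rolls):
        raise ValueError("a Diceware key needs exactly five rolls of 1..6")
    return "".join(str(r) for r in rolls)


def words_from_rolls(groups, wordlist=SAMPLE_WORDLIST):
    """Map each group of five rolls (e.g. rolled by hand) to its word."""
    return [wordlist[rolls_to_key(g)] for g in groups]


def generate_passphrase(word_count, wordlist=SAMPLE_WORDLIST, sep=" ") -> str:
    """Roll dice for each word. With the full list every key hits; with the
    sample excerpt, keys that are not in the list are simply re-rolled."""
    chosen = []
    while len(chosen) < word_count:
        key = rolls_to_key([roll_die() for _ in range(5)])
        if key in wordlist:
            chosen.append(wordlist[key])
    return sep.join(chosen)


def entropy_bits(word_count, list_size=FULL_LIST_SIZE) -> float:
    """Entropy of word_count words drawn uniformly from the list: about 12.9
    bits per word for 7776 words, so 5 words ~64.6 bits, 6 words ~77.5 bits."""
    return word_count * math.log2(list_size)


def length_ok(phrase: str) -> bool:
    """The article's rule of thumb: 25 to 64 characters in total."""
    return 25 <= len(phrase) <= 64
```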

Should I store everything in a password manager?

Very important passwords and passphrases, namely those for:

  • the password manager,
  • computer disk encryption,
  • logins for computer and mobile,

I create manually (e.g. with Diceware™) as long passphrases. I try to memorize these passphrases and keep them only on paper in a safe place.

Have I been hacked? What does that actually mean?

As a rule, nobody attacks you personally at first. Most “hacks” or attacks are carried out on companies, mostly well-known providers where many users have accounts. Attackers then often gain access to all accounts, including information such as:

  • name, date of birth, place of residence
  • e-mail address, cell phone number
  • whereabouts
  • stored credit card details

The information you have stored with the provider can then be used to harm you personally: for example by debiting small amounts from your credit card, by sending malicious e-mails or text messages, or by gaining control of your smartphone or computer.

Typically, this hacked data is first sold quietly “among hackers”. It is only published once a) it has become commercially useless or b) ethically acting persons publish these “hacks”. This forces the affected companies:

  • to inform their users so that they can change their login details
  • to (hopefully) improve their cyber security

Activist Troy Hunt, a senior Microsoft employee, privately runs a “collection” of the leaked “hacks” and offers a free service on his page Have I Been Pwned that allows anyone to check whether their e-mail address, cell phone number or password has appeared in a “hack”.

If you find out from a service provider (or via Have I Been Pwned) that your identity has been stolen, you must act and change the login name and password combination immediately.

Pro Tip – Multi-Factor Authentication (MFA)

In recent years, many service providers have been pushing additional authentication features on top of the simple user/password combination. This increases protection against identity theft, since you receive a one-time password on a second channel (e.g. mobile phone, e-mail) that must also be entered for a successful login.

A very valuable thing in itself, but in reality it often has a catch. Many providers focus on SMS as the second channel and want your cell phone number. You shouldn’t give it out! There should always be the option, for example, to name a second e-mail address or to use a so-called token generator. This can be a small keychain device that generates one-time passwords, or an app or website with the same function.

Finally, some “hacks” in 2021:

Sources, tips and links for further reading

Electronic Frontier Foundation (EFF), Creating Strong Passwords, 05/05/2020

ProtonMail, Let’s settle the password vs. passphrase debate once and for all, 05/05/2021

Arnold G. Reinhold, The Diceware Passphrase HomePage, 05/05/2020

Troy Hunt, I am running Have I Been Pwned, 05/05/2021

Security Insider, Token for Multi Factor Authentication (MFA), 05/05/2021