Recently I read a WordPress blog about hacked email woes. I think I should share my experiences with it and some techniques to prevent it. After the first time when you feel your privacy is violated, you usually would want to find the solutions that would solve it. Usually, we take the easy routes to get it done. Easy routes are cheap and less time consuming, however they’re probably quick solutions to probably a few small small problems in your security.
Lets start with account security, this is pretty much anything requiring a user name and password. Though not sure if everyone does this, but it seems those that assume the same username to all their accounts fairly much allows a bit of consistency with password insecurities. Especially if it’s those people who have your user name across multiple service, they can just easily search up the username and if they crack the one password for that; they’ll get them all. If you are those kind of people who keep usernames the same and keep shuffling the password, that’s a good plan. However do note it is recommended to keep a different password for each account; from my point of view in out interconnected world, this might be hard. Consider we all own probably 2 or more email address as well as miscellaneous services like online banking, online games, and various accounts requiring an account and password; this approach would require a minimum 20 password you have to remember by heart. Eidetic memory would be the only ability you would need for this, however most of us don’t really remember those passwords that well and usually try to brute force their way onto their account by cycling through passwords or just resetting the password which would defeat the purpose of having the password in the first place. To reduce the amount of passwords to use or even cycle through, I suggest prioritizing your accounts into categories.
First you are going to need to think about all the possible passwords you can create. Don’t pen them or type them out; use your mind and figure out which ones are going to work out. To find out which one’s are going to work out, you have to know what kind of restrictions you have on your password from the service you are going to use. Sometimes the service would want you to have numbers and letters while some would go the distance and ask for numbers and letters with one letter capitalized. Most of the time, numbers and letters will do fine and dandy. Now in your head, find things you know that people won’t know. These could be important dates, lucky numbers, names of pets, and certain random facts you know of yourself that others don’t know or would not be able to guess. From this stack of keywords and numbers, we have the most secure passwords; lets call these Alpha Phrases for now.
Now think of things people might know in person only; sports teams, political and religious affiliations, inside jokes, names of those people and so on. The bulk here will be our Beta Phrases.
Optionally, think of common words and numbers you could use in a pinch. These could reference to games, movies, books, dirty jokes, et cetera. This will be our Pool. These should be easily recalled at anytime but would make the least secure passwords like “asdf”, “root”, “admin”, “1234”, and “password”. These phrases suck when combining with themselves but would make a minimal password when combined with a Alpha or Beta Phrase.
Priority Tier System
This is how I normally put my things together online to keep it from getting compromised. This system varies depending on people’s influence and usage.
A priority based system would require is pre-planning in terms of how you will classify your accounts. Basis of this blog, I’ll demonstrate with a 3 tier linear system. Linear because each priority does not interact with the one succeeding or preceding itself. However if you are part of a business or a person who has grey zones, read the non-linear area of this section.
The highest priority should be assigned to accounts that will contain real life consequences in the event that your account is breached. Under this priority I would recommend using a combination of two or more Alpha Phrases to ensure security. This should make it impossible for someone to break into the account and would protect your assets like a bank account or a business email. Each account here should have it’s own unique password.
One down is moderate, passwords should be quick accessible but hard to guess. So the bulk of these passwords would be Beta Phrases, you can sneak in a bit of the Pool in there if you want it. In my opinion, this contains personal and social media. This is the area where you wouldn’t mind an accidental breach or doesn’t have a physical loss, don’t cry over spilt milk and all that. You can be a bit more lenient in using a password twice, try and not overdo it since people might find out.
Low priority are the accounts that will get lost so the passwords won’t make a difference since it’s kind of just something you made to check out the service. This is things like IRC and forum accounts unless you are a forum moderator or an administrative figure. Which case, these are things may be consider moderate or high depending on popularity of the service you are working with. As a normal user, likely you will only need to mix a couple Pool phrases together. The accounts listed here are the low of the low so you can literally have one password for all the accounts.
Now in life, nothing fits into boxes the right way so for those that aren’t too sure what is what I’ll help you how with exceptions and rules to help you through in sorting accounts and assigning passwords. If your account links to other accounts, that linking account must be secured higher than the other accounts. So lets say you have an personal email to forward email, that forwarding email address’ password MUST NOT be used again since it’s directing information to other emails. Same goes for gaming accounts where you’ve collected ultra-rare gear in and social media if you are a social butterfly. So they’re like semi-high priority but not really when you don’t want to use it anymore.
The only thing you would have to worry about in this system is any passwords that are shared since if one gets compromised, then it’s likely the other would get hit pretty hard. Also if you don’t have a diverse pass phrase pool since someone could can just guess it. Any case, change you password after you think one of them is compromised and try and avoid using the same password.
Another approach is to construct a cipher, a method to conceal your written work. Depending on what you use as a cipher it can be super easy or super hard. You can use a grid of 260 squares arranged in a 26 x 10 grid and fill each grid with a random character from A to Z and 0 to 9. Based on a phrase or a number, this grid should hash out a sequence that should consist of numbers and letters. You can use it like a map. First you establish a set of rules. easiest one off the top of my head is a mnemonic like “I love those adorable puppies.” So “I” has one letter, so look in the square in I1. “Love”, four starting with “L”; L4. And so one until you have a sequence from the phrase. Usually online services require a minimum of 8 characters so your phrase should be at minimum 8 words long.
Simpler cipher is to get yourself a letter, like a rejection letter from a college or university. Pick a number, then just go through the letter puling out a word or number that happens to fall upon every n times, where n is your count number. You can substitute it with letters so you can take single characters in words. It might take longer than pulling words but as long as you remember the count and keep the correspondence, you can always refer back to it. It’s antiquated but as long as it’s difficult, password’s safe.
Take it to the cleaners
Not too sure what it’s called but it just wipes temporary data off your computer. I personally use CCleaner by Piriform, it deletes all the temporary history from all my browsers and for a bit of flavour I have it clean out my Start menu and certain programs that need to be deleted. Even without programs, you can delete it too but it would be quite hard to know what’s junk. The point to it is to get rid of anything weird that’s inside a file that’s either sending or receiving information that you don’t want sent, such as what you’re typing in as a password. This is only a temporary measure but it’s a start of a two prong attack to rid your computer. Having some anti-virus protection helps a lot if it program has an active scan feature to let it check incoming data for malicious material like a worm or something. When I get nervous, I usually use CCleaner then run a full scan followed by another run with CCleaner to make sure it’s all cleaned up. Probably the first one isn’t necessary but it never hurts to try.
Nuke it like North Korea (too soon?)
If you have exhausted all methods into removing malware off your computer, there is a last resort but sometimes comes at a heavy price. Reformatting a hard drive would be a hard thing to do considering the size and collection of stuff you’ve accumulated. Best you can do is save as much as you can before you wipe the hard drive clean and start over. Usually all operating systems now have some feature to allow you to wipe the hard drive. I have two methods of wiping my computer if I had to, CCleaner has a feature to allow a full hard drive wipe and I have my two operating system boot discs. Be careful when you do this and change your BIOS to allow boot up from a CD or USB, whichever medium you keep your boot disc on. This should be a the last course of action, but it’s necessary if you want a virus free computer.
At Day’s End…
After all this stuff, online systems are vulnerable to attack. Certain companies are good at keeping up with security holes, some not so good. I know for a fact my Hotmail account was compromised server side since before they fixed it, my Junk folder would always contain 100 messages every day about random products and services I don’t want to know about. Sometimes no matter how hard you make those accounts hard to break into, sometimes it’s just something out of your control and you have to accept the fact that the service you trust can be so incompetent. In which case, it’s time to find a new service to replace it.
Stay safe and stay secured, everyone. See you next time!