Since the dawn of civilization, likely before the advent of recorded history, people began using systems of knotted ropes to secure their possessions. Six thousand years ago the first locks and keys were invented by the Ancient Egyptians, made entirely out of wood. Three thousand years ago the Greeks began using metal to secure their locks with large cumbersome keys. Two thousand years ago the Romans developed the technology further, finally making keys small enough to fit in pockets and purses. Three hundred years ago the industrial revolution allowed the creation of what we now consider to be modern lock and key designs.
While physical security practices have been developed over the entirety of human history, digital security is a brand new challenge (and one that multi-million dollar companies continue to fail at implementing). Every day it seems that there is a new security threat, hack, or breach. It’s too much to take in all at once. However, progress is being made and the more people that know about and understand digital security practices the more secure we all become. We all protect our physical property with locks, safes, and keys, so why should our digital property be any different? After all, a password can effectively be thought of as a digital key. These are a few steps that you can take today to help keep your digital life as secure as possible by making sure your passwords remain secret and safe.
1. Never Reuse Passwords
Most of us carry around keychains with multiple keys. Different keys for the house, car, office, shed, safe, bike, etc. There is a good reason all these things use different keys, and it’s easy to imagine the damage that could be caused if we used the same key for everything, then lost it. The same exact principle holds true for passwords.
If a thief is able to get their hands on one of your passwords, the first thing they will do is try to log into a bunch of different services using that password. Somebody getting access to your Netflix account isn’t the end of the world, but if you use that same password to protect your email or bank accounts then there will be problems. However, as long as you use different passwords these breaches can be contained.
The best possible way to make sure all your passwords are unique is to use a password manager, the digital equivalent of a secure keychain. Most password managers include the ability to automatically generate random, secure, passwords for you – and some can even update your passwords on your behalf. I personally recommend something like LastPass or 1Password. These are fully managed services that allow you to securely access, create, and modify your passwords from anywhere (LastPass, for instance, can’t see your passwords even if they wanted to). If you need even more security and have the technical know-how, self-hosted open source password managers like KeePass are also available. They can take some getting used to, but the security these services provide is well worth it.
2. Use Passphrases
Even if you use a password manager to keep track of most of your passwords, you will still need a password to actually use the password manager. Having to type in a long, randomly generated password every time you log into your computer can also be a pain. In the cases where you actually need to remember your password, you should use a “passphrase.”
As is the case will all things technology, XKCD has already talked about this. In short, the difficulty of guessing or decoding a password gets exponentially more difficult the longer the password is. Every additional character used more than doubles the security of the password. The best way to make sure your password is as secure as possible is to make it as long as possible. Instead of trying to come up with a single word with strange spellings and random characters mixed in, using a complete sentence is both easier to remember and much more secure.
3. Never Give Away Passwords
Firstly, you should never give somebody one of your passwords over email, text, or in a phone call. These methods of communication are (for now) inherently insecure. Even if you are sending the information to somebody you trust, it’s likely that somebody is listening in on the conversation
While it is technically possible that one of the services you use gets hacked and your password is compromised, that scenario becomes less likely every day. It’s far more likely that you are targeted by a “phishing” (pronounced “fishing”) attack. These kinds of attacks take the form of emails, texts, or calls from people asking for or demanding some secure information. Most of these attacks will demand credit card information. A common one in the US is getting a call from the “IRS” demanding immediate payment for overdue taxes (the IRS does not do this). However, some clever attacks, usually through email, will try to get your passwords.
Usually, this is done by trying to trick you into clicking on a link that looks like it goes to an official login page for some service, but is actually a front used to extract passwords from unexpecting victims. There are a lot of different ways that this can be done, and it can be surprisingly difficult to identify these kinds of attacks (Google released a short game that exemplifies this more than I ever could). Until better security measures become standard, you should assume that every email you receive is a phishing attempt.
The internet as we know it is less than 30 years old and was originally built to facilitate communication between computer systems at research and government facilities. Security wasn’t an issue then, because all the computers and the physical connections between them were accounted for and easily accessible. Once the World Wide Web started to take off the need for secure communication became clear, and new technologies were developed to maintain security. Even then security was, unfortunately, not given the attention that it deserved.
That is changing. A new generation of web developers is entering the field that grew up with the internet and all the security breaches that came with it. New proposals are being made all the time that will help keep us all safe on the internet, and more professionals are taking corporate data security seriously. That being said, no matter what happens you will always be responsible for keeping your passwords safe, just like the keys on your keychain.
History of Locks and Keys:http://www.historyofkeys.com
History of the Internet:https://en.wikipedia.org/wiki/History_of_the_World_Wide_Web
Disclaimer: I am not a trained digital security professional and the contents of this article are subject to change as our understanding of this field evolves.