Articles/Computers/Security/How To Create Secure Passwords and Prevent Unauthorized Account Access

With our lives becoming more and more integrated with the Internet and our online accounts, it is becoming increasingly important to make sure that your online accounts are secure. Some of us have learned that the hard way. When some people first get started on the Internet, they choose a simple password, not realizing that it makes them vulnerable. Then as they get more online accounts, they tend to use the same password. I have seen some people with three letter passwords or passwords that are simple words, sometimes even "password" itself.

Maybe these people are lazy because they don't realize how much of an impact a compromised password can have on their lives. Picture this scenario. You are using a simple four character password, lets say it is the last 4 digits of your phone number, on all of your accounts. Your email, bank, credit card, insurance, etc. accounts all use this password. Now picture this, a malicious individual, possibly someone you know, guesses your password. Or you enter your password in a phishing email by accident or sign up for an account at an unsecure website.

Now someone has your password. That means they can access your email and all of your accounts. They could change the address for your credit cards and order things. They could lock you out of your email account by changing your password. If you use the same password for your work account or a web server or hosting account, they could even get into that.

That is a pretty frightening scenario, and many people endure it every year. However, there are ways to protect yourself. The first step to take in securing your online accounts is to know how to choose a secure password. You can make your password much much more secure by using lowercase, uppercase, and numbers in it and also making it as long as possible. Another good idea is to use multiple passwords so even if one type is compromised, it will only impact a limited portion of your online accounts.

When it comes to password cracking, it is pretty easy to brute force crack an MD5 hash of a password that is only a few characters long. However, as you add each character it greatly increases the cracking time. Choosing a long password helps protect against brute force cracking as well as someone guessing your password. It is a good idea to choose a password that is at least 12 characters long. Some online accounts will limit you to only 8 characters (who knows why), but you can still use the same password and shorten it to 8 characters to make things easier.

As far as the password itself, it is best to choose an unintelligible mix of numbers and letters that nobody could possibly guess. Some people recommend starting with a normal word and replacing some letters with numbers, such as replacing an 'e' with a '3'. I recommend just choosing random garbage. Make sure that you are using some upper case letters, lower case letters, and numbers so any crackers would have to use a much larger character set. Obviously if you have a random password it isn't as easy to remember, but you can keep it in your wallet or take the time to memorize it.

The importance of using more than just lowercase letters cannot be understated. Think of this, you have a three digit code to unlock a door. The possible combinations is pretty large, but someone could potentially sit there and try every combination and eventually get it. There are only 10 potential numbers that can be chosen for each of the three digits, so the number of potential combinations is fairly limited. Now lets say that you add all lower case letters and upper case letters as potential digits. Suddenly it becomes very unfeasible to find the code by brute force. Entering all of the possible combinations would take a long time. Then imagine adding just one more digit, or 9 more digits. The task of guessing the code becomes even more unfeasible. That is why using numbers, upper case letters, and lower case letters in your password and making it long is so important.

Now lets talk about using multiple passwords. I think the email password is the most important and should therefore be the most secure. Why is this? If someone has your email they can usually obtain the password to any account tied to that email by using the common "forget your password?" option on most websites. In many cases, if you click that link, it sends the password to your email address or allows you to reset the password. So if someone gets into your email address, you are in bad shape. Most email providers let you use very long passwords. I would go with 15 or more characters for uber-security. Also, making a unique password just for your email is a good idea because that means that even if someone gets access to your other accounts, they can't access the holy grail of accounts, your email. Having access to your email account is also important because it is often needed to regain access to a compromised account.

A good strategy of account management would be to have a unique password for every single account, but that is pretty complicated. A more reasonable strategy is to have a highly secure email password, a separate highly secure password for your main accounts (bank account, insurance account, credit card account, etc.), and another highly secure password for all other accounts, such as forums, that are often less secure. The idea here is limiting the potential damage of an account being compromised.

Now, let's talk about what happens if you are compromised. Let's assume worst case scenario, someone gets into your email account, changes the password so you can't get in, and suddenly has access to all of your accounts. This is a very bad situation and it will take time to fix it, but its by no means impossible. First off, you need to regain access to your email and lock this person out. If you have an alternative email and/or the person hasn't changed your account info, you can probably regain access to your first email by using the typical "forget your password?" feature. Otherwise, you will have to contact support for the email provider, tell them what happened, and provide them evidence that you are the owner, such as the account information prior to the break-in and details on some of the emails that you had in your inbox, contacts, etc. Large email providers like Microsoft and Google do a good job with this, but other email providers may have no support at all.

Best case scenario is, you get access to your email again and you are able to reset your password to secure it. Once this is accomplished, you can start resetting the passwords for all your other accounts, but there is one important thing to note. You should always make sure that every account has your current email address correct BEFORE changing the password. Assume this scenario, the person that broke into your email went to all of your accounts and changed the email address to one of their other email accounts. Now you go into these accounts and change the password. One of the accounts sends an email to the wrong email address notifying that the password has been changed. Sometimes this notification email actually contains the new password. Even if it doesn't, they could use the "forget your password?" feature to find out your current password or reset it. Always always always make sure that the email address is correct before changing the password.

Once you have resecured all of your accounts, you are probably OK. If you are still paranoid, you can change ALL of your passwords yet again just to make sure. If they had access to your financial accounts, make sure that no unauthorized activity appears on your statements. Some accounts will show the last time and IP address you logged in with and you can use this to monitor for unauthorized access. If you have a web server, you can check the event log or run the "last" command on Linux to see who last logged in.

The worst case scenario would be you unable to regain control of your email account. What do you do now? Set up an alternate email account with a new unique password, if you don't have one already. Now you need to contact all of the websites where your important accounts are housed, starting with your bank and credit card companies. Tell them what happened and they will change your password and update your email address. You may lose some accounts that lack support, but the important thing is minimizing the damage.

Hopefully this article has been useful in educating you on the dangers of having a weak password and good ways to make a secure password and manage your accounts. As our lives increasingly move into the Internet realm, our accounts become more and more important to our lives. Do yourself a favor and take steps to secure your online identity. It is far easier to prevent a compromise than to recover from one.