Avoid Identity Theft With Secure Passwords
Millions of people have their identity stolen online. At best, it can be a huge headache, requiring you to contact your financial institution (in the case of a stolen online banking password), or the owners of the online service you're using. At worst, you could lose permanent access to the services you use, and may not be able to recover all of your financial losses. Fortunately, there are a few easy methods you can use to help minimize that risk. The first is of course common sense, followed by encryption, and secure passwords.
Common Sense Security
The first rule of online security and privacy is common sense. Most cyber (and regular) criminals are creatures of opportunity, and will go after the easiest and most vulnerable targets. Car thieves tend to steal older cars because they have fewer anti-theft features, and are therefore easier to hotwire or steal parts from. Muggers are the same way. If you look like you can defend yourself in some way, you're much less likely to get robbed. The criminals will simply wait for an easier victim. The first cardinal rule of security is that nothing is completely safe. All you can do is make the bad guys think that there's someone else out there who's an easier target than you are.
Crime today is focused primarily on fraud, rather than theft and physical violence. If you have to pick your problems, fraud is a good one to have, relative to the others. That said, fraud has been on the rise for years, and is so much easier in today's connected world. According to the Federal Trade Commission, identity theft has increased from about 31,000 reported cases to over 270,000 cases per year. And those are just the ones that the desk-jockeys at the FTC bothered to record, let alone investigate. Clearly, the bureaucrats in Washington, DC can't help you, but you can easily help yourself. Be (slightly) paranoid. If the email looks fraudulent, it probably is. If that unknown shopping site you're on looks shady somehow or unexpectedly redirects you somewhere, it's probably fake. Computers these days are quite secure from a software standpoint, so criminals rely on humans to make dumb mistakes instead.
Use Password Encryption & Filters
Using common sense will help you avoid 99% of the dangers out there, but it won't always save you from the slightly more savvy cyber criminals who use sniffer software to intercept your data. If successful, they can either steal your personal information for use later, or they can create a "man in the middle" attack in which they trick your computer and/or the server you're trying to connect to into providing info that would not normally be provided to third parties. The best way to avoid this is to use encryption. Again, any encryption system can be broken, but as long as you're using it and the sucker next door isn't, your chances of falling victim to information theft are greatly reduced.
Step one is to protect your general browsing and email security. If you're like most people in the world, your email client and web browser are the two applications that connect to the 'net more than any other. Protecting email is usually easy. Enable encrypted connections in your email client's settings. Use TLS if you can, and SSL if you have to. This secures your connection from your PC or mobile device to the email server, which will deter localized attacks on networks you don't trust. Users who want "end-to-end" encryption should use something like Enigmail. To protect your browser, I recommend the Firefox plugins Adblock Plus, NoScript, and HTTPSEverywhere. This trifecta will not only protect you against the majority of sneaky exploits, but will also tend to speed up your browsing.
It's also a good idea to avoid identity theft by securing your wifi connection. An open wifi hotspot can cause a number of issues. First, mobile hotspot features on smartphones and mifis usually have a data limit after which you start spending more money, or have speeds reduced. If you're using lots of data yourself, that's great, but why allow free riders to jack up your bill with service you didn't even get to use yourself? More importantly, open wifi leaves you open to intercepted data, and can even lead to you being blamed for criminals doing things through your connection. Relatively few lawsuits have been filed to punish the owners of open wifis used in criminal activity, but why take that risk?
There are two ways to prevent unauthorized access to wifi. The first is to create a secure password. The more random the better. I prefer GRC's Password Generator because the passwords generated are high entropy and are the maximum length possible (64 characters) for WPA2 wifi encryption. For added security, or to restrict network access to certain devices, you can also enable MAC address filtering. Most wireless routers worth their salt support this.
How to Remember Your Password
For maximum security, you should have a different 8+ character alphanumeric password for each account you have. This is not always practicable for everyone, given how many accounts the average person has these days. Password keeper apps can be a good solution, as you only have to remember one "master password" which encrypts a list of all your other user names and passwords. This solution is easy, but has obvious drawbacks. What do you do if someone steals that password and gets access to all the others?
Clearly, higher security requires keeping your passwords separate. But how can you do this and still be able to remember them? There are a couple of different ways. First, you can go with a "variations on a theme" standard, in which you take a standard password, say 1234abcd, and add some unexpected "padding," such as "++**." As long as no one knows your standard passwords and padding preferences, your password will be very difficult to break by brute force guessing. See this page for more information.
You can also use the "password shortcut method." This technique lets you create a standardized "mnemonic" of sorts for your password combos, allowing you to have them written on a sticky note if you want. "How can you break the cardinal rule of basic password protection," you ask? Simple. Let's say your standard password is "1234". You want to make it more secure by adding "abcd." You also want to make it somewhat secure by having different versions of this password for different sites, so you come up with "1234abcd" and "abcd1234." You also want to have a way to remember them, but you don't want to have to write them down on paper, and you don't trust password keeper apps. Isn't it impossible to have security and ease of use? Aren't they mutually exclusive? No, and here's how:
Creating An Easy to Remember Password
You can create a mnemonic for these passwords by taking the first character from each password group and creating a string. You can then combine them, creating something like "1a" and "a1." As long as you always use the same password blocks, you can create whatever kind of password you want. You could even do "1aa1," or "a1a1," which would translate to a longer, more secure password of "1234abcdabcd1234" and "abcd1234abcd1234," respectively. If you want to be really crazy, you could add some unique characters to your standard password blocks for added security like this: "1aa1357." This would be "1234abcdabcd1234357." This will create a very difficult to crack password, but one that's still easy to write down somewhere, or use as a "secret question" answer.
The example above works great as long as you only have a few password blocks that are used consistently. If not, you may get confused later as to what the mnemonic is supposed to mean. This can become a problem if you've got passwords on different sites, some of which have different password requirements than others. A way around this is to put in a consistent "marker" character that you never use in any of your passwords.
Let's say you prefer the usual 1234/abcd combo, but some site makes you use at least one capital letter. An easy solution would be "A1234abcd," which you could write as "A.1a." As long as you always use a period (.) as your symbol for "the character shown in front is a literal," you're good to go. Just don't use it in any actual passwords, unless you feel like confusing yourself a year from now when you have to answer the password reset question.
That's it! Now you can have your secure passwords and remember them too! Below is a simple overview of what we did:
- Create some simple password blocks: "abcd" and "1234."
- Note the first character of each block. This requires each block starting w/ a unique character, of course.
- Create a password out of one or more block iterations. Ex: "1234abcd1234."
- Create a mnemonic to help you remember. In this case, our mnemonic would be "1a1."
Limitations: This strategy generally works well, and lets you create fairly secure passwords in an easy to remember way. It does have a couple of limitations, however. First, repeating patterns aren't as secure against brute-force attacks as "truly random" passwords, assuming the same password length and same character space (i.e., same number of capital/lower case letters, numbers, and symbols). Also, you can't have two password blocks starting with the same symbol. For example, you couldn't do "1234" and "1432" because there would be no way to tell if "11" translates into "12341432" or "14321234."
One could get around these issues to some extent by making the mnemonic pattern "first two characters of each password block" instead, but at that rate you would need to think about whether it would just be easier to memorize the whole password. If grandma and uncle Steve improve their passwords to something better than "steve123" or "mydogsname," this article has done something good for the world.
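As an added illustration that is not part of the original article, here is a small Python implementation of the block-mnemonic scheme described above: it expands a mnemonic into the full password, honours the period marker from the capital-letter example, refuses block sets that the limitations section calls ambiguous, and gives a rough guess-space comparison against a random password of the same length. The block set ("1234", "abcd") and the 36-character alphabet are assumptions taken from the article's own examples; the bit counts assume the worst case in which the guesser already knows your blocks.

```python
import math

# Constructed sample block set and marker, following the article's "1234"/"abcd" example.
BLOCKS = ("1234", "abcd")
MARKER = "."  # "the character shown in front is a literal"


def ambiguity_problems(blocks):
    """Return the reasons a block set cannot be decoded reliably (empty list = OK)."""
    problems = []
    firsts = [b[0] for b in blocks]
    for ch in sorted(set(firsts)):
        if firsts.count(ch) > 1:  # e.g. "1234" and "1432": "11" would be ambiguous
            problems.append(f"duplicate first character {ch!r}")
    for b in blocks:
        if MARKER in b:  # the marker must never appear inside a real password block
            problems.append(f"block {b!r} contains the marker {MARKER!r}")
    return problems


def expand(mnemonic, blocks=BLOCKS):
    """Turn a mnemonic such as '1aa1357' or 'A.1a' into the full password."""
    problems = ambiguity_problems(blocks)
    if problems:
        raise ValueError("; ".join(problems))
    by_first = {b[0]: b for b in blocks}
    out, i = [], 0
    while i < len(mnemonic):
        ch = mnemonic[i]
        if i + 1 < len(mnemonic) and mnemonic[i + 1] == MARKER:
            out.append(ch)  # literal character, e.g. the capital "A" in "A.1a"
            i += 2
        else:
            out.append(by_first.get(ch, ch))  # block shorthand, or a plain extra char like "357"
            i += 1
    return "".join(out)


def pattern_bits(mnemonic, blocks=BLOCKS):
    """Guess space in bits if the block set is known: each block position is one of len(blocks)."""
    firsts = {b[0] for b in blocks}
    n = sum(1 for i, ch in enumerate(mnemonic)
            if ch in firsts and mnemonic[i + 1:i + 2] != MARKER)
    return n * math.log2(len(blocks))


def random_bits(length, charset_size=36):
    """Bits of a uniformly random password of the same length (36 = lowercase + digits)."""
    return length * math.log2(charset_size)
```

For the 16-character "1aa1" password, pattern_bits reports 4 bits once the blocks are known, against roughly 83 bits for a random 16-character lowercase/digit string, which is the gap the limitations paragraph warns about.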
One benefit of this method could be its application for use in steganography. Instead of having a "password keeper" database with one encrypted master password that everyone recognizes as something to crack open, you could have your passwords and/or usernames as a stream or tapestry. I can think of several specific ways you could do this, but the simplest would be a table or spreadsheet with one or more columns of mnemonics, along w/ random "junk" such as a column listing fake cost centers in the accounting department for that company you may or may not actually work for. If you wanted to take it to the next level, you could integrate this data into a visualizer like Vash.