Passwords: Your first line of defence – #EROTICSIndia
by Richa Kaul Padte
This blog post is sixth in a series of ten blog posts to report on the EROTICS India workshop, recently concluded in Delhi.
A password is your first line of defence – for your computer, email, and information. So firstly, make sure your computer is password protected (under the ‘admin’ account option), so your prying brother doesn’t get his hands on that flyer for the new weekly queer event. Or those letters from your lover. And if you really want to keep your information safe, you don’t just need a password, but you need a really good one.
Think about your current passwords. Did you use the name of your first pet (that your friends, neighbours and parents’ colleagues used to come and play with)? Does your web browser store your passwords? Does anyone else know your password (including your really amazing boyfriend because you’ll be together forever and there’s ‘nothing to hide’ anyway)? If you answered yes to any of these questions, your password is not able to defend you very well!
To protect your information and yourself, make sure you develop a strong password, and never, ever tell anyone what it is. If a colleague needs something from your account, for example, you can set up a system whereby they can go into your email for a set period of time, for which they don’t need your password. Your really, really strong password will:
- Be long;
- Have upper and lower case letters;
- Have symbols and numbers;
- Not be made up of identifiable dictionary words;
- Not be easily linked to you;
- Be different for each of your accounts;
- Be changed regularly.
Why, you ask?
If someone wants to get into your account or your computer, they’ll most likely use a password-cracker programme, which will run through all the possible options of what the password can be. The more you mix it up, replacing letters with numbers or adding symbols, the longer it will take for the programme to break in. And if it’s really strong, it may take them a few lifetimes to figure it out!
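As an added example (not part of the original post), here is a small Python script that checks a candidate password against the seven rules above, generates a password that satisfies them using the operating system’s secure random source, and estimates how many guesses a cracker programme that runs through every combination would need. The 12-character minimum, the tiny word list and the guess rate of ten billion per second are assumptions chosen for illustration, not figures from the post.

```python
import secrets
import string

# Constructed stand-in for a real dictionary (assumption; a real check uses a large word list).
COMMON_WORDS = {"password", "welcome", "right", "here", "waiting", "love",
                "letmein", "qwerty", "fluffy"}
MIN_LENGTH = 12                        # the post only says "long"; 12 is our assumed threshold
SYMBOLS = string.punctuation           # 32 printable ASCII symbols
ATTACKER_GUESSES_PER_SECOND = 1e10     # assumed cracker speed, for illustration only


def check_password(pw, personal_hints=()):
    """Return the names of the rules from the post that `pw` breaks (empty list = passes).

    personal_hints: strings that could be linked to you (pet's name, birthday, ...).
    """
    failures = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        failures.append("length")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("mixed case")
    if not (any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
        failures.append("symbols and numbers")
    if any(word in lowered for word in COMMON_WORDS):
        failures.append("dictionary word")
    if any(hint and hint.lower() in lowered for hint in personal_hints):
        failures.append("linked to you")
    return failures


def generate_password(length=20):
    """Build a random password from letters, digits and symbols with a CSPRNG,
    retrying until it passes every rule (a random string can still contain a word by chance)."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


def keyspace_size(pw):
    """Number of combinations a cracker must try to be certain of finding `pw`
    when it knows the length and which character classes are used (the 'mix it up' effect)."""
    alphabet_size = 0
    if any(c.islower() for c in pw):
        alphabet_size += 26
    if any(c.isupper() for c in pw):
        alphabet_size += 26
    if any(c.isdigit() for c in pw):
        alphabet_size += 10
    if any(c in SYMBOLS for c in pw):
        alphabet_size += len(SYMBOLS)
    return alphabet_size ** len(pw)


def years_to_exhaust(pw, guesses_per_second=ATTACKER_GUESSES_PER_SECOND):
    """Years needed to try every combination at the assumed guess rate."""
    seconds = keyspace_size(pw) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ("fluffy", "Rightherewaitingforyou", generate_password()):
        verdict = check_password(candidate) or "passes"
        print(candidate, verdict, f"{years_to_exhaust(candidate):.3g} years to exhaust")
```

The exhaustion estimate only describes a cracker that tries every combination. A password built from dictionary words or personal details falls to a far smaller search than the keyspace suggests, which is why the checker flags those two rules separately from length and character mix.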
Some email systems have a 2-step verification process to log in – your password and your phone number – which means that unless someone has both your password and your phone, they won’t actually be able to get into your email. Gmail is one email provider that gives you this option. But before selecting it (or deciding whether you should un-select it), consider the fact that when you give Google your phone number, it is the only thing that connects your email – and the information, messages and people stored inside – to who you are in real life. Because don’t forget, your mobile phone requires real-name registration, including your home address and proof of identification. If providing this clear link (to a large global company) between what your email says and who you are makes you uncomfortable, then you may want to rethink this option. Have you heard the saying, ‘If it’s free, you’re the product’? Google is making a lot of money out of us, so you might not want to throw in your personal details for not-so-good measure. But also keep in mind that what you do online can almost always be traced back to you through your IP address, so not giving Google your mobile number doesn’t mean that you can be incognito on the web.
Another sure-fire (as sure-fire as anything can be) way of having a really strong password and a safe place to keep it is to use KeePass. KeePass is a programme you can install on your computer that allows you to create long, strong passwords without having to remember them, and gives you a secure database in which to store them. To do this, it encrypts your passwords. Encryption is basically a coding system that can’t be solved that easily without knowing the clues to the puzzle. KeePass encodes your passwords so that hackers cannot read them, but you can. To understand how this works, here’s a simple exercise:
- Think of a passphrase. We’ll use ‘Rightherewaitingforyou’.
- Replace every second character with a number, starting from 1: R1g2t3e4e5a6t7n8f9r1o2
- Now, replace every third character with a letter of the alphabet, starting from ‘a’: R1a2tbe4c5adt7e8fer1f2
So we started off with a simple phrase from a song made up of common dictionary words. And we ended up with, well, nothing remotely understandable. Each step we took (replacing the characters according to a certain pattern) formed a certain algorithm. And unless you know what it is, you can’t figure out what the password is. So even if someone knows Richard Marx is your favourite singer, to get from step 3 to step 1 could take a password-cracker programme years longer than the hacker is interested in your data. One function of KeePass is that it generates passwords for you from different, long and complicated algorithms, making your first line of defence as strong as it can be.
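Here is the exercise above written out as an added Python example (not from the original post): each step is a fixed replacement pattern applied to the phrase, with the numbers counting 1 to 9 and then starting again, and the letters counting from ‘a’. Applying step 3 mechanically gives R1a2tbe4c5adt7e8ffr1g2, which differs from the string printed above in the last two replaced positions (the printed version skips a letter); the pattern, not the exact string, is what the exercise illustrates.

```python
# Constructed example reproducing the two replacement steps from the post.
DIGITS = "123456789"                     # step 2 counts 1..9, then starts again at 1
LETTERS = "abcdefghijklmnopqrstuvwxyz"   # step 3 counts a, b, c, ...


def replace_every(text, step, values):
    """Replace every `step`-th character (positions step, 2*step, ... counting from 1)
    with successive entries of `values`, cycling back to the start when they run out."""
    chars = list(text)
    n = 0
    for index in range(step - 1, len(chars), step):
        chars[index] = values[n % len(values)]
        n += 1
    return "".join(chars)


def step_numbers(phrase):
    """Step 2 of the exercise: every second character becomes a number."""
    return replace_every(phrase, 2, DIGITS)


def step_letters(text):
    """Step 3 of the exercise: every third character becomes a letter."""
    return replace_every(text, 3, LETTERS)


def transform(phrase):
    """Both steps applied in order, as in the exercise."""
    return step_letters(step_numbers(phrase))


if __name__ == "__main__":
    phrase = "Rightherewaitingforyou"
    print(step_numbers(phrase))   # R1g2t3e4e5a6t7n8f9r1o2, as in the post
    print(transform(phrase))      # R1a2tbe4c5adt7e8ffr1g2 when the letters run a..g without a skip
```

The output looks like noise, but the same phrase and the same rules always produce the same password, so the protection this gives you rests entirely on the pattern staying secret. A generator that draws each character at random, which is what KeePass offers, does not depend on a secret pattern at all, and that is why the post recommends letting it create your passwords.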
With so many different passwords, what you are going to need is a safe place to put them. And a piece of paper in your sock drawer does not count. What KeePass also offers is a place to safely store all the complicated passwords it has created for you (or your existing passwords). It is protected by a ‘master password’, which is, in fact, the only complicated password you ever need to remember. Once you’ve got that down, the rest are all safe and protected for your eyes only. You can store KeePass on your computer or carry it on a memory stick, but don’t forget to back up the database, because like anything else, something can always go wrong. It can initially seem like it’s taking a lot of time to use, because every time you need to log into something you will have to open the programme, but if you’re serious about keeping your information safe from prying eyes, it’s only a matter of changing your habits slightly.
For more help installing and using KeePass, check out this guide on the Security in a Box website from the Tactical Technology Collective and Front Line Defenders.
Or visit the KeePass website to download it for free onto your computer.