Archive for the ‘Helpful Information’ Category

Tips for creating and maintaining strong passwords

Sunday, January 4th, 2009

In this article, I’ll be sharing some of the information that I’ve picked up over the years. I am by no means a computer security expert. All I can really attempt to do is offer you some basic tips in the hope that you will upgrade your security habits. It is important to realize that no one out there is safe. You can assume that a persistent hacker will eventually gain access to anything, given enough time. You should only hope to make yourself such a difficult target that it would just be easier for the hacker to attack someone else. =]

If you want to know how your password can be cracked, just ask any 8 year old kid. I’m kidding – but honestly the problem is that most kids these days know exactly what illegal things can be done and how to do them. Meanwhile, most of the adults using computers are absolutely clueless when it comes to protecting their information. Even government employees (*cough*Sarah Palin*cough*) conduct their daily business with lackadaisical security efforts. Usually it’s the people who possess a lot of information worth protecting that don’t know the first thing about security.

STOP – I suggest that you read this other article on how criminals get your passwords before reading this post. If at any point while reading this you become frustrated and think that this is all too much nonsense, you are probably the type of person that needs to read everything in this post – so pay attention.

Phishing & Keyloggers

These threats usually rely on your gullibility. There are two programs that I highly recommend you arm yourself with. I believe that AVG Internet Security (read my post on AVG’s Internet Security software) and RoboForm (read my post on Siber Systems’ RoboForm software) are incredibly useful tools. I use both of these programs on a daily basis and they have both saved me many headaches. AVG checks all of my incoming emails for viruses, keyloggers, likely phishing scams and other goodies. Should I accidentally find myself on a phishing website, RoboForm won’t let me accidentally fill forms with my precious information.

There are millions of spam messages out there leading users to thousands of phishing sites. These sites are usually only up for a few days before they get shut down, but are constantly evolving. The stories vary but once you learn to spot one type of phishing scheme, you’ll probably notice all of the rest. Even without the helpful software that I mentioned, if you keep the following things in mind, hopefully you won’t be a victim.

URL or Web Address

Do not click any links that you have received from suspicious sources with suspicious stories. If you’ve been notified of an account problem, you can always call the company to make sure. If you want to log in to your account, you can use a bookmark that you’ve used before or type the web address as you normally would. Don’t click the link in the email or instant message and don’t type that link either. Always verify the URL or web address of a page that you’re visiting before you submit any personal information. Big companies generally won’t operate websites with an IP address as their URL. If you’re visiting a website and it says something like http://209.85.171.100/ in the address bar, you should be careful about submitting any personal information. You might think that you’re visiting bestbuy.com if you saw something like ‘www.bestbuy.com.ww2.us’ in your address bar, but you’d actually be on the ww2.us server: it is the rightmost part of the host name that decides whose server you are talking to, not the familiar name stuck in front of it.
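The two address-bar tricks described above (a bare IP address, and a brand name buried inside somebody else's domain) can be checked mechanically before a login form is ever filled in. The following is an added example and not code from the original post or from any product it mentions; it approximates the "registrable domain" as the rightmost two labels of the host name (a production check would consult the Public Suffix List), and the sample URLs in the usage section are constructed for illustration.

```python
"""Added example (not from the original post): classify the host part of a URL
before submitting credentials to it, flagging a bare IP address and a brand
name buried inside another domain. Assumption: the registrable domain is the
rightmost two labels (a real check would use the Public Suffix List)."""
import ipaddress
from urllib.parse import urlsplit


def registrable_domain(hostname: str) -> str:
    """Approximation: the rightmost two labels, e.g. 'ww2.us' for 'www.bestbuy.com.ww2.us'."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(url: str, expected_domain: str) -> str:
    """Return one of 'unparseable', 'ip-literal', 'ok', 'lookalike', 'other-domain'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname  # scheme, port and any 'user@' prefix are already stripped
    if not host:
        return "unparseable"
    try:
        ipaddress.ip_address(host)
        return "ip-literal"  # e.g. http://209.85.171.100/ - not where a big company logs you in
    except ValueError:
        pass  # not an IP address, so it is a DNS name
    expected = expected_domain.lower()
    if registrable_domain(host) == expected:
        return "ok"
    # The brand appears in the URL, but a different registrable domain owns the server:
    # either as extra labels in front ('www.bestbuy.com.ww2.us') or as a 'user@' prefix.
    if expected in host or (parts.username and expected in parts.username.lower()):
        return "lookalike"
    return "other-domain"


if __name__ == "__main__":
    # Constructed sample URLs; 'evil.example' is a placeholder name.
    for sample in ("http://209.85.171.100/", "www.bestbuy.com.ww2.us",
                   "http://www.bestbuy.com@evil.example/", "https://www.bestbuy.com/account"):
        print(f"{sample:45} {classify_host(sample, 'bestbuy.com')}")
```

The `user@host` case is worth keeping in the check: a browser sends everything before the `@` as a username, so `www.bestbuy.com@evil.example` lands on `evil.example` while the address bar still starts with the familiar name.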

Spam Mail & File Downloads

Do not download any programs attached to your emails – unless you trust the source and know that they have scanned their files for any malicious software. An executable, no matter how small, can do serious damage to your computer or track your activity. Do not reply to any emails from princes in other countries who have boatloads of money waiting for you, and please don’t send them any of your hard earned money either.

Stronger Passwords

If you’ve read my article about common password cracking methods, you should know all about the brute force method, dictionary attacks and making educated guesses. Once again, I’m going to suggest that you look into getting yourself a copy of RoboForm – as it will save you a lot of trouble. It generates secure passwords and remembers all of them for you.

Safety in numbers

The longer your password is, the more secure it will be. Just imagine trying to guess a password that is 1 character in length and consists of a number between 0 and 9 – pretty easy, right? There would only be 10 possibilities; but now imagine trying to systematically solve a password that is 20 characters long. Each character would have the same range of numbers (from 0 to 9), but arriving at the perfect combination of all 20 characters leaves us with 100,000,000,000,000,000,000 (10^20, or one hundred quintillion) possibilities.

While computers make it easier to systematically attack all of these possibilities, it all comes down to a matter of time. The point is that choosing a long password will cost an attacker a great deal of time. Keep in mind that the attacker probably wouldn’t know the exact length of your password. This means that they would have to start guessing from passwords with only a few characters, all the way up to those with 20 characters – which ends up adding another 11 quintillion possibilities to the mix. When you start adding symbols, punctuation, lower-case letters and upper-case letters to the simple 0 through 9 range that we were using, the possibilities become even more ludicrous.

Characters galore

Try to use as many different types of characters as possible. Some websites don’t allow you to use punctuation (like `, ; and “) or special symbols (like #,$ and %) – but whenever they are allowed, use them! No one is likely to guess that your password is +@wEd&.nJ(uF[4=Nr/’- (this is a random 20 character password generated with RoboForm) and attempting to brute force it will take a bunch of computers or a lot of time.

The ‘Don’t Do It’ Section

Don’t use a word and then replace the letters with numbers or symbols. For example: tH!sP@$5w0rD is more secure than tHIsPaSSwOrD but you’re still using words and words are weak. The letter A is commonly replaced with @, O is commonly replaced with 0, I is commonly replaced with 1 or !, E with 3 and so on and so forth. This is predictable and can be added as a simple variation to common words during a dictionary attack.
Don’t choose a word that is somehow related to you in any way. Don’t reverse the word, don’t capitalize it – DO NOT use a word that is related to you – period.
Don’t use any words that can be found in an English dictionary or any foreign dictionaries.
Don’t make a password out of any names, initials, streets, dates, telephone numbers, driver’s license numbers, license plate numbers, or anything else that just popped into your head right now.
Don’t use any cute sequences on the keyboard that are easy to remember. For example, do not use QWERTY, ASDFGH and so on.
Get it through your head already, taking a simple password or theme and making a slight change or some sort of variation – still results in a weak password!
Don’t use any of the examples that you’ve seen in this article or any other password related post.
Don’t tell anyone your password. Don’t put your password in an email. Don’t offer hints to anyone about what your password might be.
Don’t share your computer with anyone that you don’t trust. If you have to share, consider setting up a restricted login account for guests.
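Most of the rules in the ‘Don’t Do It’ section come down to one thing: a dictionary attack undoes the disguise before it looks the word up. The check below is an added example, not code from the original post or from RoboForm; it maps the common substitutions back to letters (the post’s A→@, O→0, I→1/!, E→3, plus S→$/5 and T→7, which cracking tools apply as routine mangling rules), then looks for words, reversed words and keyboard runs. The tiny word list, the substitution table and the 12-character floor are my own constructed choices (the post treats 8 characters as a minimum); a real deployment would check against a large breached-password list.

```python
"""Added example (not from the original post): judge a password by the words
hiding under its letter-for-symbol substitutions. The substitution table, the
word list and the length floor are constructed for illustration."""

# Substitutions named in the post plus S->$/5 and T->7 (assumed, common mangling rules).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})

# Constructed stand-in for a real wordlist.
WORDLIST = {"this", "password", "passcode", "admin", "love", "letmein",
            "money", "secret", "welcome", "sugar", "medicine", "dragon"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def normalize_leet(password: str) -> str:
    """Lower-case the password and map each substituted symbol back to its letter."""
    return password.lower().translate(LEET)


def keyboard_run(text: str, min_len: int = 4) -> bool:
    """True if text contains min_len adjacent keys from one keyboard row, forwards or backwards."""
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - min_len + 1):
            run = row[start:start + min_len]
            if run in text or run[::-1] in text:
                return True
    return False


def weaknesses(password: str, min_len: int = 12) -> list:
    """Return the reasons a password is weak; an empty list means none were found."""
    reasons = []
    plain = normalize_leet(password)
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    words = sorted(w for w in WORDLIST if w in plain)
    if words:
        reasons.append("contains dictionary words after undoing substitutions: " + ", ".join(words))
    reversed_words = sorted(w for w in WORDLIST if w[::-1] in plain)
    if reversed_words:
        reasons.append("contains reversed dictionary words: " + ", ".join(reversed_words))
    # Check the raw text too, because "1234" would otherwise be altered by the leet map.
    if keyboard_run(plain) or keyboard_run(password.lower()):
        reasons.append("contains a keyboard sequence")
    return reasons


if __name__ == "__main__":
    for candidate in ("tH!sP@$5w0rD", "QWERTY123", "drowssap", "+@wEd&.nJ(uF[4=Nr/'-"):
        print(candidate, "->", weaknesses(candidate) or "no weaknesses found")
```

Run against the post’s own example, `tH!sP@$5w0rD` normalizes to `thispassword` and is rejected for the two words inside it, while the 20-character random string from the ‘Characters galore’ section passes every check.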

Different Passwords for Different Accounts

Yes, you have to. This is the biggest problem for everyone; nobody wants to have all these different passwords for a bunch of different accounts. As I’ve been telling you, you need to get yourself a password manager and it will all be easy after that.

Imagine how stupid you’re going to feel when someone gets your password for your eBay account somehow. Then that crook gets some smart idea to go see if you use the same login information for PayPal. I’ll bet that the criminal was surprised to find out that not only do you use the same login information for PayPal but for all of the bank accounts and email accounts that are linked to your PayPal account.

Upgrading Your Stupid Password

As I’ve said in the ‘Don’t Do It’ section, I’d rather you not choose a word and replace certain letters or vowels with numbers or symbols. If you are going to stick with one password for all of your accounts but want it to be strong, try this. Think of a line or phrase that is very easy for you to remember but isn’t connected to your life in any way. For example, the phrase ‘A Spoonful Of Sugar Helps The Medicine Go Down’ might be easy – so now you would abbreviate this phrase. ASOSHTMGD isn’t a word, so it’s already somewhat strong. It’s also more than 8 characters in length – so that’s good. Now, if you can manage it, try to get a good mix of lower-case and upper-case letters, numbers and symbols into this abbreviation – perhaps A5*sHtM6D. You’ll just have to see how it works with your own special phrase; try a couple of different ones.

Assigned Logins and Passwords

Never accept a generic login or password that was assigned to you by a website. If you’re setting up a blog or something and you’re given the username of ‘admin’ or something similar – you need to change it. Likewise, if you just entered your email address as part of the sign up process for some new account and then the website sent you an email with a password in it that they set up for you – you need to go log in to that account and change your password.

Your Username is a Password

Your login usually consists of two parts – your username and your password. If you use the same username everywhere that you go – the criminals only have to work on getting / guessing your password. I recommend that you vary your username from account to account whenever possible. This will keep the crooks guessing and working twice as hard to gain access to your data.

Final Ramblings

I guess most people prefer a weak password that is easy to remember over a secure password that is hard to remember. This makes a little sense, considering that a strong password isn’t any good if the user isn’t able to remember it; however, you must keep in mind that a weak password doesn’t really protect your information.

I recommend that you always use a randomly generated password for each online account. Each account that you create should have a completely different password. These passwords should be the maximum length allowed by the website that you’re creating an account with. Your passwords should contain a good mix of lower-case and upper-case letters, numbers, symbols and punctuation. If some of these characters are not accepted, use as many different characters as is allowed by the website. Use RoboForm to remember all of your passwords and complete all of your logins with one simple click.

For security questions, I suggest that you answer them with the same type of randomly generated passwords as described above. Again, use RoboForm to save these answers in a SafeNote or have RoboForm automatically fill the answers for each security question whenever you’re prompted.
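The recommendation in the last two paragraphs (maximum allowed length, every character class the site accepts, and the same treatment for security answers) is simple to automate. The generator below is an added example and not the post’s or RoboForm’s code; the default symbol set is my own assumption, and the caller passes whatever symbols the site actually accepts, or an empty string when it accepts none.

```python
"""Added example (not from the original post or RoboForm): generate a random
password of the maximum length a site allows, using every character class it
accepts and guaranteeing at least one character from each. The default symbol
set is assumed; pass the site's real allowed symbols."""
import secrets
import string

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?/",  # assumed default; sites differ
}


def _classes_for(allowed_symbols: str) -> list:
    """The character classes in play: letters and digits always, symbols if the site allows them."""
    classes = [CLASSES["lower"], CLASSES["upper"], CLASSES["digits"]]
    if allowed_symbols:
        classes.append(allowed_symbols)
    return classes


def generate_password(max_length: int, allowed_symbols: str = CLASSES["symbols"]) -> str:
    """Return exactly max_length characters drawn with the OS CSPRNG (secrets),
    with at least one character from every class in use."""
    classes = _classes_for(allowed_symbols)
    if max_length < len(classes):
        raise ValueError("length too short to include every character class")
    # One guaranteed pick per class, then fill the remainder from the union.
    picks = [secrets.choice(c) for c in classes]
    alphabet = "".join(classes)
    picks += [secrets.choice(alphabet) for _ in range(max_length - len(picks))]
    # Shuffle so the guaranteed characters do not always sit at the front.
    secrets.SystemRandom().shuffle(picks)
    return "".join(picks)


def has_every_class(password: str, allowed_symbols: str = CLASSES["symbols"]) -> bool:
    """Policy check: does the password use every class it could have used?"""
    return all(any(ch in c for ch in password) for c in _classes_for(allowed_symbols))


if __name__ == "__main__":
    print(generate_password(20))        # full mix, 20 characters
    print(generate_password(16, ""))    # a site that rejects all symbols
    print(generate_password(30, ""))    # a "security answer" for the password manager
```

The same function serves for security questions: a 30-character answer with `allowed_symbols=""` survives the letters-and-spaces-only filters many reset forms apply, and it is stored in the password manager like any other credential.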

If you’ve been using one password for everything, this might sound very complicated but with RoboForm it’s all very simple and way more secure. You should download your free version of RoboForm right now. Or at least read my detailed article on RoboForm and its many uses.

Please take a moment to spread the word if this post was enjoyable.

Understanding the threats and popular password cracking methods

Sunday, January 4th, 2009

You don’t need someone’s password to access their personal information, steal their identity or just ruin their day. Attacking someone’s password, however, is very common and it may be the first step that an unethical person takes to mess with your life. I would just like to discuss some of the ways that a criminal might try to access your documents or online accounts.

Through Trickery (Phishing)

With the ‘anonymity’ of the internet, everyone can pretend to be anybody. Anyone can easily contact you with some type of story designed to trick you into sharing your personal information. These communications will usually come in the form of emails, instant messages, links on social networks, and maybe even some phone calls. Regular people are able to send you an email that looks just like the emails that you have been receiving from your bank, eBay, PayPal, and so on. Probably the most popular storyline in any of these communications is that there is some type of fraudulent activity or other problem with your online account. An official looking email is usually sent out in a spam-like fashion, and its purpose is to ‘alert’ you to this (fake) problem with your account. Now that you’re worried about the account that’s in (fake) jeopardy, you will be encouraged to click on a link so that you can be taken to the website where you can resolve this issue. This is what’s known as phishing (and with good reason) – basically the criminal is casting a line and waiting for a sucker to take the bait.

When you click on the link that’s supplied in the email (or other communication), you are usually taken to a counterfeit website that looks exactly like your online bank, stock broker, email provider, or whatever company the crooks are pretending to be. This website is fake and has only one purpose: to capture your login or other sensitive information. Everything relies on you being flustered by the original alert in the first communication. The criminals want you to concentrate on trying to fix this ‘problem’ or ‘fraud’ that is associated with your account, so that you aren’t paying attention to anything else. Once you’re good and frantic, the link directs you to the website that looks exactly like what you’re used to and you just start entering whatever information it prompts you for. This information goes directly to the hooligans behind these fake emails and websites. They use your information to log in to the real website and access your identity and/or financial data.

Read my other article to learn how to protect your information.

Venturing a guess

The closer you are to a person, the easier it is to guess their password. I know that you think you’re pretty smart and you have an original password, but as Tyler Durden would tell you – you are not a beautiful and unique snowflake. Most people use the same crap when it comes to creating passwords.

When guessing a password, you might as well start with names. People like to use the name of their pets, lovers, children, friends, relatives, and so on. Names would also include your favorite celebrity, sporting team, athletes, school, city, etc. Once you’ve failed with the name game, numbers are your next best bet. People might use important dates, digits of their social security number, license plates, or even the ridiculously stupid ‘123’ and such. When you come up short with numbers alone, you should try a combination of important names and numbers. After that, you can try passwords comprised of one word or something short and very simple like qwerty, password, passcode, admin, love, letmein, money, secret, or even a swear word. If your password isn’t one of the guesses mentioned above, I applaud you.

Like I said, the more you know about a person – the easier it is to guess their password. Criminals don’t necessarily need to know you on a personal basis in order to obtain this type of information though. A lot of background information can be found on the web for free and almost anything else that can’t be found, is available for under $50. To a criminal, it might be worth the $50, depending on what they can get after they have your online accounts.

Keep in mind that most websites require the use of at least one number in your password. This means that most people will simply add a 0 or 1 to the beginning or end of their password. Obviously, any guesses would need to conform to your account’s specific password requirements. What I mean is that if the website requires that your password be at least 6 characters long and include at least 1 number – all of the guesses would be adjusted to meet that criteria.

Read my tips for choosing better passwords.

Brute Force Attacks


Imagine that your password consisted of only 1 lower-case letter in the English alphabet. A piece of brute force software would systematically attempt all of the 26 possibilities until it found your password. For the sake of argument, we’ll say that this program can attempt 1 password a second. This means that in a maximum of 26 seconds, your password would be cracked. It might take only 1 second if your password was the letter ‘a’ – assuming that the brute force started guessing from A and finished with Z.

When calculating how long it might take a brute force program to solve your password, the important things to consider are:
(a) The range of characters available for use in your password (such as lower-case characters, upper-case characters, numbers, symbols, punctuation, etc.)
(b) How many characters in length your password is
(c) How many passwords the brute force software can attempt in a second, and
(d) How many computers are carrying out the brute force attack on your password

Now, let’s pretend that you upgraded your password of 1 lower-case letter to a 10 character password consisting of upper and lower-case letters. There are 26 lower-case letters and 26 upper-case letters, so each of the 10 characters in your password would contain 1 of these 52 available characters with the possibility of having duplicate characters. To see how long this would take to crack we’ll start with what we know so far. (a) = 52 and (b) = 10. We’ll say that this evil person is able to attempt 1,000,000 passwords per second, which isn’t uncommon (against a password hash) – and he’s working with only one computer. These assumptions give us (c) = 1,000,000 and (d) = 1. Now that we have everything we need, let’s figure out the maximum amount of time that it will take for our criminal friend to crack our 10 letter password with the brute force method. The formula goes like this, (a) to the power of (b) divided by (c) which is divided again by (d).

For our specific example we end up with this formula: (52^10) / 1,000,000 / 1.

Our calculation shows that the brute force could take a maximum of 144,555,105,949 seconds. This is an equivalent of 2,409,251,766 minutes, 40,154,196 hours, 1,673,092 days or 4,584 years. For comparison, a password containing 6 lower-case letters would only take 5 minutes to brute force with the same attempts per second. Keep in mind that your password is likely to be solved before the very last attempt; and the bad guy could always use multiple computers to cut down on the time that it would take to run the brute force.
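The (a)^(b) / (c) / (d) formula above, and the "Safety in numbers" arithmetic from the first post (10^20 guesses for 20 digits, plus every shorter length when the attacker does not know the length), carried through in code so both posts’ figures can be reproduced. This is an added example, not code from the original posts; the guessing rates are the posts’ own assumptions (1 and 1,000,000 guesses per second), not measurements of any real cracking tool.

```python
"""Added example (not from the original posts): keyspace and worst-case
brute-force time, i.e. (a)^(b) / (c) / (d) in the second post's notation.
Rates are the posts' own assumptions, not measured figures."""


def keyspace(charset_size: int, length: int) -> int:
    """Passwords of exactly `length` characters over `charset_size` symbols: (a)^(b)."""
    return charset_size ** length


def keyspace_up_to(charset_size: int, max_length: int) -> int:
    """Passwords of every length from 1 to max_length: the extra work an attacker faces
    when the length is unknown and has to be searched from the shortest upwards."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def max_crack_seconds(charset_size: int, length: int, guesses_per_second: int,
                      computers: int = 1) -> int:
    """Worst case, every candidate tried: (a)^(b) / (c) / (d), in whole seconds."""
    return keyspace(charset_size, length) // (guesses_per_second * computers)


def breakdown(seconds: int) -> dict:
    """Express a duration in the units the post uses, rounded to the nearest unit."""
    return {
        "seconds": seconds,
        "minutes": round(seconds / 60),
        "hours": round(seconds / 3600),
        "days": round(seconds / 86400),
        "years": round(seconds / (365 * 86400)),
    }


if __name__ == "__main__":
    # First post: 20 digits is 10^20 candidates; unknown length adds every shorter length too.
    print(f"{keyspace(10, 20):,} candidates of length 20")
    print(f"{keyspace_up_to(10, 19):,} more for lengths 1 to 19")
    # Second post: 10 mixed-case letters at 1,000,000 guesses/s on one computer.
    worst = max_crack_seconds(52, 10, 1_000_000, 1)
    print("worst case:", breakdown(worst))
    # On average the password falls about halfway through; 100 computers divide the time by 100.
    print("average case:", breakdown(worst // 2))
    print("100 computers:", breakdown(max_crack_seconds(52, 10, 1_000_000, 100)))
    print("6 lower-case letters:", breakdown(max_crack_seconds(26, 6, 1_000_000)))
```

The 52^10 case reproduces the 144,555,105,949 seconds (4,584 years) quoted above, and 26^6 at the same rate comes out at 308 seconds, the "5 minutes" for six lower-case letters. The `computers` parameter makes the post’s last caveat concrete: (d) divides the time linearly, so a hundred machines turn 4,584 years into about 46.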

Read my other article to learn how to create stronger passwords.

Dictionary Attacks

Somewhat similar to brute force attacks, dictionary attacks will attempt to guess your password by submitting word after word from a huge list. Dictionary attacks will usually result in a faster completion over the brute force method because it only guesses passwords that are more likely to exist rather than every single possible combination of letters, numbers and symbols. Since most people choose simple passwords that are fewer than 8 characters – these passwords are usually very easy to predict. All a crook needs to do is create and maintain a custom list of common passwords (with a few variations of each) and then unleash it on some unsuspecting target.

Don’t let the word ‘Dictionary’ fool you – it’s more of a custom list that is downloaded off of the internet or created by the criminal performing the attack. The password ‘iloveben’ wouldn’t be found in your common dictionary, but it might be included on a list used for dictionary attacks. The beauty of a dictionary attack is that the criminals can tailor their list to a particular person or website that they want to attack. If the bad guy is trying to gain access to an administrator account on some website about butterflies, the bad guy can simply import butterfly related words and phrases into the password list being used for the attack.

Read my other article to learn how to create stronger passwords.

Password Reset

It appears that this method may be the easiest one that someone can use to gain access to your online accounts. We have all used the “Forgot your password?” option at one point or another. This is where the website that you’re trying to access will ‘do you a solid’ and email your old password to you or hook you up with a new password after you answer some security questions. The trouble with this reset function is that the security questions are usually pretty dumb. Anyone would be able to reset your password if he/she can find out the name of your dog, where you attended school, where you were born, what streets you’ve lived on in the past or some other trivial crap.

This is where your extravagant blog posts or information on MySpace, Facebook or Twitter come into play. You have probably already posted something about the answer to each of your security questions without even thinking twice about it. People have even started stockpiling this information by sifting through webpages and social networks to build databases of common pet names and related content that they can then sell to information-hungry criminals.

Read my other article to learn how to be safer online.

Recording your keystrokes

As the name suggests, a ‘keylogger’ will maintain a log of the keystrokes made on a given computer. This means that whenever you type your login information, it is recorded and stored on your computer for later review or secretly transmitted to the person who wants to steal this information. Keyloggers are very common on public computers (such as those in an internet cafe) and work computers.

Keyloggers exist in a variety of forms.

It could be a piece of software that pretty much runs invisibly on your computer. Most of the time, you will not see a keylogger program running on your taskbar or system tray. Sometimes keyloggers are hidden inside of other programs or renamed to look like other software, which makes it hard for a human to detect. These keyloggers could accidentally be installed by you, your family members or perhaps a friend. Another possibility is that someone intentionally installed the keylogger on your computer.

Another type of keylogger is a little piece of hardware that is physically connected to your computer. It could be as simple as a USB stick that is plugged into the back of your computer or it could be located inside of the computer case. Just imagine an unscrupulous computer technician working at your local repair shop, attaching a keylogger to every computer that comes his/her way. Whenever you take your computer in to get fixed, he/she downloads your keystrokes and then accesses your accounts or sells the information.

I suggest you download the free trial version of AVG Internet Security and scan your computer.

Final Ramblings

Once you have read how these criminals attack your password, it’s pretty easy to figure how to prevent them from doing so.

Don’t get tricked

Find a strong internet security suite to protect you from spam emails, fake websites and keyloggers. Don’t download any programs attached to communications from suspicious sources. Don’t click any links in any private messages that are notifying you of a problem with your account. If you think that there might be a real problem with your account, manually type the website’s address into your browser and log in to fix it. Don’t tell anyone your login information, even if they say that they are some official person working at some official company. Companies will never ask you for that kind of information; they already have access to it and they can even reset it if they need to.

Create strong passwords

Create long passwords that use as many different characters as possible. Use a different password for every account that you have. If you need help remembering these passwords, you should definitely get your free copy of RoboForm and / or the portable version, RoboForm2Go.

Create strong security answers

I would recommend that you use strong passwords for your security questions, but that’s because I keep them saved in my SafeNotes with RoboForm. If you don’t want to use random characters for your answers, I might suggest that you lie to them. Tell them anything else that’s easy to remember, as long as it isn’t the real name of your dog. =)

If you have the time – read this next article on creating and maintaining good passwords.

Please take a moment to spread the word if this post was enjoyable.