The 5 Passwords of life - Keeping your Digital Persona secure and avoiding Identity Theft in the modern day

The 5 Passwords of life - Keeping your Digital Persona secure and avoiding Identity Theft in the modern day

3 simple steps to securing your digital identity



STEP 1


You should have at the most 5 passwords to remember. Each password is different, and those passwords are never used anywhere else (#5 can be stored in your password manager if you don't check E-mail from devices you don't own/control (you should never type passwords into computers you don't own because you don't know if they have virus infections):
  1. Computer Unlock password (Multiple computers - keep them all the same as long as it's not syncing with a web service aka icloud or Microsoft account)
  2. Phone PIN/password Unlock (not your SSN/DOB or anything else found in your credit report)
  3. Password Manager master password (I recommend bitwarden.com). This password should be entirely unique and not a variation on a password that you've previously used ever before.
  4. Primary phone account password (iPhone = Apple account, Android = Google account)
  5. Primary E-mail account used to register with websites (E-mail address you give out to other people/register with websites)
Use Bitwarden to remember the existing passwords you have, you need to be able to use Bitwarden everywhere (and Bitwarden does make mistakes). Once you are comfortable with using Bitwarden everywhere, you're going to start using the password generator in Bitwarden and start changing all your passwords to randomly generated passwords (16 characters unless websites require shorter ones). When you're done, all passwords in Bitwarden will look something like: @5&y@wVqAb!^Ya*6 which follows the great rule: "The only secure password is the one you can’t remember"

STEP 2


Make sure the account recovery on passwords #3, 4, or 5 (above) doesn't point to any account that isn't secured with a 2-factor authentication method. Pick your 2nd factor of choice (OTP dongle - Ubikey, Authenticator App on phone (TOTP), etc.). Be aware security questions are NOT second factor. If you tell the truth to security questions you're actually just providing a single reused piece of information that will allow hackers to reset passwords. They are NOT a 2nd factor, they're just a 2nd password and if reused it's like reusing your password (Tip: make security questions and answers unique per location, and record the unique answers in your Password Manager notes section).

Remember: If you setup 2-factor authentication make sure you have a backup (2 Ubikeys/hardware devices, or print and store offline the QR codes during initial setup).


STEP 3

Everything else goes into your Password Manager, document everything in the notes section as appropriate.
OR
The alternative to using a password manager is go buy a little spiral notebook with alphabet tabs and write your passwords in there (Keep blank spaces between each entry for password changes).

At this point, you're done. No need to continue reading unless you want to understand why and dive a little deeper into understanding why these things are important. 




Making your Password Manager Password

There are many techniques you can use, here's mine for making a good password that you should never have to change because it's only used one place. Local passwords, because of the usual requirement of physical access to the device don't need to be as strong, unless you so desire. 

Always go with your first instinct when answering the questions below (generating seed information):
  1. Give me two words at least 4 characters each (names, places, events, hobbies, interests, something special)
  2. Give me 4 numbers (preferably not your DOB or SSN)
  3. Look on the keyboard above the 1 thru 0, what's you're favorite symbol (preferably not ! because that's used the most).
  4. Pick a number between 2 and 6 (this is how many times you are going to use the favorite symbol to make your password longer, but still easy to type)
Here's an example answer to the above and using it to create a password for you:
  1. opera pumpkins 
  2. 8433
  3. *
  4. 4
Good password examples from the above seed info (from good to better): operapumpkins8433****, Opera8433Pumpkins****, Opara8433Pumkins****, OPERA8433pumpkins****, ****operA8433pumpkinS, OPER84****pump33, oPEr84****PumP33


Minimum requirements: 16 characters (20 + preferred), keep it out of the dictionary. 
Tips: Force yourself to spell words wrrong, you'll usually force-spell it wrong in a different way than someone else. Longer is always better. Put capitalS In fUNKy wAYS THAt ARe UniqUe TO yOU. Bre akup wordsinthepassword. Y0u can l33t sp3ak but kn0w !ts kn0wn by 3v3ry0n3 31s3. Most people put numbers at the end, so you don't. 

Other Tips: Usernames are usually not case sensitive, passwords almost always are.
If you are typing passwords into mobile devices think about grouping the different keyboard mode characters together so you don't have as many <shift>, switching between the different keyboard modes to do. Yes, makes automated password guessing easier, but since we're keeping the length 12+ characters brute force cracking possibilities are limited.

Another alternative to using the above technique, you can go with the haystack approach, keep it 16 characters+: https://www.grc.com/haystack.htm 


Quick Security Test


Answering YES to any of these things means you've failed the test. See above.

  1. Are you typing one of the above passwords into a web browser for something other than the first 3 items?
  2. Are your passwords a variation of an old password? Hackers know we change an old password just a little to "update" it: hello1234, Hello1234, hello1234!, hello7890, hello!1234, HELLO1234, h3ll01234. Variations on existing passwords are broken in seconds on a modern computers with current password analysis techniques http://bit.ly/1PM4ntm .
  3. Have you used your password manager password (or a variation of it) online anywhere?
  4. Can you remember any other website passwords? (if you can remember any other passwords other than the 5 above then all your other passwords probably don't look like: @5&y@wVqAb!^Ya*6 which they should).


----------------------------------------

Why???


Because just like the internet, your digital identity is interconnected.

Let's walk thru a typical hacking scenario. Thieves want money (points/gift cards/shopping sites etc), it's in your bank account so let's go and get it:

Level 1

Using the same password on your bank as other websites? It's probably in a hacked database already. We're in your bank account.

Level 2

Using the same password on your primary E-mail address as other websites? It's probably in a hacked database already. We're in your E-mail.
Search E-mail for bank names. Goto your bank website, click forgot password link. Put in E-mail, reset password on bank account. Delete E-mail's out of E-mail and empty trash (no trace of compromise). We're in your bank account.
Note: Now that we are in your E-mail, we can use Forgot Password on just about any website to login to any service you use. Access to your primary E-mail account fully compromises your digital life. While I'm here I'm going to change password and reset account recovery information so you can't get into your E-mail and stop me from continuing to compromise every account you own using password recovery. Ever try to call google, Microsoft, Yahoo, or any other free E-mail account provider? Let me save you hours of grief, it's impossible. Go hire a lawyer, and wait for 3-12 months to work your way thru the legal system. Let me know how it goes. If you aren't paying for it, once you can't recover an account using recovery information that account is gone. Forever.



More Research:

Deep Dive into Multifactor Authentication

Alternative techniques to making good passwords:

Are your passwords already in a hacker database somewhere?

How many times has your information been known to be compromised?

F5 Labs - Credential Stuffing report of Feb 2021

    • Related Articles

    • Your Digital Life Checklist

      Do you know? David's 3 Rules to Staying safe - Everyone should know this https://www.davidthegeek.com/portal/kb/articles/david-s-3-rules-to-staying-safe-on-a-computer 5 Passwords of Life - How to deal with passwords safely/easily ...
    • What is security? Am I secure?

      Since a picture is worth 1000 words, lets make this easier to understand. Pick your place on the red line. Security Graph
    • Windows XP - End of Life Issues

      The world doesn't come to an end April 8th. No concerns about continued XP use if: If you don't connect to the internet with the machine If you connect to the internet on that machine and it's XP: Follow good security ...
    • Backups - The 3-2-1 Rule: If you don't have one expect to loose your data

      Do I need to have a backup? Throw your computer/electronic device out the window, and then ask yourself do you want to get access to anything that was once on your device. If you say "OMG, I need xyz back!", then you need to have a backup solution. ...
    • Business Hours and Contact Methods with Response Times

      Standard Business Hours Monday thru Friday: 7am-5:30pm After Hours and Weekend Work Short <5min computer questions: No Charge (eg when at the store shopping and you have a quick question) Emergency Work: Billed at after hours emergency rate. Feel ...