Secure your password

For 18 years now, October has been known as Security Awareness Month. And while we at Orange, with Orange Cyberdefence, are rated number 2 of the top 250 MSSPs by MSSP Alert, it is not only a case of having a good security provider helping you and your company keep out cybercriminals. It also involves you, both in a professional and in a personal context. And there is one critical area there: passwords! So let's talk about them a bit.

A small history of my password(s)

Like everybody else's, my passwords started as a word (not one of these, but those lists still exist for a reason, unfortunately, even now...). When that wasn't enough to meet the 'password requirements', I replaced some letters with numbers or signs (e.g. l (the letter L) became 1 (the number one), or an i became !), to introduce a sign instead of just numbers and letters. To make sure I could remember these passwords, I kept them more or less the same across multiple accounts. Of course. And this worked fine, until the required password length started to exceed my 'default' password... Oh, how many times I cursed a new website, because this way I started to get multiple 'deviating' passwords. Luckily my mind was (is) still with me on remembering more than one (or even 5 - 9) things :-) (Yes, passwords are longer term, so that article doesn't really apply, but anyway.)

Time for a management system of my passwords

With the rise of webshops, the internet and social media platforms, the number of passwords started to explode. Because of course, every one of these damn sites had different password requirements, and so my list got too long to really remember which one was which. Luckily, this was the time I got acquainted with some (online) password managers and I started using / testing a few of them (for the life of me I cannot remember which ones, but lastpass.com was for sure one of them). And to good avail, certainly in those early years when everything online was still free.

When subscriptions started to come up more often, or my requirements became more demanding and needed the premium version of the password manager I was using, I usually tended to look over the wall at another one. And while all (well, most...) of those online password managers were easy to use, I started to realize, just like with my online social media profiles, that your data was never 100% under your control. So I became interested in the offline alternatives out there, and to date my favorite is still KeePass!

I'm actually super happy with KeePass: the tool has all types of plugins available, it is fully open source (no, I have not gone through the code myself to validate that there is no 'hidden backdoor'...) and I have not found any blocking point to date which I have not been able to resolve. But it is not the tool for everyone out there. I have the knowledge and capabilities myself to ensure the database is securely synced to my phone and my private and professional laptops without hiccups, but for a n00b this isn't a super straightforward thing to do, so you will quickly end up needing an online service to achieve the same. And that's in itself not completely wrong, but just realize that even one of the most accredited online password managers, lastpass.com, was hacked. So just be careful what you decide to do!

Back to my passwords

So when I started using a password manager, I was still on a 'variation' of my original long-lasting password, which I first created around the year 2000. In comes the password generator of KeePass. With that, I started to diversify my passwords for some websites, while still having some old passwords floating around in cyberspace. It actually took me quite a while to really start to realize how dangerously unsafe those accounts with my old password were. Until I started to use haveibeenpwned.com. Just try it: insert your mail address on that website (yes, it's safe!) and see how many breaches there are.

That's when I realized it was about time to look back into the past and change all my passwords. Luckily, I had been adding old accounts to KeePass as I went about ordering stuff in webshops and logging into my social media, as well as adding new accounts with auto-generated passwords, so I could just search my DB and look at those accounts still using the old password(s). My online accounts all use different passwords now, my KeePass database is locked behind a very strong mechanism, and I have started to implement password rotation on several accounts, something I will do more and more in the future.

Next level security

Whenever I see the option for two-factor authentication available, I activate it. This can be based on email, SMS or a third-party authenticator app. Not all websites allow it yet, but whenever you see the opportunity to do so, please, add it! It will cost you a few seconds extra to log on, as you first need to enter the authentication code, but at least nobody can, for example, log in to your PayPal account and transfer money to whomever they want. It's definitely worth the effort!

In recent times, phishing has been one of the most common threats in the cyberworld, which got me thinking. I have in total 500+ online accounts with logins and passwords (I buy a lot online, but even before or without buying, I sometimes create new accounts on websites to compare products, put things in my basket or for whatever reason). On a professional level, over the last 4 companies I worked for, I gathered over 150 different accounts. (Yes, I know about Single Sign-On; I often just create different accounts on, for example, our customer portals to see what a customer can see.)

So the next level of security I started to implement, only on the personal part of my passwords, is this: custom mail addresses. On one of my mail domains, I created a catch-all mailbox. With that, I create my online accounts not with my personal mail address, but with a custom mail address for each website, all landing in that catch-all mailbox. Should I notice spam coming in on the mail address website2015@domain.com, I can identify that website by the mail address, block all mails to website2015@domain.com and adjust my password very easily for that website alone. When you get spam on myname@domain.com, you never know which site is breached and as such cannot adjust anything or protect yourself from it.

Of course this step is probably overkill for most of my readers, but just putting it out there :-)

Great passwords without using a password manager

Let's say you are afraid of using online password managers and are not able to set up a sync between all your devices (please don't ever use your browser to store them!), but still want to have a good password attitude; you might ask me if that is possible at all. And the answer is: YES!

Let's take a step back to your old (or maybe even current?) habits of password adjustments: password became password1, Password1, Passw0rd1!, PassW0rd2022!, ... While that last one is rather difficult to breach by brute force (202k years), with one leaked database and some good insights from the hackers (they all know we use the above type of methods!) they can probably still breach your work or private accounts. So how can you use this bad method of just adjusting passwords to your benefit?

Well, you need to create a unique password for each service, so let's try to create a standard 'formula' in your head (still the safest place to fence you off from cybercriminals!) to create your passwords. I'm giving you an example (not mine, nor should it become yours). Let's use amazon.com as the example webshop we want a password for.

Step 1: find a base password part you easily remember. The name of the dog you never had for example: Bobby

Step 2: prepend it with the first and last letter of the domain name: AmazoN : ANBobby

Step 3: count the number of letters of the domain name and add that to the back: Amazon = 6 : ANBobby6

Step 4: add a specific sign at the end, let's use the question mark in this example: ? : ANBobby6?

Step 5: take the letter in the domain name that occurs furthest back in the alphabet, replace it with its number (a = 1, b = 2, ...) and add this to the back: amaZon, z = 26th letter : ANBobby6?26

Step 6: to top things off, add an extra fixed word, leaving a space between your password so far and that new word (there doesn't have to be a personal connection to this word; the less sense it makes, the better): for example renaissance : ANBobby6?26 renaissance

We now have a password that is 23 characters long, is unique for each and every website, and can be remembered very easily by using the same method every time. When creating an account on snapchat, the password would become something different, STBobby8?19 renaissance, by using that same method.
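As an added illustration, not the article's own code, here is the six-step formula in Python so you can check that it reproduces the amazon.com example and see how the result changes per site. The base word, sign and extra word are parameters defaulting to the article's values; stripping the scheme, a leading "www." and the TLD to obtain the 'domain name' is my assumption.

```python
import re

# Added example (not the article's own code): the six-step 'formula' from the
# article, so the passwords it shows can be rebuilt and checked.
# Assumption: 'domain name' means the registrable label only, so the scheme,
# a leading "www." and the TLD are stripped before applying the steps.

ALPHABET_START = ord("a")


def site_name(domain: str) -> str:
    """Reduce 'https://www.amazon.com/' to 'amazon' (assumption, see above)."""
    name = domain.strip().lower()
    name = re.sub(r"^(https?://)?(www\.)?", "", name)
    name = name.split("/")[0].split(".")[0]
    if not name.isalpha():
        raise ValueError(f"formula needs an alphabetic name, got {name!r}")
    return name


def formula_password(domain: str, base: str = "Bobby",
                     sign: str = "?", extra: str = "renaissance") -> str:
    """Steps 1-6 of the article, with the article's example values as defaults."""
    name = site_name(domain)
    # Step 1 is the memorable base word; step 2 prepends the first and last
    # letter of the site name, upper-cased.
    pw = name[0].upper() + name[-1].upper() + base
    # Step 3: append the number of letters in the site name.
    pw += str(len(name))
    # Step 4: append the fixed sign.
    pw += sign
    # Step 5: append the alphabet position (a=1 ... z=26) of the letter that
    # occurs furthest back in the alphabet in the site name.
    pw += str(ord(max(name)) - ALPHABET_START + 1)
    # Step 6: a space, then the fixed extra word.
    return pw + " " + extra


def passwords_differ(domains: list[str]) -> bool:
    """True when every site in the list gets its own distinct password."""
    generated = [formula_password(d) for d in domains]
    return len(set(generated)) == len(generated)


if __name__ == "__main__":
    for d in ("amazon.com", "https://www.snapchat.com/"):
        print(d, "->", formula_password(d), len(formula_password(d)))
```

Note that step 5 applied literally to snapchat picks t (20) rather than s (19) as shown in the text above, which is exactly the kind of slip to watch for when a password has to be rebuilt from memory every time.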

When logging on to that website again, you can rebuild this password without mistakes. Yes, it's a bit of a hassle, but hey, none of us want to have our online accounts broken into. Because if it's easy for you to fill in your password, it probably is for hackers as well. And when using only one password (even if it might be brute-force proof), a hacker who gets hold of your email / password combination (it's for sale on the dark web for sure) can easily log on to all your accounts! So best of luck in securing your accounts!

PS: Any other ideas, tips or tricks, leave them in the comments!
