How to protect your online accounts — a guide for regular people (not techies)
Recently, a friend asked me about this chart, showing how quickly a hacker can guess a password:
She had two questions:
Is this accurate?
If so, what to do about it?
The answer to first question: Yes, it’s accurate. If anything, it’s worse.
Some people blow off password security with something like, “I don’t care if a hacker sees my vacation photos.”
And you’d be right. But that’s not what they’re after.
They want your money. In your online bank accounts, in your investment accounts.
Your life savings. protected by… a password.
I’m not exaggerating. In 2021, North Korean hackers stole $400M. In 2016, North Korea tried to steal $1B from Bangladesh, among the poorest countries in the world, to pay for things like Kim Jong-un’s private jet.
Talk about an asshole move.
If these hackers have no compunction to steal from poor Bangladeshis, they have zero hesitation about stealing from you.
Most of this theft comes from Russian, Chinese, Iranian, and North Korean hackers. These countries see you as a source of income to fund their authoritarian governments.
That’s what you’re up against.
You’ve probably already been hacked
Today, hackers get lists of literally hundreds, thousands, even millions of credentials on the dark web, which other hackers have posted. Here are just a few of these hacked credentials collections.
For example, the password for firstname.lastname@example.org is already published on the dark web, according to security research site Have I Been Pwned. (Pwned is security-speak for “owned”, as in, I own you.)
Because of this, any hacker can get Mr. Doe’s password.
Now, if John Doe has changed his password since it’s been stolen and published, he’s okay. But if he hasn’t, hackers can log into whatever accounts use that stolen password.
Your turn: look up your email on Have I Been Pwned
- Point your browser to https://haveibeenpwned.com/
- Enter your email address
Wait, is this site sketchy?
Great question! If you’ve asked it, you’re already developing a security mindset, which is awesome.
The answer: No, not sketchy.
HaveIBeenPwned is run by Troy Hunt, a security researcher who runs this site. He’s kind of a big deal in the security world given the value of his website. Here’s his LinkedIn profile, Wikipedia page, and home page. Legit, right?
But who cares if hackers see my photos
And I don’t either. I don’t care if someone hacks into your Giphy account to look at animated cats — but if your Giphy account uses the same password as your bank, you’re hosed.
Here’s the difference between you and me:
You probably use the same passwords for random consumer websites and financial sites that really matter to hackers.
But I don’t. (And I’ll show you my techniques below.)
Why does this matter?
Let’s say you, me, and John Doe all use the same consumer website for photo sharing. It gets hacked. Because all sites do. (Even the NSA.)
So, hackers get John's username and password for that consumer website. Let’s say John’s username is email@example.com and his password is fluffybunny.
Hackers will write a software program to take that same username/password combination and try it to log into:
… and so on, going down the list of the biggest banks. Then they’ll repeat for all the other username/password combinations they have.
And they have a lot. How many? Our boy Troy says there are over 11 Billion hacked username/password combos:
Most of these login attempts fail. But that’s okay. Software programs run tirelessly, 24/7. If just 1% work, that’s enough to set up a funds transfer and steal money.
And if your bank account is hacked — do you think you’ll get your money back from hackers backed by an adversarial foreign government armed with nuclear weapons?
Good luck with that.
You’re literally dealing with nuclear-armed gangsters.
So what should you do?
If you want to protect your money from hackers, follow these principles:
Unique and strong
Have a UNIQUE, STRONG password for EVERY website you use.
Let’s repeat that:
- Unique: different password for each site.
- Strong: hard for a hacker to guess.
- Every: do this diligently for every site.
Since every website will get hacked, you need to firewall the damage from a hack to just that one site.
Write it down
Using a different, strong password for each site means you cannot remember each password. You need to write it down, in an app that’s well-protected, from which you can copy/paste.
I’ll explain below which app, and what I mean by “well-protected”.
Max out the length
When you register for a website, max out the password length. Start with the longest possible password in the 1Password password generator, which is around 60 characters, and cut it down if the password is rejected for being too long. Here’s what one of their long passwords looks like:
Recently, I registered for the California DMV site. They rejected my 60 character password. The error message stated that the max length was 20 characters, and had to include a number.
So I copied and pasted my 60 character password into a text editor, took the first 19 characters, and slapped a number at the end. Continuing with the example, here’s what that looks like:
(Obviously, none of the passwords listed here are my actual ones.)
On the other hand, many companies now support long passwords. Google’s one example; your Gmail account should have a 60 character password (if not longer).
Start out long, then cut down as needed.
Most of the time, you won’t be typing out my passwords. You’ll copy and paste. It’s the same action to copy and paste whether the password is 10 characters or 60. So make it as long as you can.
Use the keyboard
Whatever app you use to store your passwords, you’ll have the ability to use the keyboard to select and copy the password, and then paste it into a web page.
Learn these now, because it will be more reliable to select all with the keyboard, making sure you don’t miss any characters. And copy/paste is a lot faster with the keyboard.
On a PC, your keystrokes will be:
- Select all: ctrl-a
- Copy: ctrl-c
- Paste: ctrl-v
On a Mac:
- Select all: command-a
- Copy: command-c
- Paste: command-v
Nerd alert; feel free to skip
Some of you might look at the chart at the top of this post and notice that an 18 character password will take trillions of years to crack. That’s true. But computers are always getting faster. And quantum computers might end up being really fast, to the point where the US government is concerned.
Long story short: the time it takes to copy and paste 18 characters as it is for 60 characters. So just make it long.
Easy to type
Some websites stupidly make it so that you can’t copy/paste into the password field. To handle these cases, I set up the 1password generator to create a “memorable password” with words separated by dashes, with a capital letter thrown in. Here’s what that looks like:
Breaking up a long password with dashes means that you can easily check each “chunk” to ensure you’ve typed it in properly.
Why uncheck “Full words”? Because there are only around 4000 four-letter words in a typical English dictionary. But if you ignore that constraint, you can make many more words. That makes it harder for a hacker’s computer program to guess.
Reduce Apple iCloud risk
For passwords, one of the biggest risks is around Apple iCloud. You can’t copy/paste these into your phone. Nor can you see what you’re typing aside from black circles. Here’s the screen I’m talking about:
It’s easy to mess up typing a long password, so you have to go with something easy to type, yet short enough not to mistype.
What I do is use the 1password generator to generate three words separated by a dash (example: Darm-twec-chum) and add a number at the end (Darm-twec-chum9). Of course, this password is unique to Apple iCloud.
Here’s what that looks like:
It’s frustrating that Apple impedes security for billions of users by preventing us from discouraging us from using long passwords, but such is life.
Use text messages in addition to passwords
Whenever you can authenticate using a text message sent to your phone, in addition to your password, use it. This way, even if a hacker gets your password, they still can’t get into your account.
(You might have heard of this as 2-factor authentication or 2FA for short.)
Often you’ll see a checkbox saying something along the lines of“Don’t ask again for this device” or “Remember this browser”.
When you check this box, it means that you won’t get a text message next time you try to log in. If someone steals your laptop, they’ll be able to login with just your password; no text message will be sent.
For this reason, I prefer to leave these boxes unchecked. It’s one more barrier for a hacker. Again, we’re talking about motivated, state-sponsored hackers.
Use FaceID to log into apps
Some iPhone apps support the iPhone’s FaceID to log in. This is a great thing to set up whenever possible— convenient and secure.
Some apps, like WhatsApp, prompt you to use FaceID, making it super easy to set up. Other apps, like Dropbox and Evernote, bury this setting in the preferences for some reason, making this great capability less frequently used.
As I write this in 2022, there are dozens of iPhone apps that support FaceID, including:
- Apple App Store
- Apple Wallet
- Google Authenticator
- Google Chrome
It’s hard to overemphasize how great FaceID is for security. It’s strong and simple. If every website supported it, I wouldn’t need to be writing this article!
Store your passwords
Where to store your passwords?
Some people like Evernote, since it is available as a phone app, laptop app, and website. This makes it more flexible to copy/paste passwords.
Google Sheets is another good choice as a password repository, given Google’s strong security practices, ability to share sheets for shared logins, apps for iPhone and Android, and support for text messages in the login process.
Notion is another app that’s recently gotten attention, though I haven’t used it.
Secure your password store
Whatever you use to store your password, you need to heavily secure it using the techniques above. Long, unique password. Text messages.
You’ll find yourself logging into your password store all the time. For this reason, I’ve found it helpful to have a long password that’s actually a sentence composed of many words. For example:
My dog is a poodle and has a name of spot
Easy to for me to remember, but hard for a hacker’s script to guess.
Because it’s easy for me to remember, I don’t need to write it down anywhere on my phone or laptop.
Your master passphrase should focus on one concept
If you talk to your techie friends, they might point out the geek-famous correct horse battery staple comic that’s been influential among security folks.
My only gripe with pass phrases like “correct horse battery staple” is that they’re hard to remember. What the heck is a battery staple, and why am I talking to a horse?
Instead, I find it easier to zero in on one concept — like a pet, or friend, or city — and make a short description of it your passphrase. Like this:
i nearly froze my ears off one january in chicago
my best friends mom taught philosophy in arizona
… you get the point.
I keep them lowercase to make typing easier. I leave out the apostrophe in friend’s, since they can cause issues in apps.
You can skip the spaces if you like, or if the app you use for your password store doesn’t accept spaces.
The cool thing is that these phrases are really long — over 40 characters — which takes today’s computer’s over trillions of years to guess.
Use Spotlight when typing out your master passphrase
On the Mac there’s a feature called Spotlight. You can quickly bring it up by typing command-space:
You can use Spotlight to type out your long master passphrase in plain letters (not asterisks) to ensure that you’ve spelled it right.
Then, use your command-a/command-c technique to reliably select and copy the entire phrase:
From here, you can paste the long phrase into your login for whatever you use to store your passwords — Evernote, Google Sheets, etc. — using command-v.
Sounds complicated, but once you build the muscle memory, it’s quick.
I haven’t tried any of these, but here are some rough equivalents for Spotlight than run on Windows. Just make sure they don’t present your master password through any kind of saved history.
Don’t get locked out of your password store
Now what I become unconscious (or worse) and my loved ones need to access my accounts?
For this scenario, I write out — when pen and paper, completely analog— my password store’s password on a piece of paper. It’s hidden in my home, somewhere safe, where some trusted contacts know where to find it.
Whatever you do, don’t use a printer to print out this password. You don’t want it ever being typed into a computer.
I know someone who once wrote all their passwords on a single index card. This got messy and unreadable as the number of passwords grew, and changed over time.
Instead, have one Evernote record, or Google Sheets row, per website and person. For example, I have separate notes for my DMV account and for my kids.
For each password note, I write the date of when I created the password. Some websites will occasionally expire passwords on their own, and it’s helpful to know if a password is old or not.
Secure, unique phone PIN
Since your phone will have all your passwords in your Evernote, Google Sheets, Notion, or some other app, put a strong PIN (7–8 characters) on your phone.
This way, if someone steals your phone, it will be hard for them to guess your PIN before they’re locked out after too many incorrect guesses.
Of course, this PIN should be unique to your phone and not the same as any of your passwords.
And, turn on FaceID or TouchID, if your phone has one of them.
Secure, unique laptop password
Put a semi-strong, unique password on your laptop. I use 1password generator to create a three-word password. Easy enough to type frequently, but hard for a hacker to guess if they steal your laptop, without eventually getting locked out from too many incorrect attempts. Here’s what that looks like:
Extra credit: password manager
A password manager, like 1password password manager, can be a handy way to store passwords securely and make it quicker to log into websites with long, unique passwords for each account that you have.
Note that the 1password password manager is different from the 1password password generator that I’ve been describing above. The generator simply creates strong passwords. The manager stores those passwords and fills them into websites for you.
In my experiences in helping friends set up password managers, they are challenging to get used to. As in, spend an hour-long zoom session in helping them get things set up.
Put another way: password managers are useful tools — but like any tool, they require time to learn. What I’ve found is that it’s exhausting for non-technical users to get the hang of setting up strong, unique passwords and 2-factor authentication with text messages. Once they’ve done that, they often don’t have the patience to set up a password manager.
Complicating things further is the fact that Apple has its own password manager that works on iPhones, iPads, and Safari browsers running on Macs. But it doesn’t work on other Mac browsers. Google has a password manager that works on Chrome browser, but not elsewhere. This can lead to multiple popup windows on a web form, as different password managers vie for your attention. Very confusing, as you can see from the example below:
This is a horrible user interface. Clearly, as an industry, we have work to do to make password managers less confusing.
In summary: if you write down the passwords in a well-secured place, as described above, and use 2-factor authentication, you’ll have taken a huge step forward in your password security.
Extra credit: Google Authenticator
If you’re feeling adventurous, install Google Authenticator on your phone, and use it on sites that support it. Especially your Google accounts, and especially if you use Google Sheets to store your passwords.
Google Authenticator is more secure using text messages. But if you can’t get it to work, understand that text messages are pretty good, and a LOT better than a password by itself.
Here’s how to use Google Authenticator to secure your Gmail (and thus your Google account and Google Sheets):
Hope this helps. It’s a long post, but that’s because it’s an incredibly important topic. Again, we’re talking about your life savings, credit history, and other important aspects of your personal finances.
Thanks for reading to the end. Let me know if you have any questions!
Note to techies
You’ll notice I didn’t dive into discussions of combinatorics, SMS hijacking, encryption at rest, or quantum cracking. The goal here is to give non-technical folks a set of steps and principles that are hopefully easy-to-follow and improves their security posture.
With that in mind, how would you improve this post for non-techies? Let me know via a comment or email to alsargent at gmail.