3. Passwords

BE SAFE

Get to know technology and find out how you can take steps to make your online experience a safer one. Here are some tips and ideas on how you can protect your privacy while browsing and communicating online.

How many passwords do you have? How many times do you get asked for a password as you use different spaces on the internet - from email to social networking and all those cool tools you've signed up for that are internet-based?  Hopefully you get asked A LOT. And hopefully your browser doesn't know the answer.

One of the most frequently cited problems – and concerns – raised by women's rights activists in secure online communications workshops is that email and social networking accounts “get hacked”. There are many ways that people can gain access to our private accounts that never involve actual hacking, and one of the most common is our own poor password management.

What's the risk?
Good practices for keeping safe
Resources

 

What's the risk?

1) Poor password management

It's common to use the same password over and over again. After all, it's hard when you are facing that sign-up form to a new service to be creative and think up a new password. You start to do things like write them down, ask your browser to remember, use secret terms like “letmein” (the eighth most popular password in a 2011 study), or put them in a file on your computer cleverly labelled "passwords" or "the key to my heart".  Or on the post-it stuck right by the computer!

We frequently share our passwords with our friends and intimate partners, or choose passwords that are easy to guess or even publicly available, like the name of our partners, family members and pets, and their birthdays.

It's important to pay attention to keeping passwords safe - it's not just our privacy and security at risk - it is everyone we have contact with. Including our fellow activists and the women our organisations are trying to support. Information that could be fine for you to share in your culture and context may not be fine in others, including on religion, sexuality and political beliefs. A breached password is the first step to private information being leaked, and could harm you or people who are important to you.

2) Password hacking programmes

Poor passwords make it easier for someone to gain unauthorised access to your account, because they are easy to guess or can be cracked using password hacking programmes freely available on the internet.

For example, programmes to reset or recover Windows administrator passwords abound on the internet. And the login password only controls who can log in to Windows; it does not protect the files stored on the disk. If a technician is undertaking computer maintenance for you or your organisation, she can access the contents of your computer by removing your hard drive and copying the files onto another computer. Done this way, she is never prompted for your password because she bypasses Windows completely. Only encrypting the disk itself protects the files in that situation.

Two types of password hacking programme are most commonly employed to guess your password repeatedly and rapidly: “dictionary attacks” test your password against entire dictionaries of words in several languages, together with the common variations people make on them (swapping letters for digits, adding a year at the end); “brute force” attacks try every possible combination of letters, numbers and punctuation. You can make it much harder for these programmes to discover your passwords by using longer passwords that mix lower and upper case letters, numbers and punctuation.

The time it takes to discover your password depends on how many guesses the attacker can make per second. A guess that has to go through the service's login form is slow and usually rate-limited; guesses run offline against a stolen copy of the service's password database are limited only by the attacker's hardware. What might take a “normal” computer days or months would take seconds for a computer with very powerful processing speeds, such as one of Google's super computers. As a rough indication, an 8-character all-lowercase password can be cracked in less than a day by a regular computer, but if you replace two of the characters with one capital letter and one punctuation mark, it would take a regular computer a few months to crack it, because the number of possible passwords grows enormously with each extra character and each extra kind of character. Because of this, and because computer processing speeds are constantly improving (graphics cards now feature powerful processors designed for games that turn out to be equally good at guessing passwords, for example), it's important to be more conscious about creating longer and more complex passwords.
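To make the "longer and more complex" argument concrete, here is a short Python script added to this guide as an illustration; it is not part of the original text. It counts how many passwords an attacker would have to try for a given length and mix of characters, and converts that into a rough time-to-crack at three guess rates. The three rates are assumptions chosen for illustration, not measurements, and the figure is an upper bound: a password built from a dictionary word, a name or a famous quote falls far faster than this arithmetic suggests.

```python
import math
import string

# Character classes a password can draw from, with the size of each.
# string.punctuation is the 32 ASCII symbols; the space is counted on its
# own because the guide suggests using spaces where a service allows them.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "punctuation": string.punctuation,
    "space": " ",
}

# Guess rates (guesses per second) are assumptions for illustration: a
# rate-limited login form, an offline attack on a stolen database protected
# by a slow (stretched) hash, and an offline attack on GPUs against a fast
# unsalted hash.
GUESS_RATES = {
    "online login form": 1e1,
    "offline, slow hash": 1e5,
    "offline, fast hash on GPUs": 1e10,
}


def alphabet_size(password: str) -> int:
    """Size of the character set an attacker must search: the sum of the
    sizes of every class that appears at least once in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """Brute-force entropy: log2 of the number of passwords of this length
    over this alphabet. An upper bound; dictionary words and famous quotes
    are much weaker than this suggests."""
    return len(password) * math.log2(alphabet_size(password))


def seconds_to_crack(password: str, guesses_per_second: float) -> float:
    """Expected time for exhaustive search: on average the attacker has to
    try half of the keyspace before hitting the right password."""
    return 2 ** entropy_bits(password) / 2 / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that is at least 1."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def report(password: str) -> dict:
    """Summarise alphabet, entropy and crack time for every guess rate."""
    return {
        "alphabet": alphabet_size(password),
        "bits": round(entropy_bits(password), 1),
        "crack_time": {name: human_time(seconds_to_crack(password, rate))
                       for name, rate in GUESS_RATES.items()},
    }


if __name__ == "__main__":
    # Constructed samples: the guide's 8-lowercase-letter case, the same
    # length with one capital and one punctuation mark, and a passphrase
    # with spaces.
    for sample in ("abcdefgh", "abcdefG!", "Feminism is the radical notion"):
        r = report(sample)
        print(f"{sample!r}: alphabet {r['alphabet']}, {r['bits']} bits")
        for name, t in r["crack_time"].items():
            print(f"    {name:<28}{t}")
```

Running it shows the point the text makes: eight lowercase letters are a matter of seconds for an offline attack, eight characters with a capital and a punctuation mark take days, and a thirty-character passphrase of ordinary words with spaces is out of reach of brute force at any of the three rates. It also shows why the rate matters: the same password that survives for years behind a login form can fall in minutes once the password database has been stolen and the site stored it with a fast hash.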

Once a hacker has one of your passwords, they will immediately try to gain access to other online spaces you use, and if you use the same password for different online spaces you will be extremely vulnerable to attack.

3) Spyware, keyloggers and sniffing

Spying programmes such as keyloggers are hidden programmes installed on a computer that record every key that is typed. Some also take screenshots to see what is being clicked. Although poor passwords are common, even an excellent password can be captured if our computers have spying programmes such as keyloggers installed by someone who has access to them, or if we type it on a borrowed computer that carries one. It can be hard to know when a keylogger has been installed because they often hide under an innocent-sounding name or file.

If we are using our computers on wireless networks – even ones that are password-protected – our information can be vulnerable to “sniffing”. Sniffing means that other computers connected to the same wireless network can examine our “traffic”: the websites that we visit, our chats and, when a site does not encrypt the connection (https), even our passwords. For more information on how to avoid sniffing, visit the secure browsing section in Be Safe.

4) Phishing

Sometimes we can be tricked into giving up our username and password by sites that look like our bank, social network or bookstore, but are in fact clever imitations designed to convince the user that they are genuine. This is called phishing. Once you enter your login information on the fake site, an error message might appear, and many of us would simply think that the site is temporarily down. By then, however, our username and password have already been recorded. Most phishing starts in our email, where “support” services or “human resources” tell us they are updating their databases, or warn of a possible fraud on our bank account, so that we click on the link in the fake email.

 

Good practices for keeping safe

1) Keep your password safe

The first level of password protection is actually keeping it to yourself.  Just as how we insist on best practices in our activism, we need to develop best practices around keeping the information on our computers safe and ourselves protected online. We need to be aware of people walking by or glancing over our shoulder when we enter our passwords, and note if there are any video cameras in cybercafes or workstations where we access the internet.

By taking the time to create a safe and secure space we really are respecting ourselves, our families, friends and colleagues. In personal relationships, privacy is an important part of respect and trust, and we should never be expected to share our passwords to prove trust, or expect others to share their passwords with us.

2) Change your passwords regularly

No doubt you've heard the following advice before, but it is very important to take seriously:

  •     don't use the same password in more than one service
  •     never share your passwords with anyone
  •     never write passwords down
  •     DO change your passwords frequently - once a month.

If you have had to give someone your password for any reason, or think that it may have been seen, don't hesitate to change your password immediately. 

Changing a password stops a password hacking programme that is still guessing, and locks out anyone who already has the old one. Where the service offers it, also sign out of all other sessions, since some services keep existing logins alive after a password change. Thinking up and remembering a few very secure passwords a month is a reasonable trade-off for your online safety. Managing passwords with a key safe such as Keepass, in tandem with secure passphrases and passwords, will fortify your safety immensely.

If you see ANY suspicious activity in an online service you should change your password immediately. Let's take your email as an example. If you see emails which you did not send in your outbox or sent folder, contacts you don't recognise, receive alerts from friends that you are sending spam or viruses, or notice that certain elements of your email environment have been rearranged – immediately check your account settings. You will want to find out if your mail is being forwarded elsewhere, if the recovery email address used for password resets is indeed your own, and if the security question or cell phone number listed are also your own. Then change your password. You will also want to look at other elements in Be Safe, such as basic computer maintenance and secure browsing, to make your computer more secure.

3) Password-protect your computer

Different operating systems such as Mac, Linux and Windows handle administrator rights differently. Macintosh and Linux systems ask for an administrator password before any programme can be installed. On Windows, the account created during setup is an administrator account, and Windows does not insist that it has a password. Create a separate administrator account with a strong password and use it only for installing programmes; create an ordinary (limited) user account for all other computer activity. That way a programme run from your everyday account, including one you did not mean to run, cannot quietly install itself system-wide.

Activate password protection for your computer. If you leave your computer – even for just a moment to get coffee or go to the bathroom – make sure you “lock down” your computer, i.e. require that the password be keyed in before you can access it. This will make it more difficult for someone trying to install a keylogger programme on your computer physically. It also prevents someone from accessing and using accounts that you are logged into on your web browser, such as webmail or Twitter. Password protecting your computer is not sufficient protection, as we've seen above, but it is an important first step.

The password that gives you access to your computer is one of the few that you must always remember – and it must always be as secure as possible.

4) Basic computer maintenance

It's important to make sure your computer is virus- and spyware-free. Windows systems suffer more attacks and are more vulnerable than Macintosh and Linux operating systems.  Having good antivirus protection and a firewall is an important part of basic computer maintenance and will help guard against remote spying.

Keep your anti-virus programmes up to date with the latest virus definitions, and give them time to scan all your files on a daily basis. This goes for Mac and Linux, too. Even though these operating systems are less likely to face virus attacks, they can pass viruses on to Windows users.

Operating systems are constantly being improved by their developers, as problems and weaknesses are discovered all the time. Keep your operating system up to date, too, especially when you are alerted that security patches are available.

5) Install a firewall

Firewalls are programmes that control which connections are allowed into or out of your computer over the network it is connected to, such as the internet. A port is a numbered entry or exit point on your computer, and each is conventionally used for one kind of service: a web server, for example, listens on port 80, and your browser connects to port 80 on that server to fetch pages. If another machine tries to connect to a port on your computer that nothing on it is serving, the firewall blocks the attempt and alerts you, asking whether the request should be allowed. A firewall can also control the outgoing attempts of programmes on your computer to connect to the internet; this is sometimes called outbound filtering or a reverse firewall. If a programme is trying to connect to the internet and you have not requested it to do so, a reverse firewall will raise the alert. See the resources section for more information on firewalls.

6) Avoid being phished

Phishing ploys look quite convincing – they use the logos of well-known companies and the link appears to lead to the company's site. Always be dubious of email contact from the services you use such as your bank, social networking sites, or even your email provider – any space that normally requires you to log in. If you hover your mouse over the link a phishing message provides, you may see a slight variation on the address, such as a change in the spelling of the name or a prefix. Always examine a link with care before visiting the site. Once the site loads, again check the site address in your navigation bar. While addresses can change, for example to include a prefix, the main address (ie: citibank.com

Never click on a link sent to you by email or in pop-up window advertisements. Copy the link and paste it into a separate browser window instead, so that you can look at the address before visiting it; better still, type the address of the service yourself or use a bookmark you created, so that the email has no say in where you end up.
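The checks the text describes (is the name spelled exactly right, is it only a prefix on some other domain, what does the address really point to) can be written down. The Python script below is an added illustration, not part of the original guide: it takes a link, works out which host the browser would actually connect to, and says whether that host is the expected site or one of the look-alikes phishers use. The expected host citibank.com is the guide's own example; the sample links and function names are constructed here. The checks are deliberately simple and do not cover everything, for example look-alike letters from other alphabets.

```python
from urllib.parse import urlsplit

# The genuine host, taken from the guide's own example.
EXPECTED_HOST = "citibank.com"


def host_of(link: str) -> str:
    """The host the browser would actually connect to for this link.
    urlsplit only recognises the host when a scheme is present, so one is
    supplied for bare links like 'citibank.com/login'. Anything before an
    '@' is treated as a username, exactly as a browser does."""
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").rstrip(".")


def is_genuine(link: str, expected_host: str = EXPECTED_HOST) -> bool:
    """True only if the host is the expected domain or a subdomain of it,
    so a 'secure.' or 'www.' prefix on the genuine domain is accepted."""
    host = host_of(link)
    return host == expected_host or host.endswith("." + expected_host)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike spellings."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # delete
                               current[j - 1] + 1,              # insert
                               previous[j - 1] + (ca != cb)))   # substitute
        previous = current
    return previous[-1]


def classify(link: str, expected_host: str = EXPECTED_HOST) -> str:
    """Explain why a link is, or is not, the expected site."""
    if is_genuine(link, expected_host):
        return "genuine"
    raw = link if "://" in link else "http://" + link
    host = host_of(link)
    if "@" in urlsplit(raw).netloc:
        return f"text before '@' is a username, the real host is {host}"
    if expected_host in host:
        return f"expected name is buried inside another domain: {host}"
    if edit_distance(host, expected_host) <= 2:
        return f"look-alike spelling of {expected_host}: {host}"
    return f"unrelated host: {host}"


if __name__ == "__main__":
    # Constructed sample links of the kinds the text describes.
    SAMPLES = [
        "https://secure.citibank.com/login",
        "http://citibank.com.example.net/login",
        "http://citibank.com@example.net/login",
        "http://citibnak.com/login",
        "http://192.0.2.10/citibank.com/login",
    ]
    for link in SAMPLES:
        print(f"{link:<45} -> {classify(link)}")
```

The important line is in host_of: the browser decides where to connect from the part of the address between the scheme and the first slash, so anything after that slash (a path such as /citibank.com/login) and anything before an @ (which a browser treats as a username) count for nothing. That is exactly the part of a link the text tells you to read.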

7) Tips to build a more secure password

Here are some suggestions on how to build a more secure password that bear repeating:

a) Think passphrase instead of password. This is easier to remember and can help us interconnect important associations that only we know about. It is also usually much longer than a password, which can make it harder to crack.

b) Don't use dictionary words or proper names. As mentioned earlier, password hacking programmes include those that go through words in dictionaries - and in different languages, so substituting English words with other terms is not foolproof.

c) Don't use information that can be easily associated with you - birthdays, family names etc.

d) Build complex passwords that mix lower and upper case letters, numbers and punctuation marks. If the service allows it, use spaces as well.

e) And the longer it is, the better: at least 10 or 12 characters, and 20 or more if the service allows.

You can also create complex and long passwords that are easy to remember from passphrases that are meaningful only to you. Here's a suggestion of how to go about this:

First:

  • select a line or title from your favorite poem or song
  • remember your favorite protest march sign or rallying cry
  • open a book and select a passage at random, or grab a preferred quote
  • remember back to your favorite things at a certain age: music, sports, food, a toy

Next:

  • Build a password by selecting letters from each word in your passphrase.
  • Develop your own personal code or policy for making passwords. Your code might tell you which letter in each word of the phrase will be used, i.e. the first letter of every word, or the last? You might always choose to capitalise the first and last letters in the passphrase. Your personal code could dictate which numbers and punctuation marks will always replace certain characters. For example, choose to replace all "i"s with the number 3. Or capitalise every 4th character because 4 is your favorite number.
  • You can apply these same substitutions in different passwords. This way, it's easy to change your passphrase frequently, but keep applying your own secret code policy to create your password from the passphrase.

For example:

“Feminism is the radical notion that women are people!” becomes: F3&rn&wap!

The personal “code” applied here:

  • use the first letter of every word and any punctuation to build the password
  • capitalise the first letter
  • substitute "i" with the number 3
  • substitute “t” with &

Ensure that the resulting password is at least 10 characters long. Bear in mind that well-known lines (famous quotes, song lyrics, slogans) appear in the wordlists that cracking programmes use, and so do the most common substitutions, so the less guessable the phrase, the better.
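The personal "code" above is a small set of rules, so it can be written as a programme. The Python below is an added illustration, not part of the original guide: the policy is the one applied in the guide's example (first letter of each word, keep the punctuation, capitalise the first character, i becomes 3, t becomes &), and the function reproduces the guide's result F3&rn&wap! from its passphrase. One detail the guide leaves open is assumed here: the substitutions act on lower-case letters only, so the capitalised first letter is never replaced. The second sample phrase and the check function are constructed here, and the check function implements the length rule together with the mix-of-characters rules from the list above.

```python
import string

# The personal "code" the guide applies to its example, expressed as data.
# The field names are this example's own choice.
POLICY = {
    "pick": "first",                        # which letter of each word: "first" or "last"
    "capitalise_first": True,               # capitalise the first character of the result
    "substitutions": {"i": "3", "t": "&"},  # assumed to apply to lower-case letters only
    "keep_punctuation": True,               # keep punctuation attached to words, e.g. "!"
    "min_length": 10,
}


def derive_password(passphrase: str, policy: dict = POLICY) -> str:
    """Turn a passphrase into a password by applying the policy."""
    chars = []
    for word in passphrase.split():
        letters = [c for c in word if c.isalnum()]
        marks = [c for c in word if c in string.punctuation]
        if letters:
            chars.append(letters[0] if policy["pick"] == "first" else letters[-1])
        if policy["keep_punctuation"]:
            chars.extend(marks)              # punctuation follows the word's letter
    if policy["capitalise_first"] and chars:
        chars[0] = chars[0].upper()
    # Substitutions are keyed on lower-case letters, so the capitalised
    # first letter survives untouched.
    subs = policy["substitutions"]
    return "".join(subs.get(c, c) for c in chars)


def check_password(password: str, policy: dict = POLICY) -> list:
    """Return the problems the guide's rules would flag (empty means fine)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"only {len(password)} characters, need {policy['min_length']}")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("no number or punctuation mark")
    return problems


if __name__ == "__main__":
    # Constructed samples: the guide's own example and a second, shorter phrase.
    for phrase in ("Feminism is the radical notion that women are people!",
                   "Not one step back, sisters!"):
        pw = derive_password(phrase)
        print(f"{phrase!r} -> {pw!r}", check_password(pw) or "ok")
```

The second phrase is there to show the check doing its job: five words give only seven characters, so the rule of at least 10 fails and you would need a longer phrase. Note also that the result is a mnemonic aid rather than a random password; for accounts that matter, the guide's own recommendation of long random passwords generated by Keepass (below) is the stronger option.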

Every month you can have fun thinking up interesting passphrases and renew your password at the same time.

8) Use encrypted password managers

Some web browsers like Internet Explorer and Firefox can remember your passwords for you. You may be tempted to use this as a convenient way to manage your passwords for the many different accounts that you regularly use. However, this is very insecure for several reasons. The most basic: anyone who has access to your computer - for example, when you leave it logged on while you take a coffee break, or when it is stolen - can easily get into all your online accounts and spaces. The file in which the browser stores all of your passwords is also readable by anyone who has logged into your computer using an administrator account, and unless the browser is set to protect it with a separate master password, it will show the stored passwords in plain text.

Instead, consider using a password manager with strong encryption, like Keepass. You may lose some of the convenience of your passwords being filled in automatically, but it is a much safer way to store and manage your passwords. See resources & tools for more information about Keepass and how to use it.
 

Resources & tools

a) Keepass

Keepass (http://keepass.info/) is a safe place to store your passwords. It is free and open source software*, developed by a community of technical experts. It creates an encrypted file that helps you manage your online and offline passwords and other vital information.  Keepass can even generate very long, secure passwords for you so you don't have to puzzle over creating a secure one of your own.  Keepass passwords are too complex for anyone to remember – you simply copy and paste them and never have to remember them at all.  Ironically, the most secure password is the one you can't remember.

Keepass also produces a password database, but it is strongly encrypted, which means that the information you enter has been disguised or “ciphered” so that it is no longer plain text. In the suggestions above for making a more secure password, you developed your own personal cipher or policy for disguising your passwords. Encryption is a far stronger version of the same idea: Keepass scrambles the database with a well-studied cipher (AES) using a key derived from your master password, so without the master password the only way in is to guess it, and a long master passphrase makes that impractical even for a computer running a dedicated attack for years. This is a lot more secure than, for example, the plain text file with all your passwords that you may have created for quick reference on your cell phone.

The Keepass programme or variations of it can be installed directly on your Windows, Mac or Linux computer, or you can use a portable application version and run it from your USB memory stick if the computer you are using does not allow you to install programmes. There are also versions for different cell phone models.

You can store your encrypted Keepass database of passwords online, on your desktop, on a USB memory stick - so that you can always use it instead of having to gingerly pull out that worn sheet of passwords from your wallet.

Of course, another password you  won't ever want to forget is the one that opens up your Keepass database. When you create your master password, create a difficult one based on the suggestions above.  Keepass lets you use spaces in your master password too, so take advantage to write an entire sentence or quote as your password.

You can download Keepass here: http://keepass.info/download.html
A first-steps tutorial is available here: http://keepass.info/help/base/firststeps.html

*What is free and open source software?
Free and open source software (FOSS) is available for everyone to inspect and explore, including the software “source code”: the human-readable instructions that define how the programme works. Many consider free and open source software more secure precisely because it is subject to many eyes and to testing by skilled technicians who can verify that the software is only doing what it claims to do. With software released under a proprietary licence, only the company's developers can see and understand the source code. There are many excellent free and open source software solutions that we can use on our computers whatever our operating system, Macintosh, Windows or Linux. The Linux operating system is itself open source.

Additional tips for using Keepass

Wait to use the extra-secure key file option: In the first-steps tutorial example you only use a passphrase to create your password database. There is an option to also associate a file (a “key file”) with the passphrase for added security. It's important to realise that if you ever lose access to that file, you cannot open your password database. Therefore, especially for beginning users, you might not want to activate that option.

Start by using your existing passwords: although ultimately you will be much more secure if you take advantage of Keepass' ability to generate random passwords for all of your online services, we highly recommend you try out Keepass by entering your own passwords for each service first. This way, if you forget your master password or have new-user difficulties, you will not be locked out of all your password-protected spaces. Once you are comfortable with the interface and able to quickly connect to your different services and copy-paste your passwords, then begin changing each service's password for a Keepass-generated one.

Saving your database: you can save your Keepass database anywhere, but try to use an inconspicuous name, and you may want to change the typical .kdb extension so that the file is not automatically associated with the Keepass programme. This only hides the file from a casual glance - the encryption is what actually protects it - and you can change the extension back when you want to open it. You can save your database on a USB stick or another mobile device such as a camera or cell phone. You can also store it online – it's encrypted, so it won't be readable like a text-file listing of passwords. To open it, you will need the Keepass programme and your master passphrase. Keepass itself is small enough to keep on your USB stick as well. Keepass is also available as part of the portable applications suite, highly recommended to avoid storing any private information on computers you do not trust.

 
Additional resources

Frontline Defenders and Tactical Tech developed the Security-in-a-Box series for human rights defenders and organisations.  It is a comprehensive guide to many secure online communications tools.

Tactical Tech's Ono the Robot has a series of animated videos to help understand risks and solutions for "survival in a digital age".

Further password tips for managing multiple scenarios, from Tactical Tech.