Thursday, October 27, 2016

Some thoughts on passwords, and online security in general

It is increasingly impossible to stay without going online for every requirement of ours, and it is increasingly scary how our life resides online. The key to this whole online life of ours is in our passwords, which reside in various places online, and are vulnerable to cyber attacks. So how do we protect ourselves?


Let us start with our main email account. This may seem innocuous – so what's the big deal if the password is compromised? – but this account, remember, is where all password reset links will be sent to, if you say 'forgot password'. Hackers, once they get access to your main email account, use this to reset all passwords. If your main email account is gmail, then secure it with a two-factor authentication. Every time you access it from a different machine which is not your usual one, it sends a code to your mobile which has to be entered. In fact, there is an app which generates this on your mobile. Also, there are back-up codes which you can note down somewhere for the times when you need to access your gmail and don't have your mobile with you, or the charge on your mobile has drained.


Now on to passwords in general, for all kinds of access on the net. We think we are being very clever when we put in our birthdays or name followed by 99, or some such pnemonic based password. When 9/11 happened, a lot of accounts of the employees who died there were immediately inaccessible since no one knew the passwords, putting the employers in a fix; however it was possible for experts to piece together their passwords through trial and error in most cases.


Birthdays, birth years, children's names, names followed by 99 etc., are strict no-no's for passwords. Dictionary words are to be avoided too, since it is possible to reverse-engineer to find the password in case of dictionary words. The longer the password and the more nonsensical it is, the more difficult it is to crack. Also, most websites insist that the password should have the following: (a) minimum 8 characters (b) maximum 16 or some such characters (c) a mix of small letters, capitals, and at least one 'special' character (d) no space or dot, sometimes (e) you need to change the password every three months or so!


Given that you have at least a dozen websites for which you need to remember passwords, how do you remember them? One of the best ways is to have an algorithm for generating your own password which is derived from a sentence that you can remember. For example you can start with the sentence:

(1)  "My ICICI account is my main account since 2010". You can even note this sentence in your wallet where it is easily accessible.

(2)  Take the first letter each word in the above: miaimmas2

(3)  Make the "third letter" capital: miAimmas2

(4)  After the third letter add a '^': miA^mmas2. Use this as your password.


Use a different password for each of your bank accounts; and don't use these passwords for non-banking sites.


While entering the password, especially if you are not on your own machine, it is good to use the virtual keyboard. This is to prevent a keystroke-reading cookie from getting at it. Talking of machines, it is necessary to have a good anti-virus software loaded on your machine and to keep the licence up-to-date.


All websites have a 'forgot password' option which enables you to reset the password from the backup email id. We have already discussed that this email id needs to have two-factor authentication.  There is also a set of questions along with their answers which is stored for this purpose – things like 'what is your mother's name', or 'which school did you first attend' – in these days of social media where nothing is private anymore, it is good to remember a standard set of fictitious answers to these questions, and to use those answers to these stock questions.


Never access sensitive accounts like bank accounts from machines that are not your own. Also, never through a wifi in a public place like a coffee shop. It is very easy for hackers to intercept all your actions in these places. Also, sites which require high security like bank accounts, always start with an 'htpps' rather than the usual 'http'. Check if this is the case. Never follow a link to access any site. Please type the whole address yourself. You sometimes are fooled by following links to sites with deceptively similar spellings.


Keep changing your passwords every few months at the very least.


Now on to debit cards, credit cards, etc.


All card numbers and their associated codes are at risk of being compromised at any time. Hence the following precautions would be good to take.


Keep a sensible credit limit on your credit card, only to the extent required. It is not a requirement for your status that you have a high credit limit. This naturally limits your liability in case of loss.


Keep a limited amount in your account that you access through your debit card; keep the rest in another account, and keep transferring amounts to the card account as and when required. As for the real account where you keep your real money, tear up the card, resolve only to use online transfers for withdrawing from that account.


Most cards have a daily limit for purchases and withdrawal from atm's. Review the limit; however, if you have followed the previous step, it may not be necessary to do that.


Convert all your cards to chip-based cards which are more difficult to duplicate. Keep an eye on your card while using it for payments, and don't just hand it over like we usually do at restaurants.


While using the card at an atm, especially in a foreign country or in a tourist location, be extra careful. It is always good to cover your hand with the other hand, while entering the pin at the atm.


Keep changing your pin often.


Keep your mobile password-protected, and make sure that sms's that come are not visible as a notification if the phone is locked. A lot of online transactions use two-factor authentication through mobile nowadays.


In India, two-factor authentication is mandatory for online payments; this is not the case abroad. Be very careful while using your card abroad. You can either use a separate card; or keep a limited amount in the account, and keep transferring to the main account as and when the balance goes down.


For online transactions, it is possible to get a temporary limit with a credit card number for one-time use. Your bank should be having this facility. Use this for sites which you are not sure of; it is too impractical to adopt this approach for all normal transactions.


Reduce the number of times you have to enter card details online by shifting to a payment app like Paytm for routine payments. It has the added advantage of added convenience.


Keep changing your cards once in a while. The bank does charge a nominal fee for this, but it is worth it.


And lastly, always be paranoid when it comes to passwords and security. It is not a question of 'if', it is only a question of 'when' your passwords and codes will get compromised.

No comments: