A few years ago I had to hack a couple of family email accounts after the passwords were lost. It took a few weeks, but I finally guessed the password of one and the answer to the security question of the other, which enabled me to change the password and recover years of vacation photos.
This exercise showed me that when it comes to the security of online accounts, the biggest threats aren’t necessarily viruses and spyware, but poorly chosen passwords, user names and security questions that can make accounts crackable by familiar people—and hackable by bad guys using common software.
Retirees with limited tech-savvy can be especially vulnerable, putting them at risk as they increasingly handle their banking, credit-card and retirement accounts online, check their Social Security benefits, or access their health-care plans. According to the Pew Research Center, people age 70 to 75 had the largest percentage increase in Internet use in recent years. And regardless of their skill level, older users are likely to have more assets.
But a few simple steps can reduce to almost zero one’s chances of being hacked, and reduce the frustration and time it takes to juggle multiple passwords for dozens of accounts. Here are some tips.
Start by setting up a user name that is difficult to guess. Most people use their own name, which means that anyone from your mother to a Ukrainian mobster can log on to the Fidelity or Chase website and enter your name, and then attempt to crack your password (see below).
Don’t let bad guys get to first base. Use an alias. After all, Citibank doesn’t care if your user name is Joe Jones, Whatsamata U or RomeoXOXO.
Next, build a password of at least 10 characters. This isn’t as hard as it seems.
Begin by selecting a phrase from a poem, scripture, lyric or advertising jingle, and create a word using the first letter of each word. For your Wells Fargo account, it might be: IAWL (“It’s a Wonderful Life”).
Then capitalize every other letter, and add a special character ($, #, /, etc.), followed by your ZIP Code: IaWl@10036. Once you get the hang of it, it’s simple. MiTrOaE$$10005 (“Money is the root of all evil”).
You also could set up a password using your favorite section of the tax code, say, 411(b)(1)(H), which already sounds like gobbledygook you made up on purpose, or a Bible citation, such as “1Timothy_6:10,” or “Job22:7.” Go wild.
For added security, make up a phrase and a number (“My mother is from Missoula”) + (your height and age) = MmIfM%51170.
Avoid using actual words, because password-cracking software can run through the entire dictionary in less than a minute. That is advice most people ignore, including many of the 6.5 million LinkedIn users whose user names and passwords were stolen earlier this month and posted on a black-market website.
At www.leakedin.org, which was formed to help people whose information was stolen, you can type in various passwords to see if they were compromised. I entered a handful of potential passwords I made up on the spot, including Bullwinkle, julesverne, harrypotter, georgewbush, Django, pa$$w0rd and thisandthat. All turned out to be actual LinkedIn passwords that had been leaked and cracked. Surprisingly, no one was using 2BorNot2B.
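To make the advice above concrete, the acrostic recipe, why a plain dictionary word falls quickly, and checking a candidate against a breached-password list the way leakedin.org did, here is an added Python example. It is not the article’s code or leakedin.org’s: the leaked list and the miniature dictionary are constructed sample data, and unsalted SHA-1 is assumed as the dump’s hash format.

```python
"""Worked example of the password advice above (added here; not the article's code).

Three checks you can run locally on a candidate password:
  1. build one with the article's acrostic recipe,
  2. estimate the brute-force search space from the character classes it uses, and
  3. look it up in a breached-password list (a constructed one here), the way
     leakedin.org did for the LinkedIn dump.
All data below is constructed sample data; no real breach data is embedded.
"""
import hashlib
import math
import string

# Constructed stand-in for a leaked-hash dump. A real dump holds only hashes; the
# plaintexts exist here only so the set can be built offline. Unsalted SHA-1 is
# assumed as the hash format.
_CONSTRUCTED_LEAKED = ["Bullwinkle", "julesverne", "harrypotter", "pa$$w0rd", "thisandthat"]
LEAKED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _CONSTRUCTED_LEAKED}

# Constructed miniature wordlist; a real cracking dictionary has hundreds of
# thousands of entries and is still exhausted in well under a minute.
SMALL_DICTIONARY = {"bullwinkle", "julesverne", "harrypotter", "django", "password", "thisandthat"}


def acrostic_password(phrase: str, symbol: str, number: str) -> str:
    """Apply the article's recipe: first letter of each word, alternating case
    starting with a capital, then a special character, then a number (e.g. a ZIP)."""
    initials = [word[0] for word in phrase.split() if word[0].isalpha()]
    mixed = "".join(ch.upper() if i % 2 == 0 else ch.lower() for i, ch in enumerate(initials))
    return f"{mixed}{symbol}{number}"


def brute_force_bits(password: str) -> float:
    """Rough search-space size in bits if every string built from the character
    classes the password actually uses had to be tried: length * log2(alphabet)."""
    if not password:
        return 0.0
    classes = (
        (set(string.ascii_lowercase), 26),
        (set(string.ascii_uppercase), 26),
        (set(string.digits), 10),
        (set(string.punctuation), 32),
    )
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(alphabet)


def is_dictionary_word(password: str, dictionary=SMALL_DICTIONARY) -> bool:
    """True when the password is a plain wordlist entry: it falls to a dictionary
    run no matter what brute_force_bits reports for it."""
    return password.lower() in dictionary


def is_leaked(password: str, leaked_hashes=LEAKED_SHA1) -> bool:
    """Hash the candidate the same way the dump did and look it up. The plaintext
    never leaves the machine, which is the property to insist on for any breach check."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in leaked_hashes


def password_report(password: str) -> dict:
    """Combine the three checks into one summary for a candidate password."""
    return {
        "password": password,
        "brute_force_bits": round(brute_force_bits(password), 1),
        "dictionary_word": is_dictionary_word(password),
        "leaked": is_leaked(password),
    }


if __name__ == "__main__":
    candidates = (
        "harrypotter",
        acrostic_password("It's a Wonderful Life", "@", "10036"),
        acrostic_password("Money is the root of all evil", "$$", "10005"),
    )
    for candidate in candidates:
        print(password_report(candidate))
```

The report makes the article’s point visible in numbers: “julesverne” scores about 47 bits against exhaustive search but is a single wordlist entry, while the 10-character acrostic uses all four character classes and is neither in the wordlist nor in the (constructed) breach set.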
Using Your Passwords
You don’t need dozens of passwords. Create at least five, and use the most complex for sensitive accounts such as email, Facebook and TurboTax. Use a different password for online retailers or airline awards programs, and another for utilities, such as your cellphone and cable providers.
Have a fourth password for less sensitive sites, such as Pinterest or Netflix, and a throwaway password for sites you visit once, such as a news site that requires you to set up an account to access an article.
Ideally, you should have a different user name and password for each site, but that is a tall order in real life. If you want to go this route, use a password manager program, such as SplashID.
If you write your passwords down, don’t disclose the root “word,” but instead use a hint. If your phrase is “Round up the usual suspects” (RuTuS), the hint might be “Casablanca.” And don’t write down all the numbers, either. The crib sheet for your TD Ameritrade password, RuTuS//10036, would thus be: Casablanca//1****6.
Although intended to increase the security of your accounts, security questions can actually make them easier to crack. These are the questions you must answer if you have forgotten your password and want to reset it.
Unfortunately, the questions can be easy to guess. Someone who knows your mother’s maiden name, your city of birth, your favorite color or sports team might be able to reset your password and gain access to your account.
I managed to crack the family Yahoo account by guessing the answer to the security question, chosen by the person who originally set up the account, which was “What was your high school mascot?” (Purple haze).
If the security questions are all as pitiful as the ones above, add a prefix or suffix to thwart hack attacks. “Name of your first pet?” Answer: Mr. PicklesXYZ.
Finally, make sure your wireless network at home also is protected by a strong password. If it isn’t, neighbors can use it to go online, or creeps (and at one point Google Street View cars) can intercept what you are doing on the Web.