As our lives become more and more digitized, we share more and more personal data online, which carries the risk that not all of this information is handled safely.
Almost every service provided through the web requires some sort of authentication: you need a user account that contains at least a name and an email address, and sometimes your postal address, phone number, and other data.
Why does Internet privacy matter?
While we may use the Internet for trivial tasks like online shopping or ordering a pizza, having access to sensitive information like online banking or internal corporate data brings much more responsibility.
Each device or account on the Web can be targeted by cyber criminals. Hackers don't limit their attacks to businesses, big data processors, or government institutions. Most attacks nowadays aren't hand-picked: attackers collect vast amounts of data indiscriminately, which they resell on black markets or use in some money-making scheme.
On top of that, some online accounts contain very sensitive information such as bank details, payment information, or security codes. This information must be protected with the utmost care. Unfortunately, not all providers do their best to protect their users' data. You rarely have control over that, but you do have control over your side: your computing devices and your passwords.
How to secure your data?
Here are the generic guidelines and recommendations to protect yourself from hackers:
- Keep your software up to date with the latest security patches installed.
- Never install any pirated applications.
- Never click on links or attachments in spam emails. A very common spam/scam message tries to scare recipients into paying a ransom without any actual reason.
- Use a popular antivirus program and/or firewall.
- Look for the green padlock in the address bar on websites where you are asked for credit card details. It indicates that the connection to the web server is encrypted, so the data you enter cannot be read by third parties in transit; it says nothing about whether the site itself is trustworthy.
- Use two-factor authentication.
While these may sound worn-out and dull, they are the basics of personal online security.
How to create a strong password?
Nowadays there are lots of authentication methods, security software packages, and so on, but in the end the final step in protecting your account usually boils down to a login password. Choosing and protecting this password may therefore be the most important item on your online security checklist.
When choosing a password, you should avoid using:
• common passwords, such as the word "password" (in any language), "abc123", "letmein" and "newpass", or any dictionary word;
• passwords that you have used elsewhere;
• passwords similar to the username;
• passwords based on personal information that can be obtained via social engineering tactics;
• passwords based on a word with some letters replaced by similar-looking symbols, for example p@ssw0rd or 1l0v3y0u; this is quite a common practice, and attackers are well aware of it;
• a simple word or phrase combined with the current or a recent year, for example 2014pass or new2015.
Be sure not to share your password with anyone. Sending login credentials by e-mail, or over an instant messenger that does not encrypt the data, is considered unsafe.
A popular option is to use randomly generated passwords and store them in password-manager software. But again, the password manager itself needs to be protected by a final master password (sometimes you get additional authentication/verification options, such as a third-party signing USB key, which improve this protection immensely).
Our Control Panel has an automated password generator. It can be found in each interface where a new user, mailbox, or account can be created. It has three modes - Random, Pronounceable, and Passphrase - and all of them can generate strings from 10 to 64 characters.
You may have already heard the recommendations above. This is no wonder: these bullet points have been common knowledge in the IT scene for a long time. That, however, doesn't make them outdated or obsolete. They are still good, solid advice.
Even good things need revisions, however, and indeed the most recent guidelines from NIST (National Institute of Standards and Technology) on how to secure users' passwords contradict some of the best practices we have been used to.
- NIST recommends using passphrases rather than complex passwords. Passphrases are longer and easier for users to remember, because users build associations that are unique to them.
- Regular password changes are also no longer recommended, unless there is evidence of a breach, for example in services like https://haveibeenpwned.com/.
When users are confronted with a password change prompt while they just want to finish a job, they don't go all out on choosing the next best password. It turns out that most users simply add a number or character at the end of their old password, or reuse an older password (which may even be weaker than the one they are changing!). In the end, we cannot overcome human nature with rules. Go figure.
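To make the Random and Passphrase modes above, and NIST's passphrase advice, concrete, here is an added example generator that is not the Control Panel's own code. It draws every pick from `secrets` (never `random`), enforces the 10 to 64 character range, and computes how many words a passphrase needs to match the entropy of a random password; the 16-word list is a constructed stand-in and the 7776-word size assumed in the comparison is that of a typical diceware list.

```python
import math
import secrets
import string

# Constructed mini word list; a real Passphrase mode draws from thousands of
# words (a diceware-style list has 7776), so each word carries far more entropy.
WORDLIST = ["anchor", "basket", "candle", "dragon", "eagle", "forest",
            "garden", "harbor", "island", "jungle", "kettle", "lantern",
            "meadow", "nectar", "orbit", "pepper"]
RANDOM_ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LEN, MAX_LEN = 10, 64   # the range the article's generator allows


def random_password(length: int) -> str:
    """Random mode: uniform picks from the full printable alphabet."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    return "".join(secrets.choice(RANDOM_ALPHABET) for _ in range(length))


def passphrase(words: int, separator: str = "-") -> str:
    """Passphrase mode: words chosen with a CSPRNG and joined by a separator."""
    phrase = separator.join(secrets.choice(WORDLIST) for _ in range(words))
    if not MIN_LEN <= len(phrase) <= MAX_LEN:
        raise ValueError("passphrase falls outside the 10-64 character range")
    return phrase


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count whose passphrase entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))
```

A 10-character Random password over 94 symbols carries about 65.5 bits; with a 7776-word list, six words reach that, and a six-word phrase is far easier to remember than ten random symbols.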