Earlier today, eBay issued a press release letting users know that a cyberattack "compromised a database containing encrypted passwords and other non-financial data." Users will be asked to change their passwords just in case, though the company noted that eBay "has seen no indication of increased fraudulent account activity." This is sadly just one of many recent attacks, and it's something that won't be going away anytime soon, if ever.

Attacks like this are nothing new; over the years plenty of big-name sites have fallen victim to similar cyberattacks. Retail chain Target has been all over the news lately, and there are also vulnerabilities like the recent Heartbleed bug that affected Google, Facebook, Yahoo and dozens of other sites.

As we put more and more of our personal information and lives online, keeping that data safe matters even more. Your personal life (and data) is strewn across the web in more places than you realize, so keeping what you can private and safe is more important now than ever before. At Mobile Nations we've always been big on security and keeping yourself protected online, but what are you really doing to make that happen?

Hack me once, shame on me

I was never big on passwords. In fact, the two passwords I used for everything were ones given to me by my original ISP nearly 20 years ago. I memorized them at the time, and since they were a random jumble of letters and numbers I didn't give much thought to using anything else for any site. These were my go-to passwords, one used more than the other, but I never considered just how bad a practice this was until the day I almost lost my Gmail account.

A few years back I woke up to a slew of password verification notices from Google, and I instantly dove into a panic. I scrambled to log in to my account with no luck. After a few hours of work I managed to reclaim it, only to find that the hacker had changed all of my account info and sent hundreds of spam messages from it. I then realized that if getting hold of my password here had been this easy, I was extremely lucky it hadn't been tried on the many other sites that shared the same password.

It was then that I started using a password manager and spent the next few days making sure my passwords were different across all of the sites I frequented. I only had to remember my master password, which I made so long it took me over a week to memorize. Since then I've had no issues with hacking, and I've been sleeping soundly knowing that my online life is (mostly) safe.

Two-factor Authentication

Recently I've taken things a step further by enabling two-factor authentication (also called two-step verification) wherever it's available. I use it now across all of my Google accounts as well as other services like Facebook, Twitter and Dropbox. Two-factor authentication adds an extra layer of security to your accounts: after your password, you also have to enter a short-lived code provided either by an app (like Google Authenticator) or by text message. This ensures that only you can get into the account, even if someone else has your password. Where a site offers both, prefer the app: its codes are computed on the device from a secret the site shared with it during setup and never cross the phone network, whereas a text message can be intercepted or redirected.

Password Managers

The best bet for keeping your passwords secure, while also keeping them organized, is a good password manager. There are a few options available depending on your platform, but all are good choices and offer far more value than writing all of your passwords down in a "safe place". The manager generates a different random password for every site and stores them encrypted under a single master password, so the master password is the one you need to make long and memorable.

Strong Passwords!

If you're not up to using two-factor authentication or a password manager, at least use a strong password. Mix numbers, lowercase letters, capital letters and special characters, and the longer the better. Never use the same password twice: if a hacker does track down one of your passwords, the last thing you want is for them to have access to all of your accounts just because you used the same one across the board. Steer clear of passwords like your kid's name, a birthday or anniversary, "1234567", or the ever-popular "password". Apps like LastPass even offer a secure password generator, so you don't have to do any thinking on the matter.
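What a secure password generator has to get right, as an added example (not LastPass's code or anything from the article): draw from the operating system's cryptographic random source, guarantee every character class the text asks for, and measure the result in bits so "the longer the better" has a number attached. The symbol set and the 20-character default are my choices for illustration.

```python
# Added example: a password generator and the arithmetic behind "the longer the better".
# Character classes and the symbol list are assumptions for illustration.
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS   # 86 distinct characters


def generate_password(length: int = 20) -> str:
    """Random password containing at least one character from each class.
    `secrets` draws from the OS CSPRNG; the `random` module is predictable and must not be used here."""
    if length < 4:
        raise ValueError("need room for one character of each class")
    chars = [secrets.choice(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
    # Fisher-Yates shuffle driven by the CSPRNG, so the class-guaranteed characters
    # don't always sit at the front and give the structure away
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def has_all_classes(password: str) -> bool:
    """The mix-everything rule from the text, as a check a site could run on a chosen password."""
    return all(any(c in cls for c in password) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly random string: length * log2(alphabet size).
    This is an upper bound; anything a human picks (names, dates, "password") is far below it."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, has_all_classes(pw), round(entropy_bits(len(pw), len(ALPHABET)), 1))
    # a 7-digit PIN such as "1234567" tops out at about 23 bits even when random;
    # an 8-character password over the full alphabet is already about 51 bits
    print(round(entropy_bits(7, len(DIGITS)), 1), round(entropy_bits(8, len(ALPHABET)), 1))
```

Forcing one character from each class costs a fraction of a bit compared with a fully uniform draw, which is a fair trade for passing the site's complexity rules; the number that matters far more is the length, since every extra character over this alphabet adds roughly 6.4 bits.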

Are you using a password manager to cover your bases? What are some of your favorite tips for staying secure? Hit up the comments and let us know!


Reader comments

Using strong passwords and keeping your online self secure


Best way is two-factor authentication. If they steal your password manager, you will be in big trouble. So this is not an option for me.

Problem is not all sites offer two-factor authentication (I use it whenever possible). I also use LastPass because it's a password manager that offers two-factor authentication as well.

You overlooked the most obvious password manager, Chrome's password manager. It works on Android and iOS. If an app doesn't support OAUTH, I just look it up. I have been using it for over a year after the LinkedIn hack. There are Chrome extensions to force sites to remember my password. In the worst case, I just use a weak password, but it never comes to that when it's a semi-important website.

I wish it had an option to force a login authorization once before every session, like Firefox used to have. Every time you opened FF from scratch it'd ask for one master password before it'd let you use the saved passwords. I guess Chrome's manager works off the Google account tho, but it's also been proven to have some obvious vulnerabilities in the past, no clue how that's evolved.

See my comment below (half a dozen post threads down) for an alternative to a pw manager, easy method for remembering/sorta reusing passwords...

In truth, a password manager under a secure password/key isn't mathematically more risky than anything else, but psychologically it does seem like putting all your eggs in one basket.

Probably weaker against targeted/personal attacks too, though at that point I'm reminded of the xkcd comic:

http://xkcd.com/538/

Also, there's an argument to be made for a password manager with passwords that you don't know... Nobody can squeeze it out of your brain under duress since you don't know any of them! Unless they know you use a password manager and just ask for the password to that... :p There's ways around that too but then the whole system gets too cumbersome.

I've been using SplashID since my Palm Treo days, and recently updated to SplashID Safe. It's not perfect, but damn close. I'm surprised to see that it doesn't get mentioned like the others.

I was an avid fan and user of SplashID when I had my iPhone, and used it at first when I graduated to Android about 4 years ago. I was surprised though, how woefully behind it was, from the iPhone version, and I got totally disenchanted when they went over a year without any significant updates, despite obvious flaws and shortcomings at that time.

I finally gave up and switched over to mSecure, and have been quite happy with it, and now with it and Lastpass. It could be that SplashID has been radically improved since that time, but I haven't followed it since my switchover.

SplashID has definitely gotten better, and recently too. The cloud sync option is heaven compared to what it was a year ago. "I'd give it 5 stars Alex if I could preset password length and complexity." Now it's seamless. Add a new entry on my phone, and updated on every SplashID system I have (4 instances). That doesn't stop me from looking for something better, but thus far, I haven't found it.

I'm glad to hear that the app has been substantially improved in recent times. I have no idea why they ignored timely updates early in the Android cycle, but that is apparently behind them.

There's actually a simple way to reuse one or two main passwords without much danger... First, pick a nonsensical password; it helps make your scheme less obvious. Let's say your base password is t00dles, but you obviously shouldn't reuse it...

So instead, add the first three letters of the service/app where you're using it. Say it's gonna be your Facebook password: you'd use t00dlesfac or t00dlesook. If you wanted to mask it even better you can intertwine them and/or insert those three letters backwards, t00dlCeAsF for instance.

It might sound slightly complicated to some but it's a really easy system to implement in practice... Just make sure you have a mobile keyboard with easy access to arrows if you're gonna intertwine letters; it makes it much easier to type. To some it might sound way too obvious but it really isn't.

Whether it's a machine or a human looking at a long list of stolen passwords, they'd be hard pressed to make any connections even if they happened upon two distinct instances of your password (like t00dlceasf & t00dloeosg for FB & Google). If you were being targeted specifically it might be another story, but all bets are off then.

It's a really easy scheme to implement/use, and you can have two base passwords as an extra layer. Some might find it easier or more reassuring than a password manager that keeps all your eggs in one basket (tho mathematically neither poses more of a risk). Might wanna capitalize the first letter too so you're covered for sites that require one capitalization plus one number.

The key (no pun intended) is to be consistent; if you're consistent then you'll easily remember your system and the distinct password for everything you use. Might take you two tries at worst if you use two base passwords.

There's also the school of thought that thinks gibberish passwords are really no more secure than something like AndroidCentralthebestvisitdailyhopingforMotowatchnews. A computer would have a harder time cracking that than wf€h2ufg&46m...

Of course, even if it's easier to remember the former might not be accepted everywhere due to the obtuse password length and content requirements we've adopted over time... We've actually forced people to use easier to crack passwords. ;p

Reuse and straight up theft pose bigger dangers tho and a long & easy to remember sequence doesn't help much with either.

The argument with this is if you create an algorithm, a computer can do the same. So once one password is compromised, your formula is broken. Now, the likelihood of that being an issue? Probably slim.

But the bigger issue I had with this method (I used to do this) is the sometimes ridiculously short max lengths or inability to handle special characters. I end up needing to remember a few more combinations.
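The scheme described a few comments up, and the objection just made to it ("if you create an algorithm, a computer can do the same"), worked through as an added example. This is not code from either commenter; it implements the "t00dles" scheme exactly as they described it (plain appended variant and the interleaved, reversed, uppercased variant) and then shows what an attacker does with two entries for the same person pulled from a breach dump. The base, site names and the dump are the comment's own examples, constructed here as test data.

```python
# Added example: the "base password + first three letters of the site" scheme from the
# comment thread, and the template-recovery attack that two leaked instances enable.
# The base "t00dles" and the site names are the commenter's examples, used as constructed data.


def derive_appended(base: str, site: str) -> str:
    """Plain variant: base + first three letters of the site (t00dles + facebook -> t00dlesfac)."""
    return base + site[:3]


def derive_interleaved(base: str, site: str) -> str:
    """Masked variant from the comment: the three letters reversed and uppercased,
    slotted between the last three characters of the base (t00dles + facebook -> t00dlCeAsF)."""
    tag = site[:3][::-1].upper()
    head, tail = base[:-3], base[-3:]
    return head + "".join(b + t for b, t in zip(tail, tag))


def recover_template(leaks):
    """Attacker side. `leaks` is a list of (site, password) pairs belonging to one person.
    Each password position becomes either ('const', ch) (part of the base) or
    ('site', k, upper) (the k-th letter of the site name, in that case).
    Raises if the passwords don't fit one fixed-length template."""
    passwords = [pw for _, pw in leaks]
    n = len(passwords[0])
    if any(len(p) != n for p in passwords):
        raise ValueError("passwords differ in length; not a fixed template")
    template = []
    for i in range(n):
        column = [p[i] for p in passwords]
        if len(set(column)) == 1:
            template.append(("const", column[0]))
            continue
        slot = None
        for k in range(min(len(site) for site, _ in leaks)):
            for upper in (False, True):
                if all(c == (site[k].upper() if upper else site[k].lower())
                       for (site, _), c in zip(leaks, column)):
                    slot = ("site", k, upper)
                    break
            if slot:
                break
        if slot is None:
            raise ValueError(f"position {i} varies but is not explained by the site name")
        template.append(slot)
    return template


def recovered_base(template) -> str:
    """The constant positions are the user's base password."""
    return "".join(slot[1] for slot in template if slot[0] == "const")


def predict(template, site: str) -> str:
    """Apply the learned template to a site that was not in the dump."""
    out = []
    for slot in template:
        if slot[0] == "const":
            out.append(slot[1])
        else:
            _, k, upper = slot
            out.append(site[k].upper() if upper else site[k].lower())
    return "".join(out)


if __name__ == "__main__":
    base = "t00dles"
    dump = [(s, derive_interleaved(base, s)) for s in ("facebook", "google")]   # constructed leak
    template = recover_template(dump)
    print("base:", recovered_base(template))
    print("twitter guess:", predict(template, "twitter"))
```

With a single leaked password every position looks constant and the attacker learns nothing beyond that one password, which is the "probably slim" case in the comment above. With two, the positions that differ line up with letters of the site names and the whole rule falls out mechanically, including the reversal and capitalization that were meant to mask it. Credential-stuffing tools do this matching across dumps in bulk, so the scheme's safety rests entirely on never appearing in two breaches.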

Yeah, a computer (or even anyone that's taken high school math) could crack the system if they've found a few instances of it and/or they're focusing their efforts on you... And it isn't unheard of; that first-hand journalist account of Amazon/Apple password hacks a few years back was all born out of some kid wanting his Twitter handle (it wasn't really a hack either, and the whole thing came down to bad customer identification policies by a live human service rep).

Like you said tho, chances of that are slim and you can still have an extra layer of security on your main accounts thru two factor authentication. I use two base passwords that are between 6 and 9 characters, so the total password is usually a few characters longer. Haven't had much issue with length save for sites/services that ask for 4 character PINs and that kinda thing. I didn't start with a capital letter initially and that has been the only thing that occasionally trips me up.

As with any system, there are downsides and upsides, none is perfect. I haven't run across oddball requirements besides numbers/capitalizing too often but I know it does happen (a bank might require a #, capital letter, AND symbol for instance, while others might not take symbols). What cha using now btw? I started using this scheme early on when password managers on mobile were quite clunky and didn't auto fill in etc.

The one other flaw in this system is when you feel/need to change passwords, that's why it's a good idea to have two base passwords but even that is not enough in the long run. That's been my only issue so far after a few years, I'm debating whether to add a third base password (and eventually deprecate one, keeping it simple) or change up the way I intertwine (easier to do now but more confusing and less secure in the long run).

I finally broke down and started using LastPass 6 weeks ago. It was quite a chore. Besides securing passwords, I also closed down many online accounts I do not really use.

I know I should use 2-factor, but right now it just seems like a chore to need my cell phone to log into a site. I would be into 2-factor with biometric integration, like a keyboard with an integrated fingerprint scanner.

Generally with 2-factor authentication, if it's on a machine you always use, you can set it so it's not required on that machine.

Yeah, it'll still ask you for a pin sent to your phone or app every X amount of months but you don't need to go for the phone at EVERY login... Heck on your home computer you can just save passwords as normal (just have a system/BIOS password).

That's the beauty of two factor authentication, after initial setup it's actually the most secure and seamless security measure you can take. Way more transparent to the user than a password manager and it's even useful in case of physical device theft, since you can (usually) revoke device rights from the service's site.

If your phone or laptop gets stolen you just logon elsewhere (using the emergency codes, secondary phone, or nothing at all if you're using a personal system that's already authenticated) and you revoke access to said device.

Two factor authentication should be the bare minimum anyone does, even if you're the sort that uses dumb passwords (or specially so), there's no reason not to do so. It's completely transparent in daily use so there's little downside usability wise, and it even protects you against device theft.

No you don't have to reach for the phone daily unless you use your password in public computers a lot (which is itself a huge risk) or you don't trust your own system/practices to save them on personal systems (tho it's unavoidable for many things like a Google account, sync services, etc, so you kinda have to get over that).

If you wanna use a password manager or a salting/recycling scheme like I described above even better, but two factor authentication is the best measure IMO... Unless you lose/toss your phone constantly, in which case you might be hopeless and/or too paranoid to need this. :p

Just decided to give LastPass a go, as was getting a real nightmare about remembering passwords and variants of them all. Is the mobile version worth having as well once the subscription kicks in?

It works pretty well on mobile now, since they got beyond using their own special browser, and are now able to interject into most other Android apps.

Say more. Isn't it a pain to pull out an NFC dongle from your pocket to log into stuff on your phone, or, worse, find yourself in a room far from your computer with your Yubikey plugged into the USB?

Posted via Android Central App on Nexus 4

I can't decide whether or not to use a password manager. I am a student at a university and I use different computers all over campus all the time. It just seems like a royal pain to use a password manager... I know I should use one so I am more secure, but it just seems like such a hassle. Anybody know of a good way to use a password manager in my situation?

If you have a network drive that you can access when logged into your university computer account, you can save a copy of your password manager application (many have a "portable" executable) and the password file in there, then just run it when you are logged into a computer. Or, save those on your phone, plug the phone into the computer to charge while you're working on the computer, and run the password manager app from the phone's memory as if it's a USB thumb drive while you're there working. You're less likely to leave your phone plugged in when you get up from the computer than you are to leave an actual thumb drive.

I wouldn't wanna be plugging anything with a master password file into dozens of public computers at a college campus tbh...

I don't know how other colleges manage their network, mine used to give you a login that loaded a fresh user account/profile off the server every time you logged into a computer... These profiles allowed you to save some files to it and whatnot but were scrubbed clean periodically, I'd assume they were scanned constantly for threats too since they lived on the servers but I don't know.

Despite the very controlled and temporary nature of the user space/profiles, systems often ended up with all sorts of malware and viruses. I brought more than a couple on my USB drives before I decided to create a dummy email account for nothing else than emailing myself school projects I'd work on at campus PCs.

Exposing a password bank to that kinda environment seems like inviting trouble, no matter how well encrypted/protected.

@SEAJeff I've thought about a portable, but sometimes I have to use a Mac (Boo!), which kind of kills the portable executable.

@Impulses I'm not so worried about that as all of the computers I use require me to log in and have deep freeze on them.

I think I'm just going to give LastPass a shot, even if it's a pain, it'll be more secure.

LastPass is great. I use it with 2-factor authentication on my PC and pay for Premium so I can use the app on my phone. Only $12 per year. I change my passwords frequently and don't even know most of them.

Posted via Android Central App

I'm partial to msecure because it can sync with my other devices, over Wi-Fi. No need to send my precious database of passwords to Dropbox or some "secure" out of my control server.

Would be better if it was open sourced though, I suppose, to be more satisfactorily secure!

This is a little OT but security related. I use a pattern screen lock on my Android phone. Is there a setting/app/something that could detect when I'm at home using my location, or when I'm connected to my home Wi-Fi, and automatically override the screen lock? I know it's easy enough to toggle on/off manually, but it's a useless security measure if you forget to turn it back on when you leave home.

@Android Adenoid - Most of the automation apps (Tasker etc.) in conjunction with the Secure Settings plug-in do that. I use MacroDroid + Secure Settings, set up so it activates Wi-Fi when in range of the cell towers my phone connects to at home, and then when Wi-Fi is connected to my home network it removes my PIN lock, and reinstates it when the Wi-Fi connection is lost.

There's lots of apps that do that, Moto phones have a setting for it out of the box (think it only works off BT tho, not Wi-Fi). Some apps required root access at one point, dunno if that was universal and/or due to an Android system change since I'm usually always rooted.

I'm very pro 'weak' passwords. As long as it's not too easy to guess for people from my real-life social group, it doesn't really matter how strong it is. A third person doesn't run a brute force attack against my password; he just steals it from the company's server or somewhere in between. And then it really makes no difference how strong my password is.

It's way more important not to use the same password for everything, especially for the mail account itself.

Posted via Android Central App

Unless you're a well known person you don't need to have 100% totally uncrackable security - you just need to set the bar high enough that an attacker will move on from you when they find they have to put loads of work in to crack your accounts. They will just move onto someone else if the obvious stuff fails.

You don't have to outrun the Lion - you just need to outrun the other people running from the Lion!

Have been using LastPass for a while now, it's both more secure (better passwords) and easier than remembering all the passwords :) Only password I now have to remember is my super long super secure lastpass password. Oh, and Gmail as well, just in case ;)

One app not mentioned is ewallet. I've used it for years and been very happy. It not only stores all my passwords but ID #s, accounts, medical cards, info about my parents I might need in an emergency etc. Anything I don't want prying eyes to see. It also has a desktop equivalent that I use just as much.

I am a bit partial to ENPASS PASSWORD MANAGER.
Its neat UI makes it really convenient. It is pocket-friendly too, with a free desktop version; for the mobile version it just takes a small one-time payment and gives a lifetime license, so I am free from monthly and annual subscriptions.
It's very secure too, because it keeps your data stored locally on your device.
I can say Enpass is pretty good. :)