{"id":4216,"date":"2018-01-18T22:19:03","date_gmt":"2018-01-19T04:19:03","guid":{"rendered":"https:\/\/justinparrtech.com\/JustinParr-Tech\/?p=4216"},"modified":"2018-01-18T22:19:03","modified_gmt":"2018-01-19T04:19:03","slug":"password-commandments","status":"publish","type":"post","link":"https:\/\/justinparrtech.com\/JustinParr-Tech\/password-commandments\/","title":{"rendered":"Password Commandments"},"content":{"rendered":"<p><strong>Thou shalt protect your data.<\/strong><\/p>\n<p>Passwords are the most versatile and effective way to protect your data, but most people break these simple rules.<\/p>\n<p>Using a weak or ineffective password strategy in an always-connected world means that your money, data, and identity are at risk.<\/p>\n<p><strong>Thou shalt follow these commandments in order to protect yourself, both online and offline.<\/strong><\/p>\n<p><!--more--><\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"i-%e2%80%93-thou-shalt-not-use-biometrics-for-security\"><\/span>I &#8211; Thou Shalt Not Use Biometrics for Security<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Biometrics sounds really cool and high-tech, but the 
reality is that every single biometric authentication system in existence today, and every one that will ever be invented, can easily be hacked.<\/p>\n<p>The concept behind biometric authentication is that &#8220;you&#8221; are your password.\u00a0 Since &#8220;you&#8221; are the &#8220;only you&#8221;, then &#8220;only you&#8221; can authenticate and gain access to biometrically-protected resources.<\/p>\n<p>In reality, everything about you, from your face to your fingerprint, and even your DNA, can be copied.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>What is biometric authentication?<\/strong><\/p>\n<ul>\n<li>Retinal eye scan<\/li>\n<li>Fingerprint<\/li>\n<li>Palm print<\/li>\n<li>Facial recognition<\/li>\n<li>Gait recognition (how you walk)<\/li>\n<li>Ear profile<\/li>\n<li>Voice print<\/li>\n<li>DNA scan (theoretical)<\/li>\n<\/ul>\n<p><strong>Every single one of these security measures can be easily subverted, and in most cases, using common household items:<\/strong><\/p>\n<ul>\n<li>Retinal scans can be bypassed using the original eyeball or a high-resolution print of the original eyeball<\/li>\n<li>Fingerprint and palm scans can be bypassed using the original finger, or by using a combination of glue or silicone gel with a high-resolution print of the original fingerprint<\/li>\n<li>Facial recognition is the least secure, and can be bypassed using a photograph of the original face<\/li>\n<li>Gait recognition isn&#8217;t commonly used, and is considered &#8220;perfectly secure&#8221; at this point.\u00a0 It analyzes an individual&#8217;s walk, and how they carry themselves.\u00a0 However, as robotics become cheaper and more accessible, it&#8217;s easy to envision programming a cheap, portable robot to mimic someone&#8217;s walk, in order to bypass gait recognition.<\/li>\n<li>Everyone&#8217;s ears are unique.\u00a0 But you can take a picture of anyone&#8217;s ear, and then print that picture out in order to bypass an ear 
scan.<\/li>\n<li>Voice prints can be easily bypassed using a voice recorder<\/li>\n<li>Although DNA-based security is theoretical at this point, it&#8217;s easy to imagine the bad guy obtaining a DNA sample by one of several means<\/li>\n<li>Most biometric locks have a backup key or PIN.\u00a0 So if you use fingerprint locking or facial recognition, an attacker can simply bypass it, and attack the backup key or PIN instead.<\/li>\n<\/ul>\n<p><strong>Infamous biometric security failures:<\/strong><\/p>\n<ul>\n<li>A man in Singapore, in 2004, was car-jacked for his Mercedes.\u00a0 When the thieves found out that his car used fingerprint authentication, they cut off his finger!\u00a0 So instead of an insurance claim, he had an insurance claim, a hospital bill, and a finger that he will miss for the rest of his life.<\/li>\n<li>In 2006, the Mythbusters, Adam and Jamie, beat a (at the time) state-of-the-art fingerprint scanner by using a photographic etching process.\u00a0 Low-end fingerprint scanners can be defeated using a printed copy of a fingerprint.<\/li>\n<li>In 2017, the brand-new iPhone X introduced facial recognition.\u00a0 Shortly after its debut, a Youtube video surfaced, demonstrating that two different Asian women could unlock the same cell phone, and numerous hacks have subsequently been demonstrated.<\/li>\n<li>In most states, photo-radar and red-light cameras are illegal.\u00a0 To get around this, they are administered by an &#8220;independent agency&#8221; (read: private corporation) that pays a sworn officer to review the tapes and issue a &#8220;fine&#8221; (in the form of a bill) to the vehicle&#8217;s registered owner, and the government gets a kick-back.\u00a0 As so-called proof, they include a high-resolution photo of the driver, taken through the windshield.\u00a0 You want to run red lights on the way to work?\u00a0 Wear a Nic Cage mask, and tell them to send the bill to Nic Cage, to whom you &#8220;swear&#8221; you lent your car that 
morning.<\/li>\n<li>Every movie that depicts a retinal scanner also depicts the victim having their eye removed, most often post-mortem, so that the bad guy can gain access to the secure area.\u00a0 <a href=\"https:\/\/en.wikipedia.org\/wiki\/Demolition_Man_(film)\" target=\"_blank\" rel=\"noopener\">Demolition Man<\/a>, for instance.<\/li>\n<li>Most heist movies depict the protagonist surreptitiously obtaining the target&#8217;s fingerprint or voice password, and then using it to gain access to a vault or other secure area.<\/li>\n<\/ul>\n<p><strong>Despite its current popularity, biometric security is not secure.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"best-practices\"><\/span>Best Practices<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li>Use a PIN or password instead of biometric security.\u00a0 Disable fingerprint locks and facial recognition.<\/li>\n<li>Use PhoneFactor (sends a text to your cell phone) or a USB key in conjunction with certificate PKI as a second authentication factor, in place of biometrics as a second factor.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"ii-%e2%80%93-thou-shalt-log-in-to-your-computer\"><\/span>II &#8211; Thou Shalt Log In to Your Computer<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Eventually, the popularity of the Windows operating system will decline in favor of more secure operating systems such as Linux and ChromeOS.<\/p>\n<p>Until then, you probably run some version of Windows.<\/p>\n<p>The biggest security hole in Windows is that most computer vendors configure the operating system to log you in without the need for a password.<\/p>\n<p>THIS IS BAD.<\/p>\n<p><strong>All security starts with physical security, and that means making sure someone who has physical access to your computer can&#8217;t get to your stuff, or pretend to be you online.<\/strong><\/p>\n<p>Windows has the ability to create separate profiles for each user, and 
to enforce passwords.<\/p>\n<p>In Windows, Linux, and many other operating systems, the purpose of a profile is to allow each individual user to have their own settings, and to prevent other users of the same computer from accessing each other&#8217;s data.\u00a0 Profiles also allow personalization so that each user sees their own customized desktop, their own bookmarks, and the like.<\/p>\n<p>Without a password, anyone who uses your computer &#8220;is you&#8221;, and has instant access to YOUR documents, YOUR internet history, and maybe even YOUR online accounts.\u00a0 Every time you click &#8220;keep me logged in&#8221;, that&#8217;s an opportunity for someone who IS NOT YOU to get access to YOUR STUFF, or to PRETEND TO BE YOU.<\/p>\n<p><strong>If someone logs in as you, they potentially have access to:<\/strong><\/p>\n<ul>\n<li>Your e-mail (see &#8220;Thou Shalt Protect Your E-Mail&#8221;, below)<\/li>\n<li>Your identity (see &#8220;Thou Shalt Protect Your Identity&#8221;, below), including date of birth, social security number, and driver&#8217;s license number<\/li>\n<li>Your bank account, financial information, and tax records<\/li>\n<li>Ability to purchase using your online accounts<\/li>\n<li>Pictures of you, your family, and your friends, including potentially embarrassing pictures<\/li>\n<li>Medical information<\/li>\n<li>Access to your social media (reputation)<\/li>\n<li>Your browser history, including any dirty little secrets.\u00a0 If you&#8217;re into fetish porn, now is the time to panic!<\/li>\n<li>History of what you watch online, from such sources as Youtube, Netflix, Hulu, and Amazon Prime.\u00a0 Been watching skin flicks lately?\u00a0 I&#8217;m sure your girlfriend or wife will be interested.<\/li>\n<li>Search history.\u00a0 At first this doesn&#8217;t sound that bad, but what if you searched for something sensitive and private?<\/li>\n<li>Any illegal activity, such as downloading movies and games or dealing in contraband<\/li>\n<li>Install software, 
including malware, viruses, and spyware that could damage your computer, steal or erase your data, or provide the attacker with remote access later down the road.<\/li>\n<li>WiFi networks, including &#8220;secure&#8221; networks to which you might have connected.<\/li>\n<\/ul>\n<p><strong>So, basically, anyone who logs in as you could steal your identity, steal your money, destroy your reputation, blackmail you, get you fired, and maybe even get you arrested.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"best-practices-2\"><\/span>Best Practices<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ol>\n<li><strong>Create a separate profile for each person (&#8220;user&#8221;).<\/strong>\u00a0 <strong>Even your wife, kids and friends.<\/strong>\u00a0 This ensures that your personal and private information remains personal and private.<\/li>\n<li><strong>Turn on password enforcement.<\/strong>\u00a0 Make sure that every profile has a password, so that everyone who uses the computer is protected.<\/li>\n<li><strong>Set a secure password for your profile.<\/strong>\u00a0 (See &#8220;Thou Shalt Create Secure Passwords&#8221; below).<\/li>\n<li><strong>Set a screen lock timeout<\/strong>.\u00a0 Whether you use a screensaver or not, make sure that your profile is configured to lock after 60 minutes of inactivity, and requires a password to unlock.<\/li>\n<li><strong>Enable or create a &#8220;guest&#8221; profile.<\/strong>\u00a0 If someone asks to use your computer, click &#8220;switch users&#8221;, and they can log in as guest.\u00a0 You&#8217;re not being a jerk, you&#8217;re simply setting boundaries.\u00a0 The guest profile should have limited permissions, so that it can&#8217;t access shared documents, can&#8217;t reconfigure the system, and can&#8217;t install software.\u00a0 Windows has a &#8220;guest&#8221; account defined by default, but it usually must be manually enabled.<\/li>\n<li><strong>Don&#8217;t make exceptions<\/strong>.\u00a0 If 
someone gives you crap about it, &#8220;Oh, I see how you are!\u00a0 You don&#8217;t trust me!&#8221;, respond with &#8220;This is my PERSONAL computer, and there are PERSONAL things that I don&#8217;t want to share with anyone, including you.\u00a0 No offense.&#8221;\u00a0 Your true friends will respect your boundaries, and, well, anyone else doesn&#8217;t really matter, do they?<\/li>\n<li><strong>Make sure there are no sensitive files in &#8220;Public Documents&#8221;, &#8220;Public Pictures&#8221;, &#8220;Shared Documents&#8221;, &#8220;Shared Pictures&#8221;, or similar<\/strong>.\u00a0 Anything you don&#8217;t want your kids to see should NOT be &#8220;public&#8221; nor &#8220;shared&#8221;.<\/li>\n<li>Smart TVs and other Media Player devices can access your computer, if they are on the same WiFi network, and can display both PUBLIC and PERSONAL pictures and videos, sometimes without logging in!\u00a0 Again, if you have anything in your &#8220;Pictures&#8221; or &#8220;Videos&#8221; folders that you wouldn&#8217;t want your kids to see, move it to a new folder under &#8220;Documents&#8221; called &#8220;Private&#8221;.<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<p><strong>Configure individual user profiles, and use passwords to keep other users out of your stuff, and away from your online accounts.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"iii-%e2%80%93-thou-shalt-secure-your-smart-phone\"><\/span>III &#8211; Thou Shalt Secure Your Smart Phone<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Your smart phone is the most personal device you own, and you take it everywhere you go.\u00a0 If it gets lost or stolen, you don&#8217;t want a stranger to be able to get to your stuff.<\/p>\n<p><strong>As with your computer profile, someone who gains access to your smart phone could steal your identity, steal your money, destroy your reputation, blackmail you, get you fired, and maybe even get you 
arrested.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"best-practices-3\"><\/span>Best Practices<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ol>\n<li><strong>Do not use biometrics for security.<\/strong>\u00a0 This includes facial recognition, fingerprints, and anything else having to do with your body.\u00a0 Although this flies in the face of popular practice and at first seems counter-intuitive, see &#8220;Thou Shalt Not Use Biometrics for Security&#8221; above.<\/li>\n<li><strong>Use a secure PIN or Password<\/strong> (see &#8220;Thou Shalt Construct Secure PINs and Passwords&#8221; below)<\/li>\n<li><strong>Use Android&#8217;s &#8220;Draw Pattern&#8221; lock feature<\/strong>.\u00a0 This is easy to use, intuitive, and very secure.\u00a0 Don&#8217;t use a simple \/ stupid or easily-guessed pattern.<\/li>\n<li><strong>Use Android&#8217;s &#8220;Guest Mode&#8221; (5.0 and up) when someone asks to use your phone<\/strong>.\u00a0 Guest mode allows the user to make phone calls and browse the internet, without access to install or remove applications, view pictures, or pair a device via Bluetooth.<\/li>\n<li><strong>If your phone doesn&#8217;t support &#8220;guest mode&#8221;, install a &#8220;guest mode&#8221; or &#8220;parental control&#8221; app<\/strong> that prevents unauthorized users from accessing your photos, contacts, and applications.<\/li>\n<li><strong>Both Android and iPhone support &#8220;remote wipe&#8221; and device deactivation capabilities<\/strong>.\u00a0 Make sure you have this configured, along with the &#8220;find my phone&#8221; feature, so that if your phone is lost or stolen, you can log in to Google Play or iTunes (respectively), and delete your personal data or, even better, deactivate (brick) your phone.<\/li>\n<li><strong>Configure your screen to lock automatically<\/strong>.\u00a0 Set the timeout to something tolerable, like 3-5 minutes.<\/li>\n<\/ol>\n<p><strong>Your smart phone is the nexus of your personal 
life, and a gateway to all of your online accounts.\u00a0 Make sure it&#8217;s protected.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"iv-%e2%80%93-thou-shalt-construct-secure-pins-and-passwords\"><\/span>IV &#8211; Thou Shalt Construct Secure PINs and Passwords<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Follow these guidelines in order to construct a GOOD password.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"hard-to-guess-easy-to-remember\"><\/span>Hard to Guess, Easy to Remember<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>PINs and Passwords can be easy to guess (that&#8217;s bad) or hard to guess (that&#8217;s good).<\/p>\n<p>They can also be easy to remember (that&#8217;s good) or hard to remember (that&#8217;s bad).<\/p>\n<table style=\"height: 54px; border-collapse: collapse;\" border=\"1\" cellpadding=\"5\">\n<thead>\n<tr style=\"height: 18px;\">\n<td style=\"width: 33.3333%; text-align: center; height: 18px;\"><\/td>\n<td style=\"width: 33.3333%; text-align: center; height: 18px;\"><strong>Easy to Guess<\/strong><\/td>\n<td style=\"width: 33.3333%; text-align: center; height: 18px;\"><strong>Hard to Guess<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"height: 18px;\">\n<td style=\"width: 33.3333%; text-align: center; height: 18px;\"><strong>Easy to Remember<\/strong><\/td>\n<td style=\"width: 33.3333%; text-align: center; background-color: #ff0000; height: 18px;\">BAD<\/td>\n<td style=\"width: 33.3333%; background-color: #00ff00; text-align: center; height: 18px;\">GOOD<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"width: 33.3333%; text-align: center; height: 18px;\"><strong>Hard to Remember<\/strong><\/td>\n<td style=\"width: 33.3333%; background-color: #ff00cc; height: 18px; text-align: center;\">? 
WHY BOTHER ?<\/td>\n<td style=\"width: 33.3333%; background-color: #ff0000; text-align: center; height: 18px;\">BAD<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Obviously, the best PIN or Password is HARD TO GUESS, but EASY TO REMEMBER.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"avoid-dictionary-words-in-passwords\"><\/span>Avoid Dictionary Words in Passwords<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Attackers use long lists of words, called &#8220;dictionaries&#8221;, when performing a brute-force attack known as &#8220;cracking&#8221;.\u00a0 As you may guess, dictionaries consist of common words, but they also include sports team names, names of places, and even celebrity names.<\/p>\n<p>When you construct a password, don&#8217;t use common words like &#8220;football&#8221;, or celebrity names like &#8220;Trump&#8221;.<\/p>\n<p>Here are some common methods to avoid words that appear in cracking dictionaries:<\/p>\n<ul>\n<li><strong>Use a non-common misspelling.<\/strong>\u00a0 <strong>Instead of &#8220;football&#8221;, use &#8220;looftabb&#8221;<\/strong>.\u00a0 The caveat, of course, is that it must be easy to remember.\u00a0 If you forget your password, it does you no good.\u00a0 In this case, we are rearranging the sounds, and taking the analogous spelling.<\/li>\n<li><strong>Use Pig Latin.<\/strong>\u00a0 In Pig Latin, you take the first consonant sound, put it at the end of the word, and add &#8220;ay&#8221; to the end.\u00a0 Words starting with a vowel simply get &#8220;ay&#8221; at the end.\u00a0 &#8220;football&#8221; becomes &#8220;ootballfay&#8221;.<\/li>\n<li><strong>Use &#8220;y&#8221; (or some other letter) for every vowel.<\/strong>\u00a0 &#8220;football&#8221; becomes &#8220;fytbyll&#8221;.\u00a0 Once again, make sure your substitution is consistent, and that you can remember that you used &#8220;fytbyll&#8221; and not &#8220;fyytbyll&#8221;.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" 
id=\"avoid-dictionary-words-in-pins\"><\/span>Avoid Dictionary Words in PINs<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>When constructing a PIN, many people will use touch-tone spelling.<\/p>\n<table style=\"border-collapse: collapse;\" border=\"1\">\n<tbody>\n<tr>\n<td style=\"width: 33.3333%; text-align: center;\"><p>&nbsp;<\/p>\n<p>1<\/p><\/td>\n<td style=\"width: 33.3333%; text-align: center;\"><p>ABC<\/p>\n<p>2<\/p><\/td>\n<td style=\"width: 33.3333%; text-align: center;\"><p>DEF<\/p>\n<p>3<\/p><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 33.3333%; text-align: center;\"><p>GHI<\/p>\n<p>4<\/p><\/td>\n<td style=\"width: 33.3333%; text-align: center;\"><p>JKL<\/p>\n<p>5<\/p><\/td>\n<td style=\"width: 33.3333%; text-align: center;\"><p>MNO<\/p>\n<p>6<\/p><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 33.3333%; text-align: center;\"><p>P<span style=\"color: #ff0000;\">Q<\/span>RS<\/p>\n<p>7<\/p><\/td>\n<td style=\"width: 33.3333%; text-align: center;\"><p>TUV<\/p>\n<p>8<\/p><\/td>\n<td style=\"width: 33.3333%; text-align: center;\"><p>WXY<span style=\"color: #ff0000;\">Z<\/span><\/p>\n<p>9<\/p><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Originally, this was introduced in order to allow the user to convert a mnemonic to a number.\u00a0 For example, in the 1950s, &#8220;Houston 5678&#8221; would be converted to touch tone as HOU-5678, or 468-5678.<\/p>\n<p>In the late 1990s, people used this same scheme for &#8220;T9&#8221; texting &#8211; the ability to spell words using numbers, with intelligent prediction.<\/p>\n<p>Today, people tend to construct a PIN using this same scheme, which can be problematic.\u00a0 Although it&#8217;s easy to remember (which is good), it may also be easy to guess (which is bad).<\/p>\n<p>If my name is &#8220;Bill&#8221; and I choose the PIN &#8220;2455&#8221;, an attacker could easily guess this based on my name, or by using a dictionary attack.\u00a0 The same holds true for any 4-, 6-, or 8-digit word or name that I construct into a PIN using touch-tone spelling.<\/p>\n<p>Here are some common methods 
to avoid PINs that are easy to guess using a cracking dictionary:<\/p>\n<ul>\n<li>When you select a PIN, use a site like <a href=\"http:\/\/www.aer.org\/\" target=\"_blank\" rel=\"noopener\">www.aer.org\/<\/a>, which converts keypad number sequences in to words, and <strong>check to make sure that your PIN doesn&#8217;t correspond to a simple word<\/strong>.<\/li>\n<li>To make sure that your PIN doesn&#8217;t spell a word, <strong>always use a 1 or a 0 somewhere within your PIN<\/strong>.\u00a0 Neither 1 nor 0 corresponds to a letter.<\/li>\n<li><strong>Intentionally misspell your word<\/strong>.\u00a0 For example, if your name is &#8220;Bill&#8221;, your PIN could be 2955, 2155, or 2055 instead.\u00a0 Try to be consistent, so that you don&#8217;t forget your PIN.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"avoid-too-much-733t-5p34k\"><\/span>Avoid Too Much 733T 5P34K<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><strong>(&#8220;Avoid Too Much LEET SPEAK&#8221;)<\/strong><\/p>\n<p>&#8220;Leet Speak&#8221; is where you substitute numbers and other symbols for letters in a word.\u00a0 For example, the letter &#8220;I&#8221; might become &#8220;1&#8221;, &#8220;!&#8221;, or &#8220;|&#8221;.<\/p>\n<p>While using a little bit of &#8220;Leet Speak&#8221; substitution can make your password harder to guess, using too much can make it really hard to remember.<\/p>\n<p>For example, did you use &#8220;|&lt;&#8221; for &#8220;K&#8221;, or &#8220;&amp;&#8221;?<\/p>\n<p>Remember that attackers use password cracking tools that employ a list of common words and names, called a dictionary&#8230; these password cracking tools can be configured to automatically perform &#8220;Leet Speak&#8221; substitutions, so even going to the extreme with Leet Speak doesn&#8217;t make your password that much more secure.<\/p>\n<p>Here are some Leet Speak best practices:<\/p>\n<ul>\n<li>Most websites and applications require &#8220;complexity&#8221;, which is 
another way of saying that they have rules about requiring a number, a symbol, and \/ or an upper-case letter.\u00a0 <strong>Leet Speak is a great way to incorporate a number or symbol in to your password, in a way that&#8217;s easy to remember.<\/strong>\u00a0 For example, use &#8220;!&#8221; for &#8220;I&#8221; or 0 for &#8220;O&#8221;, or flip one of the &#8220;E&#8221;&#8217;s in your password to a &#8220;3&#8221;.\u00a0 Just make sure you have a scheme, so that the substitutions are easy to remember.<\/li>\n<li><strong>Multi-symbol substitutions are stronger than single-symbol substitutions<\/strong>.\u00a0 For example, use &#8220;1&lt;&#8221; for &#8220;K&#8221;, &#8220;[)&#8221; for &#8220;D&#8221;, or &#8220;\\\/&#8221; for &#8220;U&#8221; or &#8220;V&#8221;.<\/li>\n<li><strong>Unlike keypad substitutions, Leet Speak is a great way to pick a PIN<\/strong>.\u00a0 For example, if you use the word &#8220;LIAR&#8221; as your PIN, it would be 5427, and because &#8220;liar&#8221; is a dictionary word, it would be quite simple to guess.\u00a0 Instead, if you use Leet substitutions, &#8220;LIAR&#8221; = &#8220;7147&#8221;.\u00a0 We keep the R=7 keypad substitution, since there isn&#8217;t an easy numeric substitution for &#8220;R&#8221;.\u00a0 Because our Leet PIN has a 1 in it, there is zero chance that it corresponds to a dictionary word.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"longer-passwords-are-more-secure-than-complex-ones\"><\/span>Longer Passwords are More Secure Than Complex Ones<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>We briefly touched on complexity above, and we&#8217;re all familiar with &#8220;pick your password&#8221; hell:<\/p>\n<blockquote><p>Your password must contain a number, a symbol, an upper-case letter, a hieroglyph, a gang sign, some alien writing, at least one species of flying insect, and a blood oath.<\/p><\/blockquote>\n<p>The purpose of requiring complexity is to increase the number of 
possible symbols in each position:<\/p>\n<table style=\"border-collapse: collapse;\" border=\"1\" cellpadding=\"5\">\n<tbody>\n<tr>\n<td style=\"width: 50%; text-align: center;\"><strong>Symbol Set<\/strong><\/td>\n<td style=\"width: 50%; text-align: center;\"><strong>Number of Symbols<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%; text-align: center;\">a-z<\/td>\n<td style=\"width: 50%; text-align: center;\">26<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%; text-align: center;\">a-z; A-Z<\/td>\n<td style=\"width: 50%; text-align: center;\">52<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%; text-align: center;\">a-z; A-Z; 0-9<\/td>\n<td style=\"width: 50%; text-align: center;\">62<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%; text-align: center;\">a-z; A-Z; 0-9;<br \/>\n!@#$%^&amp;*()-=_+<br \/>\n[]{};&#8217;:&#8221;,.&lt;&gt;\/?\\|<\/td>\n<td style=\"width: 50%; text-align: center;\">92<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>The thought process is that, by enforcing complexity, even a short password is fairly secure:<\/p>\n<table style=\"border-collapse: collapse;\" border=\"1\" cellpadding=\"5\">\n<thead>\n<tr>\n<td style=\"width: 119.917px;\"><strong>Password Length<\/strong><\/td>\n<td style=\"width: 125.317px;\"><strong>Combinations<\/strong><\/td>\n<td style=\"width: 116.767px;\"><strong>Time to crack<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"width: 119.917px;\">4<\/td>\n<td style=\"width: 125.317px;\">92^4 = 71.6 mil<\/td>\n<td style=\"width: 116.767px;\">2 hours<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 119.917px;\">5<\/td>\n<td style=\"width: 125.317px;\">92^5 = 6.6 bil<\/td>\n<td style=\"width: 116.767px;\">7.6 days<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 119.917px;\">6<\/td>\n<td style=\"width: 125.317px;\">92^6 = 606 bil<\/td>\n<td style=\"width: 116.767px;\">1.9 years<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 119.917px;\">7<\/td>\n<td style=\"width: 125.317px;\">92^7 = 55 E12<\/td>\n<td style=\"width: 
116.767px;\">176 years<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 119.917px;\">8<\/td>\n<td style=\"width: 125.317px;\">92^8 = 5 E15<\/td>\n<td style=\"width: 116.767px;\">16,274 years<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>(Assumes 10,000 attacks per second.\u00a0 Hash attacks can be performed much faster, but actual authentication attempts are much slower)<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>However, even if we use just upper and lower-case letters, we can get almost the same level of security:<\/p>\n<table style=\"border-collapse: collapse;\" border=\"1\" cellpadding=\"5\">\n<thead>\n<tr style=\"height: 54px;\">\n<td style=\"width: 98px; height: 54px;\"><strong>Password Length<\/strong><\/td>\n<td style=\"width: 140px; height: 54px;\"><strong>Combinations<\/strong><\/td>\n<td style=\"width: 107px; height: 54px;\"><strong>Time to Crack<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"height: 18px;\">\n<td style=\"width: 98px; height: 18px;\">8<\/td>\n<td style=\"width: 140px; height: 18px;\">52^8 = 53 E12<\/td>\n<td style=\"width: 107px; height: 18px;\">169 years<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"width: 98px; height: 18px;\">9<\/td>\n<td style=\"width: 140px; height: 18px;\">52^9 = 2.7 E15<\/td>\n<td style=\"width: 107px; height: 18px;\">8,815 years<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"width: 98px; height: 18px;\">10<\/td>\n<td style=\"width: 140px; height: 18px;\">52^10 = 144 E15<\/td>\n<td style=\"width: 107px; height: 18px;\">458,381 years<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>At 8 positions, using only upper and lower-case letters, we have almost the same level of security as 7 positions using letters, numbers, and symbols.<\/p>\n<p>By increasing your password to 10 positions, and using ONLY upper and lower-case letters, you can far exceed the security of a highly-complex, 8-position password.<\/p>\n<p><strong>Longer passwords are always stronger, with or without high 
complexity.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"use-text-icon-substitution\"><\/span>Use Text Icon Substitution<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>I know I just said that complexity doesn&#8217;t matter.\u00a0 It makes your password hard to guess, but too much complexity also makes it really hard to remember.<\/p>\n<p>However, you can use a &#8220;text icon&#8221; as a simple substitution for a letter within your password, which makes your password complex, yet much easier to remember.<\/p>\n<p>For example, let&#8217;s say that your password is &#8220;ilikekittens&#8221;.\u00a0 You might substitute a smiley &#8220;:-)&#8221; for the letter &#8220;e&#8221;, resulting in &#8220;ilik:-)kitt:-)ns&#8221;.<\/p>\n<p>Because we are substituting three symbols for a single letter, this has the effect of adding complexity, increasing the password length, and it&#8217;s also virtually guaranteed to defeat dictionary attacks.<\/p>\n<p>If you do use a text icon, just make sure you can type it quickly, and correctly, or you risk being locked out!<\/p>\n<p>Don&#8217;t be afraid to use your imagination.\u00a0 Here are some examples:<\/p>\n<table style=\"border-collapse: collapse;\" border=\"1\">\n<tbody>\n<tr>\n<td style=\"width: 120px; text-align: center;\">[-o-]<\/td>\n<td style=\"width: 172px; text-align: center;\">Tie Fighter<\/td>\n<td style=\"width: 145px; text-align: center;\">t[-o-]ef[-o-]ghter<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 120px; text-align: center;\">\\o-o\\<\/td>\n<td style=\"width: 172px; text-align: center;\">Glasses<\/td>\n<td style=\"width: 145px; text-align: center;\">gl\\o-o\\sses<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 120px; text-align: center;\">\\=\/<\/td>\n<td style=\"width: 172px; text-align: center;\">Glass of water<\/td>\n<td style=\"width: 145px; text-align: center;\">gl\\=\/ssofw\\=\/ter<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 120px; text-align: center;\">+&#8211;<\/td>\n<td style=\"width: 
172px; text-align: center;\">Ninja Sword<\/td>\n<td style=\"width: 145px; text-align: center;\">ninjas+&#8211;ord<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 120px; text-align: center;\">~v~<\/td>\n<td style=\"width: 172px; text-align: center;\">Eagle<\/td>\n<td style=\"width: 145px; text-align: center;\">m~v~agl~v~<br \/>\n<em>(See &#8220;Make it Hard to Crack&#8221; for an explanation of the &#8220;m&#8221;)<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"make-it-hard-to-crack\"><\/span>Make it Hard to Crack<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>After performing a dictionary attack, an attacker will typically revert to a brute-force attack, where the cracking program attempts to try every possible combination of letters, numbers, and symbols in each position.<\/p>\n<p>First, it tries every 1-digit password, so it tries &#8220;A&#8221;, then &#8220;B&#8221;, etc&#8230; to &#8220;Z&#8221;, then it starts with lower-case &#8220;a&#8221; through lower-case &#8220;z&#8221;, then it tries each digit &#8220;0&#8221; through &#8220;9&#8221;, and finally, it tries each symbol, such as &#8220;$&#8221; or &#8220;%&#8221;.<\/p>\n<p>Once it tries every 1-digit password, it moves on to every 2-digit password, starting with &#8220;AA&#8221; and ending with &#8220;%%&#8221; (perhaps).<\/p>\n<p>And so on.<\/p>\n<p>A clever attacker can set limits based on what they know about the environment, and customize the execution of the cracking program.\u00a0 For example, if the attacker knows that the system in question requires a minimum password length of 6 positions, or that the system in question won&#8217;t allow &#8220;&lt;&#8221; or &#8220;&gt;&#8221; (common for web applications to filter these out), then (s)he can set those limits within the cracking program, in order to reduce the amount of work to be performed, and hopefully reduce the time it takes to crack one or more passwords.<\/p>\n<p>Although 
any password should be equally secure, as you can see, if your password starts with the letter &#8220;A&#8221;, the cracking program will find it LONG before someone else&#8217;s password that starts with the letter &#8220;Z&#8221;.<\/p>\n<p>Since the cracking program can be customized, you don&#8217;t know whether the attacker will start with numbers first (0-9), or symbols, or letters, nor can you tell which symbols the attacker will choose to include.\u00a0 (Example, &#8220;&lt;&#8221; and &#8220;&gt;&#8221; are typically excluded because this mechanism is used as an attack vector to attempt to bypass web application security).<\/p>\n<p>Therefore, your best bet is to start your password with a letter.\u00a0 In fact, many web applications require the first symbol to be a letter.\u00a0 Most often, the cracking tool is configured by default to check numbers, then upper-case letters, then lower-case letters, then symbols, because this is the order that they appear in the computer&#8217;s ASCII symbol table, but you can&#8217;t guarantee that the attacker hasn&#8217;t customized the sequence.\u00a0 So your best bet is to start with a LOWER-CASE letter.<\/p>\n<p>If you could guarantee that the attacker always starts with &#8220;a&#8221; and progresses with every password combination until the cracking program hits &#8220;z%%%%%&#8221; (or whatever), then you would always start your password with &#8220;z&#8221;, but guess what?\u00a0 The attacker could run the attack in reverse.\u00a0 As a matter of fact, a smart attacker will run TWO cracking sessions &#8211; one forward, and the other on a second computer, running in reverse, which doubles the odds of hitting the correct password in half the time.<\/p>\n<p>So your best bet is to pick a password that starts with a lower-case letter that occurs in the middle of the alphabet &#8211; somewhere in the range of &#8220;i&#8221; to &#8220;r&#8221;.<\/p>\n<p>Likewise, when selecting a PIN, pick something that starts with 
&#8220;3&#8221; through &#8220;7&#8221;.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"how-to-construct-a-good-password\"><\/span>How to Construct a Good Password<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ol>\n<li>String some words together, to make your password LONG<\/li>\n<li>Use a few random capital letters<\/li>\n<li>Make a couple of &#8220;Leet Speak&#8221; substitutions<\/li>\n<li>Put symbols between words<\/li>\n<li>Substitute one or more letters for a text icon<\/li>\n<\/ol>\n<p>Example:<\/p>\n<ol>\n<li>Start with &#8220;hockeyiscool&#8221;<\/li>\n<li>Make some random capital letters and leet speak substitutions:\u00a0 &#8220;h0ck3yiSCooL&#8221;<\/li>\n<li>Add some symbols:\u00a0 &#8220;h0ck3y$iS%CooL&#8221;<\/li>\n<li>Throw in a text icon substitution, &#8220;\\_&#8221; = a hockey stick, and we will substitute for &#8220;o&#8221;:\u00a0 &#8220;h0ck3y$iS%C\\_\\_L&#8221;<\/li>\n<\/ol>\n<p>Depending on what the password protects, this might be way overkill.\u00a0 You have to judge for yourself, based on the risk that someone might gain access to the system, and the value of the information it protects.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"how-to-derive-a-password\"><\/span>How to Derive a Password<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>IDEALLY, YOU SHOULDN&#8217;T<\/p>\n<p>However, sometimes it&#8217;s expedient or convenient to have a set of passwords that are similar, for related applications.<\/p>\n<p>The easiest way to do this is to pick a few positions, and alter them in a predictable way.<\/p>\n<p>For example, let&#8217;s say that our base password is &#8220;h0ck3y$iS%C\\_\\_L&#8221; (from above), but our application doesn&#8217;t allow &#8220;%&#8221; symbol.\u00a0 The easiest thing to do is to substitute another $:\u00a0 &#8220;h0ck3y$iS$C\\_\\_L&#8221;.<\/p>\n<p>The trick is to do this in such a way that you won&#8217;t forget it in a month, the next time you go to use 
it.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"how-to-construct-a-good-pin\"><\/span>How to Construct a Good PIN<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ol>\n<li>Use as many digits as is feasible (not too long to remember easily).<\/li>\n<li>Pick a word that&#8217;s as long as your PIN, or longer<\/li>\n<li>FIRST, use &#8220;Leet Speak&#8221; to convert as many letters to numbers as possible<\/li>\n<li>THEN, use keypad alpha codes to convert the remaining letters<\/li>\n<li>If you have more digits than you need, discard 1 or more of the initial digits<\/li>\n<li>Make sure your PIN does not start with 1 or 9.<\/li>\n<li>Make sure your PIN includes at least a &#8220;1&#8221; or &#8220;0&#8221; (or both) so that it definitely does not spell a dictionary word<\/li>\n<li>If you can manage to remember it, transpose two of the digits<\/li>\n<\/ol>\n<p>Example:<\/p>\n<ol>\n<li>We need a 6-digit PIN, so we start with &#8220;crocodile&#8221;<\/li>\n<li>We convert as many letters as possible using leet:\u00a0 &#8220;cr0c0d1l3&#8221;<\/li>\n<li>We convert the remaining letters using keypad alpha:\u00a0 &#8220;270203153&#8221;<\/li>\n<li>We discard the weak 2, and take the next 6 digits:\u00a0 702031\u00a0 = &#8220;rocodi&#8221;<\/li>\n<li>We have two zeros and a one, which is actually too many ones and zeros, so we change the first zero in to a 4:\u00a0 742031<\/li>\n<li>My final PIN is:\u00a0 c + r4c031 + le\u00a0 (I can either look at the keypad, or remember that r = 7 and c = 2)<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"deriving-a-shorter-pin\"><\/span>Deriving a Shorter PIN<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Let&#8217;s say that we have our PIN, 742031, and we want to match this across several systems, but some of the systems only accept a 4-digit PIN.<\/p>\n<p>Although it&#8217;s a bad idea to reuse a PIN, there may be a legitimate reason, or maybe convenience outweighs 
the need for absolute security.<\/p>\n<ul>\n<li>Do not use the first 4 digits.\u00a0 If your standard PIN becomes compromised, they will check &#8220;7420&#8221; first<\/li>\n<li>Do not use the first digit at all.<\/li>\n<li>Take the remaining digits, and have some kind of scheme, such as 4203 (center 4), 1302 (last 4, backwards), or 2430 (center digits, rearranged)<\/li>\n<\/ul>\n<p>Again, DO NOT SHARE PINs BETWEEN SYSTEMS, unless the need for security is trivial.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"deriving-a-longer-pin\"><\/span>Deriving a Longer PIN<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Let&#8217;s say we normally use a 4-digit PIN, 7420, and for some reason, we need a few extra digits.<\/p>\n<blockquote><p>Anecdote:\u00a0 We have two cipher locks that take a 4-digit PIN, and 3 vehicles that use a 5-digit PIN.\u00a0 I won&#8217;t go in to detail, but one is a subset of the other, because there is absolutely zero risk of someone compromising my car, my garage, and my shed, all for the same reason.<\/p>\n<p>If we delve in to this a little, all three cars use ONE keyless entry code, which is TERRIBLE.\u00a0 At the very least, each vehicle should differ by 1 digit.\u00a0 However, I live with other human beings who aren&#8217;t so good at remembering several different PIN codes, so we tend to reuse some of them.\u00a0 We don&#8217;t store any valuables in the vehicles, so even if someone did guess my keyless entry code, and managed to open all three of my vehicles, there&#8217;s very little that they could accomplish with this information.<\/p>\n<p><strong>Sometimes, making a system perfectly secure, also makes it a perfect pain in the ass.\u00a0 You have to weigh ultimate security against convenience.\u00a0 If a system is so complicated that someone has to write down their PIN, then the PIN is PHYSICALLY there for someone to steal, and you&#8217;ve defeated the purpose.<\/strong><\/p><\/blockquote>\n<p>For 
example, your normal PIN is used in conjunction with your badge to enter the server room, but there is a cipher lock at the offsite storage location which requires 6 digits (and no badge).<\/p>\n<ul>\n<li>DO NOT just add digits to the end<\/li>\n<li>Throw in some 1&#8217;s, 0&#8217;s, or 9&#8217;s:\u00a0 74<strong>1<\/strong>20<strong>9<\/strong><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"v-%e2%80%93-thou-shalt-protect-your-identity\"><\/span>V &#8211; Thou Shalt Protect Your Identity<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>When you sign up for a new account, sometimes they ask you for your first dog&#8217;s name, or the street address where your Mom lived when you were growing up.<\/p>\n<p><strong>Personal information should NEVER be disclosed no matter what!<\/strong><\/p>\n<p>You can&#8217;t just assume that your favorite website is using all of that information for the forces of good!<\/p>\n<p>Never give out:<\/p>\n<ul>\n<li>Your date of birth<\/li>\n<li>Your year of birth<\/li>\n<li>Your zip code (add or subtract 1, unless you are buying online)<\/li>\n<li>Social Security number<\/li>\n<li>Driver&#8217;s License number<\/li>\n<li>Mother&#8217;s maiden name<\/li>\n<li>Personal details about your life<\/li>\n<\/ul>\n<p>If I wanted to, I could randomly throw in a personal question every 2-3 times you log in, and slowly build a psychological profile of you, that I could then manipulate for the purposes of marketing.\u00a0 I could ask you questions about your dad, to figure out who you will vote for in the next election, or questions about your mom, to figure out how much you&#8217;re willing to spend on my website, and run an algorithm to bump my prices up or down, accordingly.<\/p>\n<p>Don&#8217;t think that this isn&#8217;t out there in the wild today &#8211; because it is.<\/p>\n<ul>\n<li>When a website asks you the name of your first pet, answer &#8220;yellow&#8221;.<\/li>\n<li>When they ask you your favorite 
color, answer &#8220;yellow&#8221;.<\/li>\n<li>If they complain that you can&#8217;t have the same answer for two questions, answer &#8220;orange&#8221;.<\/li>\n<li>What year were you born?\u00a0 1990 (whether you were born in 1990 or not)<\/li>\n<li>What&#8217;s your birthday?\u00a0 June 1<\/li>\n<li>What&#8217;s the street address of the house in which you grew up?\u00a0 111 mainstreet USA<\/li>\n<\/ul>\n<p><strong>LIE, LIE, LIE.<\/strong><\/p>\n<p>Your personal information is the MOST IMPORTANT COMMODITY on the internet.<\/p>\n<p>Make sure everything you give out is fake, but make sure you have your answers written down somewhere in case you need them.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"vi-%e2%80%93-thou-shalt-protect-your-e-mail\"><\/span>VI &#8211; Thou Shalt Protect Your E-Mail<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong>Almost everything you do online ties back to your e-mail.<\/strong><\/p>\n<p>From online banking to buying online, either you use your e-mail address as part of your credentials, or you supply your e-mail address for the purpose of resetting your password.<\/p>\n<p>If someone gains access to your e-mail, it would take only a few minutes to figure out where you shop online, who you bank with, determine all of your social media accounts, and potentially gain access to all of these.<\/p>\n<p>Protecting your e-mail is so important, it gets its own set of commandments&#8230;<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"i-%e2%80%93-thou-shalt-use-a-unique-password-for-e-mail\"><\/span>i &#8211; Thou Shalt Use a Unique Password for E-mail<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>We hear about data breaches every day, and often, the data that&#8217;s disclosed includes passwords.<\/p>\n<p>Ideally, no website should store any passwords, as the best way to handle authentication is to store a secure hash of the password, and discard the password itself.\u00a0 For 
more information, see <a href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/the-importance-of-hashing-passwords\/\" target=\"_blank\" rel=\"noopener\">The Importance of Hashing Passwords<\/a>.<\/p>\n<p>Unfortunately, inexperienced developers simply store the password in cleartext, in the database, so that it&#8217;s right there for a hacker to steal!<\/p>\n<p>This means that if you use the same password for your email, and for your account on XYZ.com, that if XYZ.com is breached, they now have your e-mail address, and your e-mail password.<\/p>\n<p><strong>Make sure your e-mail password is unique.\u00a0 Don&#8217;t reuse your e-mail password, nor a variant, for any other system or website.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"ii-%e2%80%93-thou-shalt-use-a-strong-password-for-e-mail\"><\/span>ii &#8211; Thou Shalt Use a Strong Password for E-mail<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Even though it goes without saying, it&#8217;s important enough to mention twice.<\/p>\n<p><strong>Your e-mail password should be the most secure password you use.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"iii-%e2%80%93-thou-shalt-use-a-secure-e-mail-platform\"><\/span>iii &#8211; Thou Shalt use a Secure E-mail Platform<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Unless you&#8217;re Hillary Clinton, your e-mail should remain as secure as possible.<\/p>\n<p>Once upon a time, e-mail was something you downloaded from your ISP.\u00a0 You would fire up a copy of <a href=\"https:\/\/en.wikipedia.org\/wiki\/Eudora_(email_client)\" target=\"_blank\" rel=\"noopener\">Eudora<\/a> or <a href=\"https:\/\/en.wikipedia.org\/wiki\/Outlook_Express\" target=\"_blank\" rel=\"noopener\">Outlook Express<\/a>, enter some arcane settings to configure your e-mail server settings, and click &#8220;download&#8221;.\u00a0 You might read your e-mail offline, and maybe even reply, and then &#8220;sync up&#8221; your e-mail 
the next time you connected.<\/p>\n<p>Then came &#8220;Hotmail&#8221;, and everything changed.\u00a0 Hotmail was the first mainstream, online, fully-functional web client &#8211; you could go to a website from any internet-connected computer in the world, and read your e-mail.\u00a0 And, if you changed ISPs, you didn&#8217;t need to change your e-mail address, nor pay your old ISP for forwarding.<\/p>\n<p>Soon, Yahoo arose as a major competitor, and every ISP soon adopted their own flavor of web-based e-mail.\u00a0 Later, Google got in to the act, with GMail, and finally, Microsoft bought Hotmail.<\/p>\n<p>So the top 3 &#8220;cloud&#8221; e-mail platforms today are Outlook Live (formerly Hotmail), Yahoo Mail, and Google GMail.<\/p>\n<p>Although there are still some small, dark corners of the internet which offer anonymous e-mail, if you go with any of the big-3, be prepared to sacrifice your real identity, and supply a phone number for validation and password recovery.\u00a0 Just like Facebook, they want as much personal information as they can siphon off of you, so that they can use it for marketing.<\/p>\n<ul>\n<li>Yahoo had a major account \/ data breach in 2014<\/li>\n<li>Google has stated that they have bots that read your e-mail, scanning for keywords<\/li>\n<li>Outlook Live has stability and reliability issues, and suffers from feature-bloat.\u00a0 And in light of Windows 10 privacy issues, don&#8217;t expect a Microsoft-hosted application to place its first priority on privacy.<\/li>\n<li>All three of them respond to thousands of FISA warrants per day<\/li>\n<\/ul>\n<p>So what does all of this mean?<\/p>\n<ul>\n<li>The Yahoo breach was pretty serious, but they did require all of their subscribers to change e-mail passwords, and made security changes and improvements to ensure that the attackers responsible for the 2014 breach did not have continued access to compromised data or e-mail accounts.\u00a0 (Again:\u00a0 SHAME ON YOU, YAHOO, FOR STORING PASSWORDS 
RATHER THAN PASSWORD HASHES)<\/li>\n<li>Regardless of who you use, the government probably has ready access to your e-mail.\u00a0 There&#8217;s no way around it, unless you host your own.<\/li>\n<li>Regardless of who you use, your provider will be scanning your e-mail, looking for relevant content and building a marketing profile on you.<\/li>\n<\/ul>\n<p><strong>The good news is that all three have draconian password policies, require authentication in order to make account changes, require a 2nd factor (phone or recovery e-mail account) in order to reset your password, and they send you an e-mail or text message if your e-mail is accessed from an unknown computer or device.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<blockquote>\n<h3><span class=\"ez-toc-section\" id=\"side-quest-secure-messaging-through-encryption\"><\/span>Side Quest:\u00a0 Secure Messaging Through Encryption<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>As we&#8217;ve seen, even though <em>access<\/em> to your e-mail is fairly secure, obviously, you can&#8217;t guarantee that the government or some marketing corporation isn&#8217;t snarfing up your e-mail messages in order to determine whether you&#8217;re a criminal, or want to buy shoes (respectively).<\/p>\n<p>So how do you send something super-secret or super-sensitive through e-mail?<\/p>\n<p>The answer is encryption.<\/p>\n<p>1. Use a text editor or word processor to type up your e-mail<\/p>\n<p>2. Use a program such as PGP or WinRAR to encrypt it<\/p>\n<p>3. Attach the PGP or RAR file as an attachment to a normal e-mail that simply says, &#8220;here&#8217;s that file you wanted&#8221;.<\/p>\n<p>4. 
Assuming that the recipient knows how to decrypt the file, and has the decryption password, they decrypt the file and then read your &#8220;real&#8221; message &#8211; like maybe the secret plans to the Death Star.<\/p>\n<p>If you are interested in encryption, and want to know more about it, check out <a href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/public-key-infrastructure-pki-and-encryption-simplified\/\" target=\"_blank\" rel=\"noopener\">Public Key Infrastructure (PKI) and Encryption, Simplified<\/a>.<\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"iv-%e2%80%93-thou-shalt-not-use-your-isp-for-e-mail\"><\/span>iv &#8211; Thou Shalt Not Use Your ISP for E-mail<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Although we covered this above, it bears mentioning again.<\/p>\n<p>If you use your ISP for e-mail, and then use that e-mail address for password recovery for other accounts, then if you change your ISP, you won&#8217;t be able to recover your other accounts (duh).<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"v-%e2%80%93-thou-shalt-change-your-e-mail-password\"><\/span>v &#8211; Thou Shalt Change Your E-mail Password<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>(Often)<\/p>\n<p>Let&#8217;s face it:\u00a0 password changes are a complete PITA.\u00a0 When I see that prompt, &#8220;you have 10 days to change your password&#8221;, I just absolutely know that I&#8217;ll wait until day 9, JUST because I don&#8217;t want to deal with it.<\/p>\n<p>When it comes time to change your password, you need something easy to remember, but then you run afoul of &#8220;password hell&#8221; &#8211; the rules requiring complexity practically turn it in to a scavenger hunt:<\/p>\n<blockquote><p>Your password needs to include a species of omnivorous jungle cat, two scrabble tiles, an imaginary number, and a blind warrior-poet, preferably from the middle ages.<\/p><\/blockquote>\n<p>BUT, your e-mail password is the 
MOST IMPORTANT password you have.<\/p>\n<p>SO CHANGE IT.<\/p>\n<p>I say &#8220;often&#8221;, but the corporate definition of &#8220;often&#8221; is to change it every 2-3 months.<\/p>\n<p><strong>In the &#8220;real&#8221; world, if you change your e-mail password every 6 months, you&#8217;ll be just fine.\u00a0 BUT CHANGE IT (often).<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"vi-%e2%80%93-thou-shalt-not-stay-signed-in-to-e-mail\"><\/span>vi &#8211; Thou Shalt Not Stay Signed In To E-mail<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Most e-mail services offer a &#8220;keep me signed in&#8221; check box.<\/p>\n<p>DO NOT CHECK &#8220;KEEP ME SIGNED IN&#8221; FOR YOUR E-MAIL.<\/p>\n<p>Even with this feature disabled, the timeout is usually long enough that you only get prompted 2-3 times per day.<\/p>\n<p><strong>Getting prompted means that someone who has access to your browser session doesn&#8217;t have automatic access to your e-mail.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"vii-%e2%80%93-thou-shalt-maintain-a-working-password-recovery-e-mail-and-phone-number\"><\/span>vii &#8211; Thou Shalt Maintain a Working Password Recovery E-mail and Phone Number<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The &#8220;big 3&#8221; e-mail providers are able to help you reset your password using a &#8220;recovery code&#8221; that they send, either to your &#8220;recovery e-mail address&#8221;, which is a second e-mail account to which you have told them you have access, or via text to a &#8220;recovery phone number&#8221; (your cell phone).<\/p>\n<p>Make sure these are kept up to date.<\/p>\n<p>You should set up a 2nd e-mail account, either with the same provider or another.\u00a0 Once you have a &#8220;verified&#8221; e-mail account, it&#8217;s very simple to set up a 2nd account, so DO IT!!<\/p>\n<p>If you change cell phone numbers for some reason, MAKE SURE you update your recovery phone 
number.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"vii-%e2%80%93-thou-shalt-use-unique-user-names\"><\/span>VII &#8211; Thou Shalt Use Unique User Names<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Your password is HALF of your login credentials.<\/p>\n<p>The other half is your user name.<\/p>\n<p>The problem is that most people use the same user name for every website, and even worse, many websites use your e-mail address as your user name.<\/p>\n<p>Although this is easy to remember, it also makes an attacker&#8217;s job that much easier.<\/p>\n<p><strong>If I know your e-mail address, I probably already have half of what I need to break in to any of your online accounts.<\/strong><\/p>\n<p><strong>User Name best practices:<\/strong><\/p>\n<ul>\n<li><strong>Only use a user name ONCE<\/strong>.\u00a0 Never use a user name for more than one website.<\/li>\n<li>Keep a spreadsheet or notepad, listing your user names and corresponding websites.\u00a0 In case the file is compromised, either <strong>make sure it&#8217;s encrypted, or make sure you DO NOT list your passwords<\/strong>.<\/li>\n<li><strong>Make sure your e-mail password is NOT LISTED in your file<\/strong>.\u00a0 Suck it up.\u00a0 Memorize it.<\/li>\n<li><strong>Use random letters and numbers as your user name for every website<\/strong>.\u00a0 Most websites require that your user name starts with a letter.<\/li>\n<li>Many websites,<strong> unfortunately<\/strong>, use your e-mail address as your username.\u00a0 I say &#8220;unfortunately&#8221;, because this is not secure.\u00a0 <strong>Consider using a service, such as <a href=\"https:\/\/sneakemail.com\/\" target=\"_blank\" rel=\"noopener\">Sneak Email<\/a>, that gives you disposable e-mail addresses<\/strong>.\u00a0 This has the added benefit, that if you start getting spam from a specific website, you can turn off the corresponding e-mail address.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span 
class=\"ez-toc-section\" id=\"viii-%e2%80%93-thou-shalt-protect-your-finances\"><\/span>VIII &#8211; Thou Shalt Protect Your Finances<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Make sure you use a separate password and user name for:<\/p>\n<ul>\n<li>Each banking website<\/li>\n<li>Stock trading<\/li>\n<li>Each Credit Card website<\/li>\n<li>Paypal (or similar)<\/li>\n<\/ul>\n<p><strong>Using a unique user name makes your bank account TWICE as hard to break in to.<\/strong><\/p>\n<p>If you have an account that is linked to your money, you should have a unique username and password for that account, and make sure that the username + password combination is used NOWHERE ELSE, even on another banking website.<\/p>\n<p><strong>If your bank offers additional authentication, USE IT.<\/strong><\/p>\n<p>Some banks offer <a href=\"https:\/\/en.wikipedia.org\/wiki\/PhoneFactor\" target=\"_blank\" rel=\"noopener\">PhoneFactor<\/a> authentication, which sends a text message to your cell phone as part of the login process.<\/p>\n<p>Other banks have proprietary authentication factors, where you respond to a question or pick out a picture.\u00a0 Remember to NEVER give out personal information, but definitely take advantage of the added security.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"i-%e2%80%93-thou-shalt-use-separate-bank-accounts-for-receivables-and-payables\"><\/span>i &#8211; Thou Shalt Use Separate Bank Accounts for Receivables and Payables<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>(Sorry for the mini-commandment)<\/p>\n<p><strong>Simplified:\u00a0 Thou shalt put your money-coming-in, in a separate bank account from your money-going-out.<\/strong><\/p>\n<p>Why?<\/p>\n<p>If some company accidentally overdrafts your account, you don&#8217;t want all of your money to disappear!<\/p>\n<p>Also, make sure &#8220;overdraft protection&#8221; is TURNED OFF!!!<\/p>\n<p>If some asshole clerk mistypes your bill as $3000 instead of $30, or some 
computer programmer can&#8217;t calculate where a decimal place sits, then you might get SAVAGELY OVERCHARGED.<\/p>\n<p>If you have overdraft protection enabled, your bank will simply pay the bill!\u00a0 No questions asked!\u00a0 And then charge you A LOT OF MONEY.<\/p>\n<p>With overdraft protection disabled, and by having a separate account, should an overdraft occur due to some company&#8217;s error, you don&#8217;t have to worry about your REAL money (held in a separate account), nor repaying a debt that you don&#8217;t owe.\u00a0 It&#8217;s much easier to have the bank reverse any overdraft fees once the mistake is identified, versus going around for weeks without any cash.<\/p>\n<p><strong>Always keep just enough in your &#8220;outgoing&#8221; account to pay your bills, and leave the rest in &#8220;incoming&#8221; or move it to &#8220;savings&#8221;.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"ix-%e2%80%93-thou-shalt-not-stay-signed-in\"><\/span>IX &#8211; Thou Shalt Not Stay Signed In<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Sites such as Amazon and other reputable online retailers prompt for your credentials before allowing you to make a purchase.<\/p>\n<p>However, if you &#8220;stay signed in&#8221; to Facebook, anyone can post anything as you, and read everything you&#8217;ve ever posted.<\/p>\n<p>It takes just a few seconds to enter your password, but the damage someone can do with your account could cost you money, reputation, or income.<\/p>\n<p><strong>Do not stay signed in.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"x-%e2%80%93-thou-shalt-follow-a-risk-based-approach-for-passwords\"><\/span>X &#8211; Thou Shalt Follow a Risk-Based Approach for Passwords<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong>Every time you create a password, you&#8217;re creating a key, but you&#8217;re also creating a lock &#8211; it protects something that has 
to stay locked up and secure when you&#8217;re NOT using it.<\/strong><\/p>\n<p>When you create a password, ask yourself:<\/p>\n<p>If someone\u00a0<strong>who hates me<\/strong> got access to this information or service, what could they do with it, and how bad could this hurt me?<\/p>\n<p>For example, if someone hacks your Amazon account, yes, that&#8217;s bad, but ultimately either Amazon or your credit card company will reimburse the charges once you prove that they&#8217;re fraudulent.<\/p>\n<p>However, if someone hacks your e-mail, they could bankrupt you by resetting all of your passwords, send a &#8220;screw you, I quit&#8221; e-mail to your boss, and a &#8220;dear john\/jane&#8221; letter to your significant other.<\/p>\n<p>So obviously, e-mail is more sensitive (higher risk) than Amazon, and must be protected accordingly.<\/p>\n<p>Conversely, if someone hacks your password on &#8220;ILikeCats.com&#8221;, I&#8217;m sure your reputation won&#8217;t suffer too badly, and thus, using a convenient password (possibly less-secure) is appropriate.<\/p>\n<p><strong>When you create a password, make sure the LOCK that your password represents is strong enough to protect against the worst thing that could happen to you if someone who hates you gains access to what the lock protects.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Thou shalt follow these commandments in order to create and maintain a secure password strategy.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"i-%e2%80%93-thou-shalt-not-use-biometric-security\"><\/span>I &#8211; Thou Shalt Not Use Biometric Security<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>(Beware false prophets)<\/p>\n<p>Biometrics are not secure.\u00a0 Every biometric security measure in existence today, or that will ever be devised, can be easily bypassed.<\/p>\n<p>Use a PIN or 
password instead, and consider multifactor authentication such as PhoneFactor or PKI certificate.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"ii-%e2%80%93-thou-shalt-log-in-to-your-computer-2\"><\/span>II &#8211; Thou Shalt Log In to Your Computer<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Good security extends from end to end, and the starting point for any security strategy begins when you log in to your computer.<\/p>\n<p>Create profiles for each user, enable passwords, and enable a screen lock timeout for your profile.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"iii-%e2%80%93-thou-shalt-secure-your-smart-phone-2\"><\/span>III &#8211; Thou Shalt Secure Your Smart Phone<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Your Smart Phone is incredibly personal, and has ready access to all of your online accounts.<\/p>\n<p>Make sure you use a PIN or password to secure your phone, use Guest Mode if your phone supports it (or download a parental control app), and configure a screen lock timeout.<\/p>\n<p>If your device supports it, go online and configure &#8220;find my phone&#8221;, remote wipe, and \/ or remote device deactivation, so that if your phone is lost or stolen, no one can access your stuff.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"iv-%e2%80%93-thou-shalt-construct-secure-pins-and-passwords-2\"><\/span>IV &#8211; Thou Shalt Construct Secure PINs and Passwords<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li>Hard to Guess, Easy to Remember<\/li>\n<li>Avoid words and names that might appear in a cracking dictionary<\/li>\n<li>Avoid too much Leet Speak<\/li>\n<li>Longer is more secure than complex<\/li>\n<li>Get creative with text icon substitution<\/li>\n<li>Make it hard to crack by breaking up words or misspelling words, and make sure your password starts with a letter toward the middle of the alphabet<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" 
id=\"v-%e2%80%93-thou-shalt-protect-your-identity-2\"><\/span>V &#8211; Thou Shalt Protect Your Identity<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>A determined and persistent attacker could build a database of your personal information by carefully mining password recovery questions.<\/p>\n<p>Always LIE LIE LIE, but make sure you either write it down, or have a scheme for the answers.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"vi-%e2%80%93-thou-shalt-protect-your-e-mail-2\"><\/span>VI &#8211; Thou Shalt Protect Your E-Mail<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Virtually everything you do online ties back to your e-mail.<\/p>\n<p>i &#8211; Thou Shalt Use a Unique Password for E-mail<\/p>\n<p>ii &#8211; Thou Shalt Use a Strong Password for E-mail<\/p>\n<p>iii &#8211; Thou Shalt Use a Secure E-mail Platform<\/p>\n<p>iv &#8211; Thou Shalt Not Use Your ISP for E-mail<\/p>\n<p>v &#8211; Thou Shalt Change Your E-mail Password (often)<\/p>\n<p>vi &#8211; Thou Shalt Not Stay Signed In To E-mail<\/p>\n<p>vii &#8211; Thou Shalt Maintain a Working Password Recovery E-mail and Phone Number<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"vii-%e2%80%93-thou-shalt-use-unique-user-names-2\"><\/span>VII &#8211; Thou Shalt Use Unique User Names<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>If an attacker knows that you use the same user name or your real e-mail address for every website, then half of their work is done!<\/p>\n<p>Always use a unique username.\u00a0 Keep a list of user names and websites in an encrypted file.<\/p>\n<p>Consider using a service such as <a href=\"https:\/\/sneakemail.com\/\" target=\"_blank\" rel=\"noopener\">SneakEmail<\/a> for disposable e-mail addresses.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"viii-%e2%80%93-thou-shalt-protect-your-finances-2\"><\/span>VIII &#8211; Thou Shalt Protect Your Finances<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Use a unique username + 
password pair for each website that has access to your money &#8211; banks, credit cards, stock trading, Paypal, etc.<\/p>\n<p>Use multifactor authentication, such as PhoneFactor, if your bank offers it.<\/p>\n<p>Also, Thou Shalt use a separate bank account for direct debit, so that a computer error doesn&#8217;t take all of your money and overdraft your bank account.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"ix-%e2%80%93-thou-shalt-not-stay-signed-in-2\"><\/span>IX &#8211; Thou Shalt Not Stay Signed In<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>If you stay signed in, and someone gains access to your browser session, they ARE YOU.<\/p>\n<p>It takes just a few seconds to log in to a website, and most websites have a 2-hour timer (or longer) so that you don&#8217;t have to constantly re-authenticate.<\/p>\n<p>If a website presents you with a check box that says &#8220;keep me signed in&#8221;, don&#8217;t use it!<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"x-%e2%80%93-thou-shalt-follow-a-risk-based-approach-for-passwords-2\"><\/span>X &#8211; Thou Shalt Follow a Risk-Based Approach for Passwords<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Your password is more than just a key &#8211; it&#8217;s also a lock that protects something.<\/p>\n<p>If something is important or sensitive, make sure your password is strong enough to protect it.<\/p>\n<p>Whenever you create a new password, ask yourself: what could someone who hates me do if they gained access to what this password protects?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Thou shalt protect your data. Passwords are the most versatile and effective way to protect your data, but most people break these simple rules. Using a weak or ineffective password strategy in an always-connected world means that your money, data, and identity are at risk. 
Thou shalt follow these commandments in order to protect yourself, [&hellip;]<\/p>\n","protected":false},"author":16,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-4216","post","type-post","status-publish","format-standard","hentry","category-tech-support"],"_links":{"self":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts\/4216","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/comments?post=4216"}],"version-history":[{"count":7,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts\/4216\/revisions"}],"predecessor-version":[{"id":4226,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts\/4216\/revisions\/4226"}],"wp:attachment":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/media?parent=4216"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/categories?post=4216"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/tags?post=4216"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}