Sometimes, people on AR email me and ask me for simple help. I don't mind helping people out, and if I can take a look at their Google+ page or maybe adjust something on their ActiveRain account, I usually do it.
People send me their passwords, which is fine, but I just ask that they change it as soon as I am done.
But folks, many of the passwords I get-- no, most of the passwords I get-- are pretty bad. This is no lie, and I'm not going to embarrass anyone of course, but one very prominent ActiveRain blogger that I've known for years sent me his password and guess what it was?
Yep. His password was "PASSWORD"-- and this was for his main site. I asked him if he made that for me, and he'd change it back, but he said "nope, that's my password."
Sure, he put it in all caps, which is a little tricky, but not quite tricky enough, if I may say so.
If you're laughing at this particular gentleman, you might want to stop laughing, because you might be next!
I hear people tell me all the time: "My email was hacked" or "My Facebook was hacked" or whatever. I don't want to hurt anyone's feelings, but we aren't big enough targets to be "hacked" by anybody using real hacking tools. There are ways to crack a password outright using what's called a brute force attack (trying every possible combination of characters), but it's highly unlikely that anyone reading this article is important enough to warrant that kind of attack, so I'm going to explain how you, or your friends, or anyone who has ever told you that they've been "hacked" has actually been hacked.
1. This is huge; if you follow this one, you will probably never be hacked: Don't use the same password on more than one site or for that matter, one "thing", ever.
Let's say I set up a website and I offer something free. And it's a really nice website too- a total first class job. I offer you free downloads and all kinds of fantastic stuff if you sign up for a free membership. Just like ActiveRain for example. Or Vimeo-- pick a site.
And you give me, or my coworker, or maybe my staff-of-a-thousand the same password that you use for your bank. Or something so similar, someone could figure it out. You use Vanilla8346 for AR, but vanilla8346 for your bank. Oooh, tricky!
Never, ever use the same password from site to site. Not ever. If you follow this rule, you probably won't ever be hacked. But let's continue on to the less likely ways.
2. Just about 20 minutes ago, somebody here on ActiveRain asked me to log in to their Google+ profile to take a look around. This particular Realtor had taken the extra (and very smart) precaution of giving Google her telephone number for "2-step verification". You can read about that here.
Google asked me, "Is that really you RealtorName? Please verify your telephone number."
I was trying to work fast, and I didn't want to wait for the Realtor to email me back, so I went to her public ActiveRain profile, saw her cell phone number, gave it to Google, and I was in. Easy peasy lemon squeezy. So much for 2-step verification. A check that only asks you to type in the phone number Google has on file is no protection at all when that same number is sitting on your public profile.
3. This is the least dangerous, but it's still dangerous: You do use different passwords, but you make them all "easy to remember."
If someone was paying me to hack into your account, which of course, I would never do...this is how it's done. This is a ridiculous scenario for someone who is not a politician or a public figure, but it could be used on a Realtor or a mortgage broker too, I suppose.
The first thing I'd want to do is find out as much about you as I can.
I'm going to go to Facebook and get your birthdate. You don't display the year? Keep it; there are only a small number of years you could have been born in-- I'll just try them all. I'll also go to LinkedIn and see where you graduated; I need any and all information I can get.
I'm going to get your kid's names, and your spouse's name. I'm going to get their birthdays too. I'm going to take note of your favorite bands, hobbies and anything else that you make public. I might have a wealth of information (because maybe you are an open book on the internet), or I might just get a little information.
I take that information and feed it into a password-cracking tool as a custom wordlist (people loosely call this a "brute force" attack, but it's really a dictionary attack), and then I go to sleep. The program starts with those keywords and the usual variations on them: capitalized, with digits or a year tacked on the end, and so on. If you use your husband's birthday and some random word-- like peanuts040971-- and there is no connection to peanuts in your life-- that's good, but it's still an English word, and the program will get to it long before it moves on to straight random characters.
A cracking tool always tries real words, names and dates (and their common variations) first; true brute force, trying every possible combination of characters, is the slow last resort.
I recommend a password manager and passwords made of random characters. All of my passwords, including ActiveRain, look something like this: aHs34-!-5F&#t5g
I just mash my hands into the keys and then store the password on my computer, which is backed up locally. I couldn't tell you what my ActiveRain password is if you threatened me with torture. I just copy and paste when I login. Sure, I'm over-cautious, but I don't want to be hacked.
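Here is an added example (my own illustration, not code from this post or from any of the tools mentioned) that puts points 1 and 3 into working Python. It derives the case and suffix variants a credential-stuffing script tries on a password leaked from one site, builds an OSINT-seeded wordlist with the usual mangling rules and runs it against a hashed password, and contrasts that with a password drawn from a cryptographically secure random generator. The victim profile, the leaked password and the target passwords (including peanuts040971 from above) are all constructed for the demo, and SHA-256 stands in for whatever hash a real site would store.

```python
import hashlib
import secrets
import string


def unique(items):
    """Drop duplicates but keep order, so the attack's try-order is deterministic."""
    seen = set()
    return [x for x in items if not (x in seen or seen.add(x))]


def sha256_hex(s):
    """Stand-in for the site's stored password hash (a real site should use bcrypt/scrypt/argon2)."""
    return hashlib.sha256(s.encode()).hexdigest()


# --- Point 1: a password leaked from one site versus the one used at the bank ----------
def variants_of_leaked(leaked):
    """The cheap transforms a credential-stuffing script tries first on a leaked password."""
    forms = [leaked, leaked.lower(), leaked.upper(), leaked.capitalize(), leaked.swapcase()]
    return unique(f + suffix for f in forms for suffix in ("", "!", "1", "2"))


# --- Point 3: an OSINT-seeded wordlist plus mangling rules ------------------------------
COMMON_WORDS = ["password", "letmein", "welcome", "peanuts", "sunshine"]  # tiny stand-in for a real wordlist


def date_forms(iso_date):
    """'1971-04-09' -> the digit strings people actually append: 040971, 04091971, 090471, ..."""
    y, m, d = iso_date.split("-")
    return [m + d + y[2:], m + d + y, d + m + y[2:], d + m + y, y]


def mangle(word, years, dates):
    """Rules applied to every seed word: case variants, leet, appended years/dates/suffixes."""
    cases = unique([word, word.lower(), word.capitalize(), word.upper()])
    leet = [c.replace("a", "@").replace("e", "3").replace("o", "0") for c in cases]
    out = []
    for base in unique(cases + leet):
        out.append(base)
        out += [base + s for s in ("1", "123", "!")]
        out += [f"{base}{y}" for y in years] + [f"{base}{str(y)[2:]}" for y in years]
        out += [base + d for d in dates]
    return out


def build_candidates(profile):
    """Everything scraped from Facebook/LinkedIn becomes seed words, dates and a year range."""
    years = range(profile["birth_year_low"], profile["birth_year_high"] + 1)
    dates = [f for iso in profile["dates"] for f in date_forms(iso)]
    seeds = profile["names"] + profile["interests"] + COMMON_WORDS
    return unique(c for w in seeds for c in mangle(w, years, dates))


def crack(target_hash, candidates):
    """Return (password, guesses_used), or (None, guesses_used) if the wordlist is exhausted."""
    for n, cand in enumerate(candidates, 1):
        if sha256_hex(cand) == target_hash:
            return cand, n
    return None, len(candidates)


def random_password(length=15):
    """What a password manager generates: characters drawn uniformly from a wide alphabet."""
    alphabet = string.ascii_letters + string.digits + "-!&#$%"
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed (hypothetical) victim profile, as scraped from public pages in the scenario above.
PROFILE = {
    "names": ["Jane", "Mike", "Emma", "Liam"],        # victim, spouse, kids
    "interests": ["coldplay", "cycling", "ucla"],       # favorite band, hobby, school
    "dates": ["1971-04-09", "2004-11-23"],              # spouse's and a kid's birthday
    "birth_year_low": 1960, "birth_year_high": 1985,    # year hidden on Facebook? try them all
}

if __name__ == "__main__":
    # Point 1: the bank password is just a case variant of the one given to another site.
    print("vanilla8346" in variants_of_leaked("Vanilla8346"))
    cands = build_candidates(PROFILE)
    print(f"{len(cands)} candidates built from the profile")
    # Point 3: 'peanuts' has nothing to do with the victim, but it is an English word + a birthday.
    print(crack(sha256_hex("peanuts040971"), cands))
    # A random 15-character password is simply not in the list; only true brute force remains.
    print(crack(sha256_hex(random_password()), cands))
```

The whole wordlist here is a few thousand guesses and runs in well under a second, which is the point: anything built from words, names and dates falls to this pass, while the random password is never in the list and can only be reached by exhausting the full character space. One caveat on "mashing the keys": mashed characters cluster around the home row and repeat far more than they look like they do, so let the password manager's generator (which draws like `secrets.choice` above) produce the password instead.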
I can't vouch for it, but I heard RoboForm for the PC is good. But again, I've never used it.
On my Mac, I use DataVault Password Manager, located in the app store.
But I've probably already told you way too much...