I'm not going to lie, this is one of the most useful guest posts we've ever had. Stolen passwords haunt our lives on the daily. Thankfully, Ray Daniel gives us some tips on how to protect ourselves from those pesky hackers, in correlation with his latest release, Hacked. The fourth book in the Tucker Mysteries, which is available now!
Hackers love passwords. They love to use them, sell them, and trade them with their friends. Once they have passwords they can steal identities, publish secrets, and create a wide variety of mischief and mayhem. So, how do they get them? Most importantly, how could they get yours.
It's perhaps comforting to know that they don't get your password because they know your birthday, your dog's name, or the names of your loved ones. While not using any of that personal information to create a password is good advice, we don't live in a creepy world where hackers are omniscient.
Hackers have two primary ways of getting your password: they can guess it, or they can trick you into giving it to them. Let's look at both of those approaches and then see what we can do to protect ourselves.
When it comes to guessing passwords, one imagines the hacker going to Amazon.com and trying passwords until one hits. This, of course, does not work. Amazon.com and other sites place limits on the number of guesses.
Instead hackers need to steal databases full of email addresses and their associated encrypted password. Encryption takes your password and turns it into an unintelligible string of letters. For example, the password 'password' becomes the following:
There's no way to figure out the word 'password' from that. The very similar password 'Password' looks like this:
As you can see there's no discernable pattern between them even though they are similar passwords. However, if I told you that my password was password but I didn't tell you whether the P was capitalized, you could figure out which password was mine by guessing. You'd encrypt password and then encrypt Password and check to see which one matched the encrypted string. That's exactly how hackers guess your password except on a huge scale.
Hackers regularly break into insecure servers and steal databases of email addresses and encrypted passwords. When you heard that hackers broke into Yahoo and stole information for one billion (billion with a B!) accounts these username-password pairs were some of the information stolen.
Once they have the encrypted passwords, hackers use bastardized graphics engines to create hacking machines that can guess a billion passwords in a second. They take your password and compare it to lists of previously guessed passwords, then they compare it to words in a dictionary, then they replace the 'e' with '3' and add numbers and letters to the end, they use advanced prediction mechanisms to create guesses from a first letter such as 's'.
Using techniques such as these hackers can guess between 60 and 80% of passwords in a typical stolen database. If you'd like to know whether your password information is in the hands of hackers, follow this link to this New York Times article:
Or to be more precise type your email address into http://haveibeenpwned.com.
Both sites will tell you whether your information may be out there. (But, come on, we almost all have a Yahoo account.)
The other way hackers get your password is by asking for it with a phishing attack. In this approach hackers send you an email that looks to be from a coworker or, even better, a boss or the IRS. The message says something like, "You had better read this right now or you're screwed!" The goal is to get you to panic, click on a link, and log in to see the information. Once you do that, the hackers have your password. This is how John Podesta of the Hillary Clinton campaign lost his password to Russian hackers. To be fair to Podesta, he shared the email with his IT department who told him it was legitimate when the person had meant to type illegitimate. (One cannot make this up.)
If you think you're immune to being phished I suggest listening to the Reply All podcast from Gimlet Media named What Kind of Idiot Gets Phished?. https://gimletmedia.com/episode/97-what-kind-of-idiot-gets-phished/
There are three things you can do to minimize password-related damage:
1. Use a different password on every site. I'd worry if I had used my Yahoo password to protect my bank account.
2. Use a password manager to generate unguessable random strings to all sites and save them. That way you only need to remember one password. (Here is a comparison of password managers: http://www.pcmag.com/article2/0,2817,2407168,00.asp)
3. Set up two-factor authentication on all sites that allow it. John Podesta would have survived losing his password if he had turned this on. Two-factor authentication requires the hackers to have both your password and your cell phone to get into your account. They probably don't have your cell phone. (Two-factor authentication saves Tucker in Hacked.)
The modern world of hacking and password can seem like a scary place, but it's not difficult to stay safe. If you use a password manager to generate different random passwords for all your sites and turn on two-factor authentication you won't wind up like John Podesta.
Aloysius Tucker vows vengeance when a hacker terrorizes his ten-year-old cousin online. But the situation goes sideways fast, threatening to take Tucker off-line for good. #TuckerGate
Promising his cousin that he’ll get an apology from an Internet bully, Tucker finds himself in a flame war that goes nuclear after a hacker is murdered. Now more hackers, the whole Twitterverse, and a relentless bounty hunter agree on one thing—Tucker is the killer and he must be stopped.
With death threats filling his inbox, Tucker battles Anonymous, Chinese spies, and his own self-destructive rage while chasing a murderer the online community has named the HackMaster. Can Tucker clear his name and build a case against the killer before the death threats come true?
Ray Daniel (Framingham, MA) writes first-person, wisecracking, Boston-based crime fiction. His story Driving Miss Rachel (published in Blood Moon by Level Best Books) was chosen as a 2013 distinguished short story by Otto Penzler, editor of The Best American Mystery Stories 2013. Daniel's work has been published in the Level Best Books anthologies Thin Ice, Blood Moon, and Stone Cold. Terminated is Ray Daniel's first novel. For more information, visit him online at raydanielmystery.com/.