
Password pain stops the wrong people from getting in.

  • Writer: Darcey Lynne
  • Aug 13, 2023
  • 1 min read

Updated: Aug 29, 2023

Cyber places are a lot like our physical spaces - they hold valuable information, even memories, about our careers, health, finances, places we go, people we associate with and more. It stands to reason that putting a lock on our cyber doorways is as important as putting a lock on our front door.


Putting this obvious need for passwords aside, I feel password pain is a chronic condition that many struggle with. When passwords are a burden, it's natural to feel frustrated, obstructed, controlled, vulnerable and incapable with technology.


To ease the pain, we adopt strategies that cause the exact opposite of what a key is supposed to do... we make ourselves vulnerable. Take a breath, we've all been there.


In this post I'll cover some basics about passwords and some typical and terrible habits that we've adopted in hopes of making our lives better, and why these habits are so bad. I'll also review some technology tools that create a more secure cyber world while lowering your password pain.


Just below, and at the end of my post, is a link to purchase NordVPN. In addition to being an established leader in VPNs (virtual private networks), their product offers a cross-platform password keeper - another reason why NordVPN hits the top of my list and something I'll talk about more in this post.


To learn more about VPN, an incredibly important tool that promotes security, privacy, and freedom, check out my post 3 reasons a VPN is the next app you should install on your device.



Let's get started...

What's an account?

Accounts are made up of a single piece of information that identifies you from everyone else in the world, plus a password and potentially some other piece(s) of information that help confirm your identity. Each platform manages its own accounts (except in the case of platforms that take part in single sign-on (SSO), a topic for another day). Each platform decides what that single piece of information that uniquely identifies you must look like, and often a valid email address is required for this. This part of your account is commonly referred to as Account, Userid, or Username. In all cases, whatever your account/userid/username is, it must be unique on the platform. Because a valid email address is unique by nature (no two people in the world can have the same email address), email addresses work well for this. Doing double duty, having an email address inherently tied to an account gives platforms a sure way to communicate with everyone on their platform.

Still, some platforms have different requirements for the userid portion of an account. Companies often create a userid/username for their employees, and this piece is often not an email address, largely because not everyone in the organization needs a company email (which costs bucks). When setting up access on platforms, it's standard for the platform to send an email to your email account that you must respond to in some way, to confirm the email account actually exists and that it's you - proving you are who you say you are - also known as a validated email address.

Here's where password confusion can set in... Pretend my email address is jfrost@gmail.com. On the Gmail platform I set a password, have probably specified my cell phone number and possibly even another email address (important information that can be used to recover my email account or verify my identity). Now I use my email address to create accounts on Netflix, Amazon, Direct Energy, and more. Each of these platforms works independently of the others. The password that you set on each platform is not related to passwords on other platforms, even though your account/username/userid is the same - jfrost@gmail.com. The security questions and other ways you authenticate who you are, are also completely unique to each platform. Now, we're ready to dig into the world of passwords.

The road to hell is paved with good intentions.

Here are 4 bad password practices that cause chaos and theft.

#1 Using the same password all over your world. Imagine having one key that opens your home, business, vehicle, trailer, a compound that you share with others, as well as every other place you go to that has some special way for you to get in. This key could definitely keep things simple. Now imagine leaving that key on a table during Friday lunch rush at a restaurant on Whyte Avenue. With very little detective work and some good guesses, anyone sufficiently motivated could get into where they should not and flip your world upside down. Ease of access is definitely not worth risking everything, yet many do by using the same password all over their cyber world.

#2 Passwords kept in plain sight. I've seen passwords printed on paper tucked under keyboards and in top desk drawers... worse yet, taped on monitors, and all I can say is, this is the weakest link.

#3 Spin rinse passwords - Lakegirl1!, Lakegirl2!, Lakegirl3! Easily readable and predictable passwords take a lot of guesswork out of gaining access... for everyone. Even some IT teams are guilty of using standard go-to passwords in an effort to make employee on-boarding and password resets smooth and simple. What do you think?

#4 I wrote it down - it's here somewhere. This is always a painful trip. It leads down the road of restricted access, the need for technical support, missed opportunities and wasted time... never mind the true psychological harm it can cause, including hatred for technology. It certainly invokes thoughts like: if I can't get in the door, do I really want to be there?

Hacked!

Hacked refers to unauthorized access or intrusion into a computer system, network, or other electronic device. Using various techniques and tools, hackers find and exploit vulnerabilities in the security of a system or device and, once in control, access private or sensitive information, alter or delete data, or carry out other malicious activities.

How weak passwords threaten our world.

Now that we've covered some of the (bad) habits we adopt (in an attempt to make our lives easier), let's look closer at the risks to ourselves, others, entire platforms and information that lives all over the world when attackers gain control. Here are some unintended consequences of weak passwords:

#1 Unauthorized access

When your password is hacked and used without authorization, attackers gain access to your account and have potentially unlimited control over it. An attacker can perform malicious activities like stealing personal information, spreading malware, impersonating users, or even carrying out financial fraud.

#2 Privilege escalation

If your account is compromised, an attacker can use your account to escalate their privileges within the platform. For example, they may gain administrative access, allowing them to manipulate the platform's settings, data and functionality.

#3 Credential stuffing attacks

Once your password is hacked, attackers try using your stolen credentials on other platforms where you may have used the same password, causing multiple platforms to be breached - a crime spree.

#4 Data breaches

Hacked passwords can lead to significant data breaches. If a platform stores your passwords in an insecure manner (some actually store your password in plain text instead of using encryption or hashing), the entire database of passwords becomes exposed to attackers, providing them with the potential to access multiple user accounts, and on multiple platforms if users re-use their passwords - an exponential crime spree.

#5 Phishing and social engineering

With hacked passwords, attackers can send phishing emails or text messages that appear to come from the platform itself. The plan is to trick you into revealing more information about yourself. By using your compromised account, hackers' scams appear credible and their chance of success increases. Essentially, your compromised account cloaks the criminal and gives them safe harbour.

Security in the wild.

While it's crucial that platforms implement strong security measures like using hashing and salting when storing passwords, forcing users to create strong passwords, and implementing multi-factor authentication, you play a key role in creating a safe, private and free cyber world by not trading security for ease.
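To show what "hashing and salting" buys a platform, and what a lockout after repeated failed logins does against automated guessing, here is an added example (not from the post): a toy account store in Python that keeps only salted scrypt hashes, never the password itself, and locks an account after five wrong guesses in a row. The usernames, the lockout threshold and the scrypt parameters are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# scrypt work factors (assumed for this demo; raise them as your hardware allows).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32
MAX_FAILED_ATTEMPTS = 5  # lock the account after this many wrong guesses in a row


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt hex>$<key hex>'. A fresh random salt per user means two
    people who chose the same password still get different stored values."""
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    algo, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        return False
    recomputed = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(recomputed, bytes.fromhex(key_hex))


class UserStore:
    """Minimal account database: it keeps only salted hashes, never the password itself,
    and counts consecutive failures so an automated guessing run trips the lockout."""

    def __init__(self) -> None:
        self.hashes = {}    # username -> 'scrypt$salt$key'
        self.failures = {}  # username -> consecutive failed logins

    def register(self, username: str, password: str) -> None:
        self.hashes[username] = hash_password(password)
        self.failures[username] = 0

    def is_locked(self, username: str) -> bool:
        return self.failures.get(username, 0) >= MAX_FAILED_ATTEMPTS

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Unknown users get 'denied' too, so the
        response does not reveal which usernames exist."""
        if username not in self.hashes:
            return "denied"
        if self.is_locked(username):
            return "locked"
        if verify_password(password, self.hashes[username]):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "locked" if self.is_locked(username) else "denied"


if __name__ == "__main__":
    store = UserStore()
    # Constructed accounts: the post's jfrost@gmail.com and a second user with the same password.
    store.register("jfrost@gmail.com", "Corr3ctHorseBattery$taple")
    store.register("someone-else@example.com", "Corr3ctHorseBattery$taple")
    print("same password, different stored hashes:",
          store.hashes["jfrost@gmail.com"] != store.hashes["someone-else@example.com"])
    print("correct password:", store.login("jfrost@gmail.com", "Corr3ctHorseBattery$taple"))
    for guess in ["password", "123456", "qwerty", "P@ssw0rd123", "Lakegirl1!"]:
        print(f"guess {guess!r}:", store.login("jfrost@gmail.com", guess))
    print("correct password after lockout:",
          store.login("jfrost@gmail.com", "Corr3ctHorseBattery$taple"))
```

A plaintext store would let a breach hand out every password directly; here a breach exposes only salted hashes that must be guessed one user at a time, and the lockout caps how many guesses an online attacker gets.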

Symptoms that you've been hacked.

You cannot always tell you're hacked, but here are some clues that strongly suggest at least one of your accounts has been compromised:

#1 Unexpected or unauthorized account activity

If you notice unrecognized financial transactions, posts, messages or changes in settings, there's a real chance you've been hacked.

#2 Password change or reset notifications

If you receive a message or email from your platform about your account requesting a password reset, account change, or new device to be used, and you did not initiate it, there's a good chance you've been hacked. These messages are commonly used by platforms to confirm it's you who initiated the activity. If it was you, you can delete the message and carry on. If this activity is a surprise, the message usually contains a link that you can click or touch that will start a process to secure your account. Warning, it's a wild world out there. Double check the email address that sent you the notification - it must clearly prove that the message or email is from the platform. If in doubt, don't click, as the message is quite possibly a phishing attempt.

#3 Inability to access your account

If you're suddenly unable to access your account, and you're sure you're using the right credentials (username + password), there's a good chance your account has been hacked and the hacker has changed your password.

#4 Unusual emails, messages or friend requests sent from your account

If your friends and contacts tell you they're receiving unusual emails from you and you did not send them, you've been hacked. If you receive unusual emails, messages or friend requests from a contact or friend, ask them if they did in fact author the message - they may have been hacked. ... and don't click on links in the message or reply to the message, or you're next.

#5 Increased spam or phishing emails

Spam is unsolicited (unasked for) and unwanted messages, usually sent in bulk, typically by email. Messages are often commercial in nature, aimed at promoting products or services, but can also contain fraudulent or malicious content. Spam is usually sent to a large number of recipients (like your whole contact list), without your consent. In addition to being annoying and inconvenient, they may be a security risk. Phishing is a type of cyber attack where the attacker pretends to be someone trustworthy, like your bank, school, internet service provider and even Microsoft. The goal is to deceive individuals into sharing sensitive information such as passwords, credit card details, or social insurance numbers. This is usually done through deceptive emails, fake websites, or instant messaging. People are manipulated, often through fear, into providing personal information, resulting in their identity being stolen, financial fraud or unauthorized access to accounts. Err on the side of caution if you receive this type of email. Many institutions have adopted policies to never request personal information by email. If you receive a suspect message and are unsure if it is valid, contact your institution directly, by phone, to verify the message's authenticity. Increased spam and phishing messages are a good indication that either your account or a contact's account has been hacked.

#6 Profile changes

Any unexpected changes to your profile, your picture, bio, display name or linked sites, is a sign that your account has been hacked.

#7 Unfamiliar devices or locations

Many platforms send you information when you log onto a new device or use their service from a new location. If it's you, you can delete the message. If the notification concerns you, you were probably hacked.

If hacked.

If you suspect that your account has been hacked, take immediate action to secure it. Change your password, enable two-factor authentication if available, review your account settings for changes you did not initiate, and contact customer support either from the platform's website or by telephone for further assistance. If you've received an email or message warning you of suspicious activity on your account, look closely at the email address that sent you the message. If the message is from a fraudulent source, it does not mean your account has been hacked. The message itself is phishing for a victim. Don't let it be you. Do not click on links in the message. Contact service providers directly on their website or by telephone to confirm the message's validity. Many institutions have adopted a policy to not request sensitive information by email as a way to curb cyber crime.

The way to stronger passwords.

No password is entirely foolproof, but these practices are game changers:

#1 Lengthen the password

Longer passwords are generally harder to crack. Aim for a minimum of 12 characters, but the more, the better. Example: "My$uns4ine123!"

#2 Use a mix of character types

Incorporate a combination of uppercase and lowercase letters, numbers, and special characters to add complexity. Example: "My$uNs4iNe123!"

#3 Avoid personal information

Do not use easily guessable information like your name, username, birthdate, or common words. These types of passwords are susceptible to dictionary attacks. Example: Do not use "John1985"

A dictionary attack is where an attacker uses a list or "dictionary" of commonly used passwords or known words to systematically guess and try different combinations of usernames and passwords. Usually automated software is used that rapidly inputs combinations, aiming to gain unauthorized access to systems or accounts. Dictionary attacks are commonly used on email accounts or online accounts to exploit weak or easily guessable passwords.

Complex passwords, system lockouts after a certain number of failed login attempts (something a platform needs to implement), and other characteristics of strong passwords help fight dictionary attacks. Enabling multi-factor authentication provides tremendous help in stopping dictionary attacks.

#4 Avoid common passwords

Avoid using frequently used passwords, like "password," "123456," or "qwerty." Cyber attackers try these combinations first. Example: Avoid "P@ssw0rd123"

#5 Use passphrases

Consider creating a passphrase by combining multiple unrelated words, making it easier to remember while still providing strong security. Example: "Corr3ctHorseBattery$taple"

#6 Don't reuse passwords

Each account should have a unique password. If one account gets compromised, using the same password across other platforms will leave you vulnerable.

#7 Regularly update passwords

Change passwords every 3 to 6 months. Passwords kept for longer pose a greater risk of being hacked.

#8 Consider using a password manager

A reputable password manager will generate and store your passwords securely. You can have complex passwords without the need to remember them all. These tools provide serious pain relief.

#9 Enable two-factor authentication (2FA) or multi-factor authentication (MFA)

Add a layer of security by enabling two-factor authentication, which requires a second form of verification, like a fingerprint or temporary code. This small step tremendously increases the security of your accounts.
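As an added example (not part of the post), here is a small Python checker that applies rules #1 to #4 above to a candidate password: minimum length, a mix of character types, no personal information, and not a common password even after letter-for-symbol swaps like "P@ssw0rd". The profile values, the short common-password list and the substitution table are constructed for the demo.

```python
import re

# Passwords that attackers try first (a short, constructed sample of the usual lists).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome",
    "admin", "iloveyou", "abc123", "monkey", "dragon", "football",
}
# Undo the usual letter-for-symbol swaps so "P@ssw0rd" is recognised as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "1": "i",
                      "4": "a", "5": "s", "7": "t", "!": "i"})
MIN_LENGTH = 12

REASONS = {
    "too_short": f"shorter than {MIN_LENGTH} characters (rule #1)",
    "missing_upper": "no uppercase letters (rule #2)",
    "missing_lower": "no lowercase letters (rule #2)",
    "missing_digit": "no digits (rule #2)",
    "missing_special": "no special characters (rule #2)",
    "personal_info": "contains your name, username or birth year (rule #3)",
    "common_password": "is a commonly used password, even with substitutions (rule #4)",
}


def core_word(password: str) -> str:
    """Strip the digits and punctuation people bolt onto the ends, then undo leet swaps."""
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password)
    return stripped.lower().translate(LEET)


def personal_tokens(name: str, username: str, birth_year: int) -> list:
    """Pieces of personal information that must not appear in the password."""
    tokens = name.lower().split() + [username.lower().split("@")[0], str(birth_year)]
    return [t for t in tokens if len(t) >= 3]


def check_password(password: str, name: str, username: str, birth_year: int) -> list:
    """Return the list of rule codes the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.isupper() for c in password):
        problems.append("missing_upper")
    if not any(c.islower() for c in password):
        problems.append("missing_lower")
    if not any(c.isdigit() for c in password):
        problems.append("missing_digit")
    if not any(not c.isalnum() for c in password):
        problems.append("missing_special")
    lowered = password.lower()
    if any(token in lowered for token in personal_tokens(name, username, birth_year)):
        problems.append("personal_info")
    if lowered in COMMON_PASSWORDS or core_word(password) in COMMON_PASSWORDS:
        problems.append("common_password")
    return problems


if __name__ == "__main__":
    # Constructed profile for the post's example user, jfrost@gmail.com.
    profile = dict(name="John Frost", username="jfrost@gmail.com", birth_year=1985)
    for candidate in ["John1985", "P@ssw0rd123", "Lakegirl1!",
                      "My$uns4ine123!", "Corr3ctHorseBattery$taple"]:
        problems = check_password(candidate, **profile)
        verdict = "OK" if not problems else "; ".join(REASONS[p] for p in problems)
        print(f"{candidate!r}: {verdict}")
```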


Technology tools for secure, pain-free passwords.

I've explained all the terrible truths that result from weak passwords to build your appreciation of and commitment to strong passwords. Change is often difficult, and learning the consequences of our actions can be a powerful motivator. You're welcome (: Still, my long list of things to do for you to be a force of security, privacy and freedom is daunting - I admit this. The good news is, because of our shared pain, power tools have been invented to help get this job done. Let's look at them.

#1 Two-factor authentication and multi-factor authentication (MFA)

Two-factor authentication (2FA) and multi-factor authentication (MFA) are both security measures used to protect your accounts by requiring additional verification steps beyond just a password. Platforms need to offer two-factor or multi-factor authentication for you to use them. The main difference between the two lies in the number of verification factors used. Two-Factor Authentication (2FA) is a security process that requires two separate and distinct verification factors to prove your identity. These verification factors are usually from these three categories:

  1. knowledge (something you know, like a password or PIN)

  2. possession (something you have, like a smartphone or hardware token - a code generated by a device other than the computer or network being accessed), and

  3. inherence (something you are, like biometric data - fingerprints, facial features, iris patterns, voice prints, hand geometry, and more).

The most common example of 2FA is when you enter a password (knowledge) followed by a code sent to your phone (possession). Multi-Factor Authentication (MFA) uses multiple factors to authenticate you. It goes beyond the two factors required in 2FA and can include additional categories, like time-based factors or location-based factors. For example, MFA might require a password (knowledge), a fingerprint scan (inherence), and a time-based one-time password (possession). MFA provides an extra layer of security by combining various factors. Depending on a platform's requirements, enrolling in 2FA and MFA involves setting up security questions, tying a phone number to an account, scanning your fingerprint, and possibly downloading a mobile app that can manage authentication to multiple platforms.

#2 Password Managers

Here's a rundown of password managers you already have on your computer and device.

Windows Credential Manager

Windows computers have a built-in security feature called the Windows Credential Manager to generate and store passwords. The Credential Manager provides a password generator tool that can create strong and secure passwords for various applications, websites, and services. The feature does not provide an option to automatically generate passwords for all applications or services across the system. The Credential Manager is primarily used to store and manage passwords securely, with the option to generate a new password when needed. The Credential Manager is located in the Control Panel. Like all other apps and settings, the Credential Manager can also be found by searching for it from the search bar located on the task bar. Passwords cannot be automatically synced between your computer and mobile device. Passwords stored in browsers and cross-platform password managers are not stored in the Credential Manager.

Browser password managers

Browsers provide a built-in password manager that allows users to save their passwords for different websites.
Though each browser is a little different and uses different encryption techniques, they function like this:

  1. User Input: When you enter your username and password on a website, the browser prompts to save the password.

  2. Password Encryption: The browser encrypts the password using algorithms like hashing or one-way encryption. This process converts the password into an unreadable format that cannot be easily reversed.

  3. Password Storage: Once encrypted, the browser stores the password locally on your device. It usually saves the password in a secure database or file.

  4. Password Database: Browsers typically have a password database where the encrypted passwords are stored. The database may use additional security measures like master passwords to protect the stored passwords.

  5. Retrieval: When you visit a website, the browser recognizes the website's login page and offers to fill in the saved password from the password database.

  6. Autofill Functionality: Browsers may also offer autofill functionality, which automatically fills in the saved username and password for known websites.

Most modern browsers also offer password synchronization across devices, so that you can access saved passwords on multiple devices securely. For passwords to be synced across devices from a specific browser, you must sign in to the browser on all devices that you want synced. Passwords stored in other browsers and in the Credential Manager are not accessible unless you import passwords from other browsers and manually enter passwords from the Credential Manager.

Cross-Platform Password Managers

Cross-platform password managers work by securely storing and encrypting your passwords on a server or in the cloud. Here's how they typically work:

  1. Account Creation: You create an account with the password manager service by registering with your email and setting up a master password. This master password is the only password you need to remember thereafter.

  2. Encryption: The password manager encrypts your passwords using strong encryption algorithms such as AES-256 before storing them. This means your passwords are unreadable and protected against unauthorized access.

  3. Synchronization: The password manager offers apps or extensions for various platforms like Windows, macOS, iOS, and Android. These apps synchronize your encrypted passwords across all your devices, ensuring you have access to them wherever you need, regardless of the platform.

  4. Autofill and Form Filling: Password managers integrate with your web browsers and other applications to provide autofill functionality. When you visit a website or app that requires a password, the password manager will automatically fill in the credentials for you.

  5. Two-Factor Authentication (2FA): Password managers often support two-factor authentication as an extra layer of security, and can verify your identity using a secondary authentication method like biometrics, authenticator apps, or hardware tokens.

  6. Password Generation: Cross-platform password managers also help generate strong, random passwords for your accounts. This promotes better security practices since you won't have to remember complex passwords.

  7. Secure Data Transfer: Password managers use secure protocols like SSL/TLS when transferring your data between devices and servers, ensuring that your passwords remain encrypted during transmission.

  8. Backup and Recovery: Most password managers provide options to back up your encrypted password database. This enables you to recover your passwords if you ever lose access to your account or devices.

Overall, cross-platform password managers are the most convenient, versatile, complete and secure way to store, manage, and access your passwords across different devices and platforms, without compromising your safety.

NordPass - NordVPN Cross-Platform Password Manager.

If you're going to implement a cross-platform password manager, I recommend the NordPass that comes bundled with NordVPN. NordPass offers:

  • two-factor authentication

  • biometric security

  • robust XChaCha20 encryption

  • password health checker

  • password generator

  • data breach scanner

  • secure, encrypted sharing with your other devices

  • and it's bundled with NordVPN, one of the single most important tools you can use to counter the growing internet surveillance in our country

In closing.

Did we slay the password monster? I'd say, Yes! And thanks for sticking through to the end. This topic had a lot of unpacking. Using good habits to create passwords and recognizing hacks go a long way in protecting everyone's identity. Adding two-factor authentication and a password manager to your devices will make you a strong link in the security chain.

If you decide to implement the NordPass cross-platform manager (which comes bundled with NordVPN) and need a hand, check out my post that will be coming out shortly, Steps to implement a cross-platform password manager - it's a how-to I'll create that includes tips on how to make this task painless. Also, if you haven't already, read 3 reasons a VPN is the next app you should install on your device. A VPN is a solution that creates a secure, private, and uncensored connection between your device and the internet. Learning about and implementing a VPN is a powerful way to combat internet surveillance, a growing concern in our country and the world.

I just want to encourage you... If technology is causing you pain, I promise, knowledge will set you free. Keep learning. Learning how things work and about tools that empower you will promote our collective best possible future - a place where words like privacy, security and freedom describe our nation.

Darcey Lynne Thorn of the Wildrose

Need technical support? Contact us. We're able to help you virtually, where you are. Don't miss a lesson - Subscribe to our newsletter here, and we'll email you every 2 weeks with a list of what's new at The View from Inside.




















