Wednesday, May 13, 2015

Password Policy Best Practices | 4 Ways Being Hacked Educated Me


Password Policy Best Practices

Here at HackerAttacker, we talk a lot about how to protect yourself from hackers of all shapes and sizes (or colors, as it were).  What we rarely talk about is what it is like to actually be hacked.  There are countless examples of individuals being hacked (and we’ve talked a lot about some big company hacks as well), so you know it isn’t some rare occurrence.  Today, I’m going to talk about some password policy best practices I learned from being hacked myself, and how the experience changed the way I approach my online security.


Now, I didn’t get hacked at work, and no outsider breached my business e-mail or digital profile.  The breach in my personal life came by way of my personal Gmail account, which the attacker then used to get into an online gaming account.  I followed all of the recommended steps following an e-mail breach, and nothing significant was lost.  However, the breach illustrates how much influence a successful hack can have on your life, be it personal or business.  Do take care and learn from my mistakes.  Below are 5 ways that being hacked changed me, a discussion of some password policy best practices, and some suggestions for how you could be affected if your digital identity is breached.

4 Ways Being Hacked Changed Me – Password Policy Best Practices


If one account gets hacked, you immediately think of all other accounts that are linked to it


One of the first things that came to mind when I was hacked was where else I had used that particular password.  I had to go back through all of my digital personas: other email accounts, social media, shopping websites, everywhere I may have used the cracked password or a variation of it.  The whole exercise didn’t take very long, and changing and updating passwords is a simple matter, but it made me realize how important it is to NOT use the same password in multiple locations.  Seriously.  DON’T DO THAT.  If the hacker who breached my account had dug deeper into my Gmail, aside from using it to access an online game and wipe out countless hours of devotion, he/she could have wreaked havoc on my digital life.

Most of us skim past the password best practices guides online that tell us not to reuse passwords in multiple locations.  This is even more dangerous when we believe our password to be a strong one.  After all, as the old adage says: if it ain’t broke, don’t fix it.  Well, let me tell you, once a hacker knows the one password that breached an account, it is far easier for them to get into your other accounts just by trying that tried and true combination everywhere else.  Don’t make their job any easier than it needs to be – change your passwords often, and keep them different for different services.

You are always on the lookout for weak passwords.


Speaking of passwords and password strength, another thing that being hacked changed for me was my paranoia around weak passwords.  Every new service that I sign up for asks me for a password, and I now devote far more time than the typical user to creating one.  It only takes one small data breach in your personal life to realize just how weak some passwords really are.

It’s kind of funny in a way, because now that I’ve been hacked and survived, I’m always preaching to my friends whenever I can successfully guess their passwords (people still don’t have a great grasp on what actually makes a ‘strong’ password).  It’s all in good fun, but it is also an eye opener for them.  Sure, I know them better than any digital stranger would, but access to social media and the various digital services that reveal any information about you is enough for many hackers to build a rough picture to start digging from.  I thought my initial Gmail password was strong because it had literally nothing to do with me, yet some stranger broke it without even knowing who I was (I later looked into the issue and found that the IP address was located in China.  It may have been routed through there, but given the nature of the breach, it seems likely that this was around the right area).

You realize how insecure passwords really are.


Another shocker that comes with the fallout of being hacked is the realization that passwords are, for all intents and purposes, extremely weak!  It’s a world-shattering realization when everything comes crashing down around your ears because someone figured out one simple combination of words and letters.  As soon as I started updating and changing my old passwords, I realized that no matter how strong and apparently random they were, there was always a chance that someone, or something (automated brute force tools, for example), might be able to break right through.  Now, I’m not hiding nuclear launch codes or plans for world domination (aside from a couple of what-if storylines, but who doesn’t have those?), but imagine if I were?  Even enabling a two-factor solution seems like a stopgap to me when I look at authentication in its various forms.

One thing that being hacked truly taught me was the need to step away from the password and find something more secure.  For starters, a lot of programs have additional security measures that you can enable, but that’s really just another bump in the hacker’s road.  Microsoft has been stepping towards facial recognition and other simple forms of biometrics to enable stronger authentication, but true security is still a ways away.  In the meantime, passwords are here to stay, and following certain password policy best practices is a great start until security catches up with our individual needs.

Reusing passwords becomes almost painful.


After going through the process of checking, changing and otherwise strengthening my various preexisting passwords, the idea of reusing any of them has become repulsive to me.  Every single time that I am asked to create a password, I still instinctively begin typing in a variation of my favorite password before I realize how terrible an idea that really is.  Looking at it through the lens of a victim, I chastise myself at every account creation and come up with something unique every time.  It’s definitely not easy, but it is necessary.  I don’t want the next attacker to be the one who realizes that accessing multiple accounts could lead to some financial gain.  I’d rather struggle every once in a while to remember a password than have the next breach of my data take place via my workplace accounts.

There are plenty of solutions out there, for both individuals and corporations.  The decision really boils down to whether you want to put your trust in a freeware solution hosted locally on your machine, or in a technical company that has experience with authentication solutions for businesses of all sizes.  Password management is a simple way to make maintaining a strong online presence as painless and convenient as can be, and it should definitely be considered when keeping track of multiple passwords, minimizing password resets and data breaches in one fell swoop.

BONUS! You back up files in multiple locations, including off the web


As far as best practices go, along with the fallout of being a victim of a hack, here’s a bonus for all of you intrepid readers out there: back up everything important to you in multiple locations – especially off the web.  One of the things that hit me hard when I was hacked was just how much I stood to lose.  I don’t just mean financially, but intellectually as well.  I am a writer, so I have various stories, poems, and other works that I constantly edit and work on all over the place.  One of the locations in which I store some of these items is Google Drive.  When my Gmail was hacked, however, I realized that the attacker could easily have logged into my Google Drive account and deleted all of my files there!  As a result, I now back up my important documents locally, on multiple devices, so as to minimize the risk associated with any breaches that may happen in the future.  Ideally, this would not happen again, but with the evolution of the digital age, it is only natural to assume the digital attacker will evolve as well.

If you have anything important that you save over the web and could not stand to lose, invest in a local, external hard drive with no network access for your backups.  It may seem like another hassle, but it’s easy for a hacker to break through a network, and it is much harder for one to get at an external drive unless they can physically access it.  When it comes to securing what is important to you, is there really anything you wouldn’t do?

So there you have it: what being hacked taught me about password policy best practices, and what you can do today to keep yourself from being added to the list of victims.  Consider adopting some of these password policy best practices in your personal and business life to minimize the risk of digital threats that could bankrupt you, or cause your business some undue harm.  As always, stay strong and be prepared.  We are the HackerAttacker nation.
