Imagine that you own a castle. As a proud owner of such an impressive, shiny fortress, you’ve likely got defenses – a sturdy wall and a heavy gate to protect your valuables. When an advancing army approaches, however, you don’t necessarily want them to test that security. You wouldn’t even lower the drawbridge!
Your passwords function the same way and are your first line of defense to keep bad guys from ever even getting a foothold near your digital hoard.
Welcome to the 6th installment of The Guardian Papers, where we walk you through how you can protect yourself from the digital miscreants who seek to steal, cheat, and otherwise destabilize our beloved community.
As the blockchain revolution continues to provide opportunities for people all over the world, those who lurk in the shadows are always eager to prey on the unaware. It is our goal with this series to educate and empower our community to resist and repel the monsters who hide out there in the digital darkness, so that we all can be safe, secure and more prosperous as we build a better future together.
Miss an issue of The Guardian Papers? Catch up below!
In the next few articles, we’ll be talking about security fundamentals that apply to all aspects of digital defense. We’ll rotate back to the Gala community specifically soon, but for now these are fundamentals that everyone should learn, and that are often highly exploited in the blockchain world.
What Makes a Password Secure?
Nearly everybody has countless passwords across their digital profile, so you’d think that creating secure passwords is a skill that everybody just picks up early on in life. Unfortunately, despite most people knowing better, many people are still using incredibly unsafe practices with their passwords that can leave your digital assets vulnerable to the bandits of the blockchain frontier.
Increases in technology bring many extra tools to help keep your assets secure, but also give your enemies more sophisticated weaponry to use against you, which makes it more critical than ever to use strong and secure passwords throughout your entire online ecosystem.
Length and Variety
Different platforms have differing minimum criteria for the length and character variety of passwords, and it’s never a bad idea to go overboard. With current computing power, a cybervillain could potentially attempt billions of passwords per second. While this may be limited somewhat by network security features on some platforms, longer and more varied passwords mean more combinations will be required to guess yours.
If you were using a 7-digit password that consisted only of numbers, that password would have 10 million possible combinations (0000000-9999999). Take that same 7-digit password and include capital and lowercase letters as well– now you have 62 possible characters per digit. This would increase the possible combinations of correct answers to a little over 3.5 trillion, still with only 7 characters in the password.
Uniqueness
Not only do you want your passwords to be unique for each of your accounts, but ideally you want them to not be a combination of characters that no one else would have ever thought of in their wildest dreams. Including dictionary words or common mnemonics like a year could leave you vulnerable to hackers looking for low hanging fruit.
Your password shouldn’t be something familiar or easy to remember– the entire point is to make it something that only you know.
This may seem like common sense to many digital veterans, but repeatedly data breaches have shown that things like “password”, “123456” and “qwerty” are the most commonly used passwords throughout the world. Using any common phrases in your passwords makes you the nice, soft target that the enemies of digital sovereignty are after.
Fun Fact: According to a study last year by NordPass, here are the top 10 passwords used worldwide:
1. 1234562. admin
3. 12345678
4. 123456789
5. 1234
6. 12345
7. password
8. 123
9. Aa123456
10. 1234567890
Don’t be like these people. Make your passwords secure.
Anonymity
If someone is going to try to penetrate your personal passwords, the best place to start is often for them to know their enemy– you! If personal information that they can glean from public records or social media gives them insight into what your passwords may be, they may be able to breach all of your security before you even see them coming.
Using your birth year, your pets’ names, your children’s names or anything simple to guess with just a little information about you is incredibly unwise. Especially if you use similar mnemonics on all your passwords, one glance at your Instagram profile may have given a hacker all they need to clean out your digital hoards.
Common Password Vulnerabilities
Constructing strong and secure passwords certainly helps keep your defenses high. Secure passwords can still have vulnerabilities, however, and it’s extremely important to know all the angles that your password security could potentially be attacked from.
The Human Element
While many insecure passwords are often “brute forced” by miscreants with a program that can guess combination after combination, some are obtained through phishing attempts as we’ve discussed in our previous Guardian Papers profiling the common scams in the blockchain world. This is never to be taken lightly, as criminals will continue to develop new ways to trick your information out of you.
Your passwords are yours, and should never be shared. Even here at Gala, we’ll never ask for your password or keys– anyone who does is up to no good.
Even if you have excellent security and top-notch passwords, one error in judgment can still be exploited to ransack your digital fortress. There is no reason to share personal data or password information with anyone over email, Discord or any social media.
The scammers multiply because their methods get results. This is why it’s absolutely critical that the community here at Gala and throughout the entire blockchain frontier helps educate and empower their fellow digital pioneers. Once every member of the blockchain world is familiar with and prepared to fight off these attacks, these monster’s food source will dry up.
Data Breaches
As massive data breaches have repeatedly shown in recent years, even secure information can be compromised and leaked when the defenses of organizations that you trust are compromised. If your passwords are stored with an organization who has been breached, you need to consider that password or any variation on it compromised forever. After a breach, that information is compiled in lists and distributed all over the dark side of the digital world, and information is forever.
In 2020, white hat hacking group FireEye identified a worldwide breach in the SolarWinds software. SolarWinds was a network management company with a global presence, and over 18,000 compromised clients were identified in the breach. FireEye noticed the breach quite by coincidence, but the systems had been compromised for more than a year.
This breach was later determined to be coordinated by the Russian Foreign Intelligence Service, and by leveraging the breached systems within SolarWinds for many months, they were likely able to access a significant portion of protected information across the entire global internet.
Read more about the breach from the US Government Accountability Office.
To limit your vulnerability to data breaches that are beyond your control, never use the same password on more than one account. If one of your accounts is compromised, the last thing you want is for that to just open the door to all your defenses. Changing your password frequently will help you stay ahead of any breaches that may happen.
Most importantly, don’t trust your password information to entities when you don’t have to. Always think critically about whether you really want to share sensitive information with organizations before you have a chance to regret it. Rather than having a device remember your sensitive passwords, store them offline whenever possible– an old fashioned paper and pencil is about as unhackable as you can get.
Password Managers and Single Sign On
Password managers and single sign on (SSO) can be a great way for people to securely protect their individual credentials without getting lost in the tangle of hundreds of secure and confusing passwords.
These tools crucially only work, however, if you use them securely. If you aren’t going to follow good security practices without a password manager, then putting all your credentials into one could just be shoving your eggs all in one basket for a scammer.
If you choose to use a password manager, make sure that you follow all recommended precautions and protect your credentials to that password manager. Make sure you are choosing a reputable and well-known password manager to use… the last thing you want is to try some brand new password manager, only to find that you’ve been had by a phishing attempt that now has all your passwords!
Hold the Line
Most of the time that digital defenses are infiltrated, it’s through the front door– a password. How secure can you expect your personal estate on the blockchain to be with a wimpy lock on the front gate? Even with the extra layers of security we’ve discussed throughout this series such as private keys, and the precautions we’ll discuss moving forward (looking at you 2-factor authentication!), if your passwords are penetrated the enemy is already inside your defenses.
The best way to make sure you stay entirely secure is to keep that gate locked tight.
Maintaining secure passwords and protecting them from the grips of the enemy prevents any part of your digital profile from being compromised. Even one account being breached represents a chink in your armor that could then give way to other vulnerabilities. Keep your defenses battle ready at all times and don’t let anything past your guard.
The Advance Guard
As we continue to advance through The Guardian Papers, it’s our hope here at Gala Games that we’re contributing a collection of resources for the community to reference and share, so that we can all power-up our defenses against those who would do us harm.
For our next installment, we’ll stick to fundamental security and discuss 2-factor authentication and multi-factor authentication. As this series progresses beyond this module, we’ll rotate to an increasing focus on issues that are incredibly relevant to not only the community here at Gala Games, but the entire cryptoculture as well.
It is our sincerest hope that this series not only empowers you to defend your sovereignty on the blockchain, but also inspires you to empower others throughout our beloved community.
Stay safe guardians!