Password security tips for truckers
The 21st century has brought professional truckers many great technological advancements, but it also poses new challenges, from mandatory e-logs to the topic of this post: password security tips for truckers. We’ve all heard that it is important to have a strong password, but why?
Why is password security important?
We care about your security and strive for state-of-the-art encryption systems, but unfortunately, the same is not always true for all the services you use. If a service you use gets hacked, you are at risk of all your services being hijacked.
Consider this scenario: You, like most people, use the same one or two passwords for everything, from Facebook to your online banking. Your favorite web forum, faketruckerforum.com, gets hacked, and because they don’t really care about their users, they don’t let you know. The hacker is just out for a quick buck, and sells all the users’ data, including yours, to a professional group of identity thieves. These people now have your email address, password, DOT Number, MC Number, CB handle, and company details.
While not all the information is useful to an identity thief, they have enough information to access your bank accounts, take out loans in your name, and access illegal online services with your identity.
The consequences for you may be catastrophic. If you are lucky, a few calls to your bank and/or your local government offices will get you back on track. If you’re not lucky, you could be accused of crimes, or be stuck in a recurrent loop of identity theft. While the example above is quite extreme, it can, and has, happened.
What is a strong password?
Unfortunately, digital security is an arms-race between service providers and hackers. This means that advice that holds now may not in five or ten years. But here are the most current tips:
- Never use common passwords. Here is a list of the worst 500 passwords of all time. Yes, avoid all of them. It might take us a long time to type all those passwords, but a computer does it in a split second.
- Use a mixture of upper and lower-case letters, numbers, and symbols, when you can.
- Avoid personal information such as names and dates. These can be deduced if you specifically are being targeted.
- Aim for 12+ characters. In this case, bigger is better.
- Just replacing ‘I’s with ‘1’s, or making any other such substitution, is not enough. Hackers know you do it, and it is the second thing they’ll try (right after the list above).
- Use randomly generated passwords. This maximizes complexity and more complexity is better.
Other security tips
- Never re-use a password. This way if any of your accounts are compromised, even an important one like your bank or the CRA or IRS, the damage is limited to that account, and fraudsters cannot build a profile of you.
- Use a password manager. Ok, so you shouldn’t re-use passwords, but it is also unreasonable to memorize potentially dozens or hundreds of passwords. This is where password managers, often free, like LastPass or Dashlane come in. They encrypt all your credentials behind state-of-the-art security. If you are using such a service, remember to read up on how to best use it.
- Make sure your password isn’t stored as plaintext. This means that somewhere in the service’s database, there is a line with your password, character for character. A common indicator this is the case is if the company emails you the password after sign-up or when you hit the ‘Forgotten Password’ button. Find more info and sites known to store in plaintext.
Some technical explanations
This is what a good security implementation looks like:
On signup or password changes:
1. You submit your password.
2. The password is sent to the server over an HTTPS connection.
3. The server appends a random string of characters to the password. This is called salting.
4. The server encrypts the salted password using a cryptographically secure one-way (hashing) algorithm, so the result cannot be turned back into the password.
5. The server stores your username, the salt string, and the outcome of the encryption, never the password itself.
On login:
1. Same as steps 1 and 2 above.
2. The server gets your salt string from the database.
3. The server encrypts the submitted password combined with that salt, using the same algorithm.
4. The server compares the outcome to what is stored in the database. If it matches, you must have entered the same password and you can continue; otherwise, it returns an error and you need to re-enter your password.
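The signup and login steps above, written out as an added Python example (not code from 123Loadboard or the author). It assumes PBKDF2-HMAC-SHA256 from the standard library as the “cryptographically secure algorithm” and an in-memory dictionary as a stand-in for the server’s database.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the server database: username -> (salt, hash).
# Note that the password itself is never stored.
USERS: dict[str, tuple[bytes, bytes]] = {}

# Work factor for PBKDF2-HMAC-SHA256; kept modest here so the example runs
# quickly. Production deployments should use a much higher value.
ITERATIONS = 200_000


def derive(password: str, salt: bytes) -> bytes:
    """Signup steps 3-4: combine password and salt, run it through a slow one-way function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Signup step 5: generate a fresh random salt per user and store username, salt, hash."""
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, derive(password, salt))


def login(username: str, password: str) -> bool:
    """Login steps 2-4: fetch the user's salt, re-derive, and compare to the stored hash."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time does
        # not reveal which usernames exist.
        derive(password, b"\x00" * 16)
        return False
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(derive(password, salt), stored)


if __name__ == "__main__":
    register("driver1", "correct horse battery staple")
    print(login("driver1", "correct horse battery staple"))  # True
    print(login("driver1", "wrong password"))  # False
```

Because every user gets a different salt, two truckers who pick the same password end up with different stored hashes, so a leaked database cannot be matched against a precomputed list of common passwords.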
Blog content contributor
Bjorn Huntemann, Developer @ 123Loadboard