Pidsec

A Guideline On Password Generation Methodology

How to make strong passwords while, through compartmentalization, keeping the compromise of one online platform from spreading to all of the others

I have gravitated towards hacking ever since I first got my hands on computers in the late 90s. Later, in the post-9/11 era, when email became an everyday tool for ordinary people, I realized the value of pseudonymity. Even in those days I never divulged accurate information about myself; I typically gave false names, false dates, and so on. When the social media sphere began to mature around 2008-10, I realized that all of your data was eventually going to bite you, and the value of pseudonymity only reinforced itself. From that time on I understood the importance of anonymity, privacy, the fine art of exploitation and, most of all, the value of misinformation (pseudonymity). When you divulge personally identifying data about yourself, even compartmentalized by app function (a phone number for banking apps, an address for social apps, employment data for apps like LinkedIn, and so on), you are still providing an overall profile of yourself that an attacker can assemble with little effort once those pieces leak. Let us define what "hacker" means here, because most people have a distorted picture of it: they imagine some punk 13-year-old kid doing it for money. "Hacker" can encompass individuals, groups, agencies, governments and so on who wish to exploit data for a multitude of purposes, not just monetary gain. To be more precise, the hacker in this article is more accurately called an "attacker", because most hackers are NOT attackers. To coin an adage: "all attackers are hackers, but not all hackers are attackers".

A basic online rule you should know is that anything uploaded online has the potential to become someone else's property. Anything uploaded is de facto "not yours", even if the platform keeps it behind a password and encrypts it at rest. You should therefore expect that this data can be leaked by any number of means: the platform could betray you, the platform could be breached, or a government can simply ask, or force, the platform to hand you over, and you're toast. Thus I am an advocate of fortifying your opsec (operational security). I have a plethora of steps and methods to employ; I'll list them after the second rule.

A second basic rule is that if you do upload data about yourself, of any kind, make sure it is MISINFORMATION, i.e. inaccurate. What is the purpose of misinformation? This is the art of pseudonymity. The goal for most, average, people is not really to be completely and absolutely anonymous, meaning entirely undetectable. Most people cannot execute such a technical project; only a few have the skills. The average Joe CAN, however, achieve pseudonymity: obfuscating, confusing and minimizing the threat from a would-be attacker in such a way that if something is compromised, it has little effect on you personally. You want to ensure that if one platform gets hacked, say your Best Buy account, the data the attacker (a government agency, a hacker group or an individual) collects is neutralized within that particular platform, provides little benefit to them, and does NOT divulge data that is linked, or could be linked, to another platform. Such links help BUILD your profile and give the attacker a foothold that compromises other platforms holding your banking, schooling or other sensitive data like legal credentials. So, for example, the password used to access your Best Buy account should be different from your banking password, and the name, birthdate and email address you gave Best Buy should not be the ones you gave your bank either. Once an attacker can make easy connections between accounts, you become a prime target, because you have made yourself low-hanging fruit for attackers to pick. By strengthening your opsec (operational security), you make it that much harder for an attacker to acquire data about you that could be used to exploit your sensitive data.

Now, without further ado

Password Methodologies

  1. NON-universal passwords. Most people fall victim to two password failures: A. they create extremely easy passwords, for example "Password1"; B. they reuse those same passwords across most of the platforms they log in to. As for easy passwords, most of them are already embedded in the wordlists of the cracking tools we carry on our hacking machines. A hacker stealing a platform's password database obtains a mountain of valuable data which he then sells on the dark web; other hackers buy the leak for a price and use it to build scripts aimed at specific targets. That is, in practice, how most account-level compromises happen. The hacker who performs the breach may never exploit the data himself; it may be weeks or even months before another group, having bought the original dump, exploits it. Let's add some real-life imagery. A hacker or a hacking group could steal the credentials of millions of users of a platform like Zoom. That is possible because Zoom, like most entities, is a centralized body, making it a single rich target. Let's hypothetically say they acquired the passwords of 2 million users. Even if all 2 million users changed their Zoom password, the data is still valuable. Why? Because hackers know that most people will NOT change that same password where they reused it on more sensitive platforms such as their bank or credit accounts; replaying leaked credentials against other sites is known as credential stuffing. There is a further benefit for the hackers: the retrieved data reveals the psychology of how those users build passwords. They could determine that, say, 60% of users worked a sports team into their password, write rules for that pattern and deploy them in their cracking tools.

It is always a breach of your own security to use the same password to log in to your bank account, your email and your social apps.

Use a password manager, preferably an open-source one such as KeePassXC. The point is that you want to make hacking you so difficult that the time and energy required becomes a DISINCENTIVE for the attacker and he moves on to the next target. Most of all, misinformation is your greatest ally. You ALWAYS DIVULGE FALSE data about yourself. No platform should hold personally identifying data about you, and IF you do choose, or are forced, to enter data, use false data: each platform should get a different name, a different birthdate and a different location. You want to mislead Google as much as possible if you don't have the fortitude to de-Google yourself, de-Apple yourself from Apple or de-Amazon yourself from Amazon. I'm a big fan of maintaining various alter egos. If you must have an account under your real identity, for example a Facebook account that your job requires, simply avoid linking with friends not related to work, and don't post or like anything beyond what suits that environment; keep political, ideological and religious narratives off that account. It is better to create an alter ego account, unconnected to you, and post your more sensitive content there, from a completely different device and a different IP address. Yeah, I know, most people read these steps and melt at the sheer complexity of it all: "why go through all that?". Ultimately, how you value yourself and your own security determines your fortitude in this regard. Most people have little to none, and many only develop it after a near life-threatening security incident makes them realize the importance of having their own threat model. Unfortunately, they realize it after the harm has already been done.

  2. Complexity and length. Add complexity by mixing in additional character classes: letters help, but don't limit yourself to letters; use digits and symbols like !@#$%^&*(<>?. Length matters even more: every additional character multiplies the number of guesses an attacker must make by the size of your character set, so a long password from a modest character set beats a short one stuffed with symbols.

  3. Avoid personal favorites. Using your favorite sports team, color, etc. is risky because experienced hackers can simply use social engineering or open-source intelligence gathering on your social media to harvest your likes and favorites and embed those specific terms in the rules they feed their cracking tools.

  4. Avoid words found in dictionaries. Here misspelling is a plus. Even inexperienced hackers (script kiddies) can run tools that perform what is known as a dictionary attack: every word in a wordlist is tried as a candidate. To offset this, invent your own word that no one on earth has heard of, or, if you use a recognized word, deliberately misspell it and substitute other characters for certain letters (many sites reject non-ASCII characters, so check before relying on Unicode substitutions). Beyond that, don't use a single word; compound it with other, unrelated words and numbers. One caveat: the common substitutions (a to @, e to 3, o to 0, a trailing "1" or "123") are built into the rule sets of cracking tools, so a single dictionary word with those swaps is still within easy reach. These steps defeat a plain dictionary attack; it is the length and the number of unrelated words that put you beyond the rule-based variants as well.

  5. Don't use people attached to you: names of children, friends, work-related terms, etc. Open-source intelligence is used to find the people linked to you, and it is well known that parents use their children's names. STOP this. Or, if you do, add other characters to raise the entropy, so that cracking tools have a much harder time even if they guessed or found your children's names.

  6. Use a password manager like KeePassXC, which can generate passwords to your liking and tell you how much entropy a password has. The higher the entropy, the longer a cracker must work. A minimum of around 60 bits of entropy is suitable; I personally prefer at least 90 bits, since even at a trillion guesses per second an exhaustive search of 2^90 possibilities takes tens of millions of years, so even an adversary with the combined computing might of something like the NSA would need centuries, if not millennia, to crack it. Even if it takes centuries, the point is to make yourself an "unworthy" target so the attacker loses motivation and moves on to lower-hanging fruit. Note that the entropy figure is exact only for passwords the manager generated randomly; for a password you composed yourself it is an estimate, and an attacker's knowledge of you (items 3 to 5) can make the real difficulty far lower. If you need to share a password with other parties, use Bitwarden, or create a separate database in KeePass and send them the .kdbx file, or put it on storage you trust, such as a self-hosted Nextcloud instance, if you absolutely need a continually updated cloud backup.

  7. Decentralizing device usage. For those wishing to strengthen their opsec further, I'm a huge fan of compartmentalizing devices by function. It may be best to have one device dedicated to your actual identity and to assume it is compromised. That device handles only banking and your most private data. DO NOT connect any social media to it, except perhaps your real identity, on which you post nothing but politically and socially neutral content, if anything at all. I would even add: do NOT leave this device permanently online; keep it offline and go online only when you need to. There are many attack vectors groups can use, such as cross-device tracking and device fingerprinting, that work to your detriment. Best of all is to post or like nothing at all and to keep the profile blank, photo included. For the limited set of apps on that assumed-compromised device, whether it is a Google Android or an Apple iPhone, follow the basic methods above. On that device, never connect your real identity to your alter ego profiles; use other devices for the alter egos. Compartmentalizing your devices is the hardware version of using a different password for each platform: if one device is compromised, only a portion of your online world goes with it, rather than most or all of your online identity.
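As an added example (not code from the original post, and not KeePassXC's own code), here is a Python script that puts the dictionary-attack and entropy points above to work. A small constructed wordlist with a few mangling rules stands in for an attacker's dictionary attack and shows that "P@ssw0rd1" is still inside the attacker's search space, while a generator draws passwords and passphrases from the operating system's CSPRNG and computes their entropy and worst-case exhaustion time at an assumed guess rate. The wordlist, the 16-word Diceware stand-in, the rule set and the guess rate of 10^12 per second are all constructed assumptions, not measurements of any real tool.

```python
"""Added example (not from the original post and not KeePassXC code):
what a rule-based wordlist attack reaches versus how much search space a
randomly generated password or passphrase really has."""
import math
import secrets
import string
from itertools import product

# Constructed stand-in for a leaked-password / dictionary file.
WORDLIST = ["password", "summer", "dragon", "yankees", "letmein"]

# Constructed stand-in for a Diceware list; a real one has 7776 words.
SMALL_DICEWARE = ["acorn", "brisk", "cobalt", "dune", "ember", "fjord",
                  "gravel", "hazel", "ingot", "jumbo", "kelp", "lunar",
                  "mango", "nomad", "orbit", "pixel"]

# Character set used by generate_password(): 52 + 10 + 8 = 70 symbols.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

# Substitutions that cracking tools apply as rules (assumed rule set);
# a human who writes P@ssw0rd has not escaped this space.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ("", "1", "123", "!", "1!", "2024")


def mangle(word):
    """Yield the variants a simple rule set derives from one word."""
    for base in (word.lower(), word.capitalize(), word.upper()):
        # indices of letters that have a leet form, then every subset of them
        spots = [i for i, c in enumerate(base) if c.lower() in LEET]
        for mask in product((0, 1), repeat=len(spots)):
            chars = list(base)
            for bit, i in zip(mask, spots):
                if bit:
                    chars[i] = LEET[chars[i].lower()]
            variant = "".join(chars)
            for suffix in SUFFIXES:
                yield variant + suffix


def wordlist_hit(candidate, words=WORDLIST):
    """True if the rule-based attack over `words` reaches `candidate`."""
    return any(candidate == v for w in words for v in mangle(w))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random choice: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst case: time to try every one of 2**bits candidates."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def generate_password(length=16, alphabet=ALPHABET):
    """Random password from the OS CSPRNG (secrets, never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=6, wordlist=SMALL_DICEWARE):
    """Random passphrase; entropy is words * log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for guess in ("P@ssw0rd1", "YANKEES2024", "Dragon!", "tulip sweater zinc"):
        print(f"{guess!r:22} reached by rules: {wordlist_hit(guess)}")
    pw = generate_password()
    bits = entropy_bits(16, len(ALPHABET))
    rate = 1e12  # assumed attacker speed, guesses per second
    print(f"{pw}  {bits:.1f} bits, {years_to_exhaust(bits, rate):.2e} years at {rate:.0e}/s")
    print(f"60 bits at the same rate: {years_to_exhaust(60, rate):.3f} years")
    print(generate_passphrase(),
          f" {entropy_bits(6, len(SMALL_DICEWARE)):.1f} bits (16-word list)")
    print(f"6 words from a real 7776-word list: {entropy_bits(6, 7776):.1f} bits")
```

Run it directly to see the comparison. The 60-bit line is the reason 60 bits is a floor rather than a target: at the assumed trillion guesses per second the whole space is exhausted in well under a year, which is only acceptable where the attacker is throttled by an online login, not where a leaked hash can be attacked offline. The passphrase lines show that the word count alone says nothing; the size of the list the words are drawn from is what sets the entropy.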

The above can be considered simply best practices for safety and basic security that require no advanced understanding; virtually anyone can implement them immediately. To reiterate a point I made earlier, this is NOT a call for anonymity, as people often assume when they respond with the typical naive clichés. The point is pseudonymity: taking simple security measures into your own hands and keeping a large number of state actors out of the picture. Granted, if you have ten three-letter agencies looking for you as a direct, live target, these steps won't be enough and additional measures would be required, but most people don't need them. Most people are not Snowden and do not hold Snowden-like data that would make them direct targets of the state. Most people simply fall within the massive data-harvesting net that governments want on file so that, if they pick a target, they have every means at their disposal. The steps above are there to confuse your enemy and to ensure that, in the event you are harmed, the harm is smaller rather than greater.

#opsec #password #privacy #pseudonymity #security