jrswab

No-fluff tutorials and privacy-focused tools for the modern productivity-minded developer.


How To Stop Account Hijacking

Categories: [Technology]
Tags: [security], [learn]

With our lives becoming more internet dependent, the risk of having our information stolen increases. That raises the demand for security, for a different password on every site, and for knowing how to create a strong password. The two approaches that give us the most bang for our buck are to use a password manager and to use dice to generate its master passphrase. Together these let every site have its own random password, help you spot phishing (the manager only fills a login on the domain it was saved for), and make the one passphrase you do memorize impractical to guess.

What Is Phishing?

Phishing is when a malicious person sets up a site that looks exactly like the one you use every day and waits for you to type your password into it. Facebook is probably one of the most phished sites out there due to its enormous user base. These fake sites use a domain name that is very close to the original so that it looks like the correct URL at a glance.

A common trick is to swap a lower case "l" for a capital "I" (or a "0" for an "O"), and there are many more lookalike substitutions across all languages and alphabets. You may hear that all you need to do is make sure the lock icon is in your browser's address bar and you will be on the correct site.

This is only partly true. The lock means the connection is encrypted to whoever controls the domain in the address bar, and anyone, including a phisher, can get a certificate for a domain they own without much hassle. It is still an excellent first step, so never rely on the lock as a foolproof way to know you are on the correct site; use it as one of many signals, and read the full domain name before typing a password.

Using Browser Extensions To Increase Security

Before we add this barrier to protect us, I want to give a few words of caution. Since password managers like Bitwarden sync your vault through their servers, there is always a chance that the service gets compromised and a copy of your vault leaks into the ether. The vault is encrypted on your device with a key derived from your master passphrase, so what an attacker can do with that copy comes down to how guessable your master passphrase is.

Always practice safe password techniques when creating master passwords and never use the same password twice. If you are using Bitwarden, there is no reason you will have to remember more than one password anyway, and the browser extension only offers to fill a login on the domain it was saved for, so a lookalike phishing domain gets no autofill.

Create Your Master Bitwarden Passphrase

Calling it a passphrase is an important distinction. The term 'password' suggests a single word, whereas a passphrase is made of several. The longer a randomly chosen passphrase is, the better, because each extra random word or character adds entropy. Entropy is a measure of how many equally likely possibilities an attacker has to try, and it is what makes the passphrase hard to guess for both computers and people. Length only helps if the added material is random: a long line from a song or a book adds very little.

The best method to form a passphrase is to use a system that has no ties to us. A passphrase that has our school name, birth month, and the name of our first pet may be long, but these days information is bought and sold. It does not take long for someone to learn such information about us.

Use Dice & A Diceware Word List

A diceware list is a list of 7,776 words, one for every possible outcome of five six-sided dice (6^5 = 7,776), each labeled with its five-digit roll. Search online for "EFF Diceware List" and download the file. To use this list to make a strong passphrase, take five dice and roll them. Write down the five numbers in order and roll again. Do this at least six times; the example below uses seven.

Now each five-digit number we wrote down corresponds to one word on the list. What we get is a passphrase that looks something like this:

directive-pushy-awaken-barcode-unnoticed-hurling-cavalier

A string of random words that have no relation to us at all. Since it is words, it is easy for us to memorize, but due to its length, it is tough to guess. Make sure to use real dice and not an online generator: a web page's randomness is code you cannot inspect, running on a server that could log what it hands out, whereas dice on your desk keep the whole process offline where nobody can see it.
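The steps above, carried out in code, as an added example that is not part of the original post. It parses the EFF file format (one "roll, tab, word" per line) from a constructed eight-line excerpt rather than the real 7,776-word list, turns a five-digit roll into its position in the list, and joins the looked-up words into a passphrase. The offline dice helper at the end is an assumption of mine for readers with no dice to hand; it uses the operating system's random source, never a web page.

```python
"""Build a Diceware passphrase from five-dice rolls and an EFF-format list."""
import secrets

# Constructed excerpt in the EFF file format (roll<TAB>word). The real file
# has 7,776 lines; only these few are included so the example runs offline.
SAMPLE_EFF_LIST = """\
11111\tabacus
11112\tabdomen
11113\tabdominal
22222\tbarcode
33333\tcavalier
44444\tdirective
55555\thurling
66666\tzoom
"""


def validate_roll(roll):
    """A roll is exactly five digits, each between 1 and 6 (one per die)."""
    if len(roll) != 5 or any(d not in "123456" for d in roll):
        raise ValueError(f"not a five-dice roll: {roll!r}")
    return roll


def roll_to_index(roll):
    """Position of a roll in the list: five base-6 digits, '11111' -> 0,
    '66666' -> 7775. Useful if your copy of the list has no roll column."""
    index = 0
    for digit in validate_roll(roll):
        index = index * 6 + (int(digit) - 1)
    return index


def parse_eff_list(text):
    """Parse EFF-format lines into {'11111': 'abacus', ...}.

    Accepts tab- or space-separated columns and skips blank lines."""
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        roll, word = line.split(None, 1)
        words[validate_roll(roll)] = word.strip()
    return words


def passphrase_from_rolls(rolls, words, sep="-"):
    """Look up each written-down roll and join the words with sep."""
    return sep.join(words[validate_roll(r)] for r in rolls)


def roll_five_dice_offline():
    """Assumed fallback when no physical dice are available: five dice from the
    OS CSPRNG (secrets), which stays on your machine unlike a web generator."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


if __name__ == "__main__":
    words = parse_eff_list(SAMPLE_EFF_LIST)
    written_down = ["44444", "22222", "33333", "55555"]  # from real dice
    print(passphrase_from_rolls(written_down, words))
    print("offline roll:", roll_five_dice_offline())
```

With the full EFF file, `parse_eff_list(open("eff_large_wordlist.txt").read())` gives a dictionary covering every roll; rolls that are not in the excerpt above raise KeyError, which is the right behaviour for a typo in what you wrote down.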

Proof These Work

If we assume that an attacker knows we used the EFF list (7,776 words) and seven words, and can run one trillion guesses per second, how long will it take on average to guess the passphrase above? There are 7,776^7 possible phrases, and on average the attacker finds ours after trying half of them.

About 27,255,689 years!

Those are some good odds in our favor. But let's see how fast a passphrase with one less word (7,776^6 possibilities) is cracked, on average, at one trillion guesses per second.

About 3,505 years.

Even a trillion guesses per second is generous: Bitwarden stretches the master passphrase through a deliberately slow key derivation function (PBKDF2 or Argon2), so guessing against a stolen vault runs far slower than that.

See how big a difference one word makes! Now keep in mind that we cannot be expected to remember a passphrase like this for every site we use, and we do need a different password on every site. Memorizing a passphrase like this for every site is overboard, which is why we use password managers such as Bitwarden: memorize one strong passphrase, and let the manager generate and store a random password for everything else.
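The arithmetic behind those two figures, as an added example that is not from the original post. It computes the entropy of an n-word phrase drawn from the 7,776-word EFF list, the average time to find it at the assumed one trillion guesses per second (half the keyspace, 365-day years, and the attacker is assumed to know both the list and the word count), and, as an extra comparison of my own, how many random printable ASCII characters carry the same entropy.

```python
"""Entropy and average crack time for Diceware passphrases."""
import math

EFF_LIST_SIZE = 7776            # 6**5 words in the EFF large list
GUESSES_PER_SECOND = 10 ** 12   # the attacker speed assumed on the page
SECONDS_PER_YEAR = 365 * 24 * 60 * 60
PRINTABLE_ASCII = 95            # characters available to a random password


def passphrase_bits(num_words, list_size=EFF_LIST_SIZE):
    """Entropy in bits of num_words words chosen uniformly from the list."""
    return num_words * math.log2(list_size)


def average_crack_seconds(num_words, list_size=EFF_LIST_SIZE,
                          guesses_per_second=GUESSES_PER_SECOND):
    """Expected seconds to hit the phrase: the attacker knows the list and
    word count, so the keyspace is list_size**num_words and on average
    half of it is searched before the right phrase comes up."""
    keyspace = list_size ** num_words        # exact integer
    return keyspace / 2 / guesses_per_second


def average_crack_years(num_words, list_size=EFF_LIST_SIZE,
                        guesses_per_second=GUESSES_PER_SECOND):
    """Same figure in 365-day years, matching the numbers quoted above."""
    return average_crack_seconds(num_words, list_size,
                                 guesses_per_second) / SECONDS_PER_YEAR


def equivalent_random_chars(bits, charset_size=PRINTABLE_ASCII):
    """Length of a uniformly random password over charset_size symbols that
    has at least `bits` of entropy (the rounded-up comparison)."""
    return math.ceil(bits / math.log2(charset_size))


def main():
    for n in (5, 6, 7, 8):
        bits = passphrase_bits(n)
        print(f"{n} words: {bits:5.1f} bits, "
              f"~{average_crack_years(n):,.0f} years on average, "
              f"same strength as {equivalent_random_chars(bits)} random chars")


if __name__ == "__main__":
    main()
```

Every extra word multiplies the keyspace by 7,776 (about 12.9 bits), which is why dropping from seven words to six divides the crack time by 7,776 rather than by a small fraction.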


If you are an email kind of nerd you can sign up for mine here. You can always reply to any of my emails to start a conversation or ask me a question.