How to Stay Safe Online: Passwords


Ryan Moore '25
Historian 


Editor’s Note: In the spirit of full disclosure, it must be noted that the author mistakenly sent a draft of this article to the wrong listserv when submitting it for publication. Caveat emptor, dear readers.

As the Law Weekly historian, I typically write about the history of the law school, whether that is about John Kirby, Elizabeth Thompkins, or…John Kirby again. But I am in Professor Randi Flaherty’s Race and Slavery on UVA North Grounds class, and honestly I need a break from history.

Before I went to law school, but after my master’s in international relations, I worked as a private investigator. While I will not openly share stories from my past in the school newspaper, I did learn a lot about online privacy and security. Enough people have asked me for advice with basic online security that I decided to begin a Law Weekly series of articles on the basics of “how to stay safe online.” I do not know how long I will do these articles,[1] but there are certainly many topics to discuss. Today, I want to start with the foundation of all online security: passwords.


The origins of passwords

At first, passwords were simple strings of characters that websites would require of users to log into their accounts and keep malicious actors out. Password requirements were lax—any string of characters would suffice. Most people chose common, easy-to-remember words, usually the names of pets or children. Eventually, malicious actors noticed people used very basic and easy-to-guess passwords, often consisting of words found in the dictionary. Hackers would cycle through words in the dictionary (i.e., a “dictionary attack”) and hack into accounts. Believe it or not, this worked.[2]


Websites fight back

In response, websites adopted several measures to protect users against dictionary attacks. Today, websites require complex passwords using letters, numbers, and the dreaded special characters. These additional requirements make it impossible for malicious actors to conduct dictionary attacks. Websites also lock out malicious actors who attempt to log into accounts with the wrong password too many times. This prevents malicious actors from just cycling through possible passwords until one works.
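As an added illustration, not code from the article or from any particular website, the Python sketch below shows the two defenses just described from the website's side: the site stores a salted, slow hash of the password rather than the password itself, and a per-account counter locks the account once too many wrong guesses arrive in a row. The class name `AccountStore`, the five-attempt limit and the fifteen-minute lockout window are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILED_ATTEMPTS = 5       # assumption: lock after five wrong passwords in a row
LOCKOUT_SECONDS = 15 * 60     # assumption: the lock lasts fifteen minutes
PBKDF2_ROUNDS = 100_000       # work factor for the stored hash


def _hash_password(password, salt):
    """Salted, deliberately slow hash: the site stores this, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccountStore:
    """Hypothetical in-memory account table with per-user lockout bookkeeping."""

    def __init__(self):
        self._users = {}
        # A dummy salt lets unknown usernames cost the same time as real ones,
        # so the response does not reveal which accounts exist.
        self._dummy_salt = secrets.token_bytes(16)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = {
            "salt": salt,
            "hash": _hash_password(password, salt),
            "failed": 0,
            "locked_until": 0.0,
        }

    def login(self, username, password, now=None):
        """Returns 'ok', 'bad_password' or 'locked'."""
        now = time.time() if now is None else now
        user = self._users.get(username)
        if user is None:
            _hash_password(password, self._dummy_salt)  # burn the same time, then refuse
            return "bad_password"
        if now < user["locked_until"]:
            return "locked"  # refuse even a correct password while the lock is active
        candidate = _hash_password(password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):  # constant-time comparison
            user["failed"] = 0
            return "ok"
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked_until"] = now + LOCKOUT_SECONDS
            user["failed"] = 0
        return "bad_password"


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")
    # Constructed guesses: a short dictionary run stops at the lockout limit.
    for guess in ["password", "123456", "letmein", "qwerty", "alice1"]:
        print(guess, "->", store.login("alice", guess))
    print("real password ->", store.login("alice", "correct horse battery staple"))
```

One caveat a site operator weighs: a hard lockout lets anyone who knows your username lock you out of your own account by guessing wrong on purpose, which is why many real sites slow down repeated attempts instead of refusing outright.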


Forgot password?

Unfortunately, the complexity of passwords has opened another attack vector for malicious actors. Passwords became complicated and very difficult to remember. Passwords began to require so many special characters and numbers that most people created one password, memorized it, and used it (or a close variation) on every account. This is the most egregious password sin of all.

To understand why, think of each password as a key. You want the key to your house to be different from your gate key, the key to your shed, and your car key. If someone steals your shed key, they cannot also rob your house and steal your car. Reusing your password is the equivalent of using the same key for everything you own.

If malicious actors can access just one of your “recycled” passwords, they now have access to any other accounts that use that password. All they need to do is see if it has been used on other websites. Hackers share these cracked passwords with other hackers, or post them on the dark web, where I would find them for my clients. There are countless websites that contain folders filled with cracked passwords. Pastebin,[3] a text editing and storage website, is often used by hackers to share breached credentials. No matter how strong a password is, it is completely useless if everyone knows it.

Best practices

Fortunately, there are steps everyone can take to protect themselves online. Most importantly, I suggest using a password manager. A password manager encrypts all your passwords and stores them securely. Instead of remembering multiple passwords, or reusing variations of a single base password, you only need to remember one password—the one you use to log into the password manager. Personally, I use Bitwarden.[4] Bitwarden can generate unique and randomized passwords up to 99 characters long. It will also automatically pre-fill your password into websites, so you do not have to manually type in a 26-character password. Every one of my passwords is randomly generated and stored in a password manager.

In addition to using a password manager, there are three other ways to protect yourself and your passwords. First, make your passwords long and complex. The longer and more complex your password is, the harder it is to guess/crack. Second, do NOT reuse passwords. I cannot stress this enough. Third, changing your passwords regularly, and especially if you are the victim of a data breach, prevents hackers from using your breached password. Some websites, like Have I Been Pwned,[5] allow users to see if their emails and passwords are present in any data breaches.
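To make the advice above concrete, here is an added Python example (not from the article, and not Bitwarden's or Have I Been Pwned's own code) showing what a password manager's generator does and how a breach check can be run without the password ever leaving your machine. The generator draws every character from the operating system's random source and reports the resulting guessing entropy. The breach check hashes the password with SHA-1 and sends only the first five hex characters of that hash to a lookup, which is the same "k-anonymity" shape the Pwned Passwords range API uses; here the lookup is answered by a small constructed list of leaked passwords so the example runs offline.

```python
import hashlib
import math
import secrets
import string

# 94 printable ASCII characters: upper, lower, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=26):
    """Draw each character from the OS CSPRNG, the way a manager's generator does."""
    if length < 4:
        raise ValueError("too short to hold one character of each class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection-sample until all four classes appear, so the result satisfies
        # typical site rules without biasing any individual position.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


# Constructed stand-in for a breach corpus: upper-case SHA-1 hashes of a few
# passwords that appear in practically every leak. Only hashes are kept.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ["password", "123456", "letmein", "qwerty"]
}


def range_lookup(prefix):
    """Simulated k-anonymity range query: every breached hash suffix whose hash
    starts with the given 5-hex-character prefix. The real Have I Been Pwned
    service answers GET https://api.pwnedpasswords.com/range/<prefix> in the
    same spirit, returning suffixes with occurrence counts."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password, lookup=range_lookup):
    """True if the password's full SHA-1 hash is in the breach set.
    Only the 5-character prefix is handed to the lookup; the rest stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in lookup(prefix)


if __name__ == "__main__":
    pw = generate_password(26)
    print("generated:", pw)
    print("entropy: %.1f bits" % entropy_bits(26))
    for candidate in ["password", "correct horse battery staple", pw]:
        print(repr(candidate), "breached?", is_breached(candidate))
```

The entropy figure is the point of the first tip: a 26-character password drawn uniformly from 94 symbols has about 170 bits of guessing entropy, far beyond what any dictionary or brute-force run can cover, whereas a dictionary word reused across sites has effectively none once it shows up in one leak.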

And finally, I am always more than happy to answer any questions. You can catch me in the Virginia Tax Review office stealing more than my fair share of coffee, or at ScoCo playing RetroBowl College on my iPad.


---
tqy7zz@virginia.edu


[1] Probably until I get bored and find another John Kirby article to write.

[2] A lot.

[3] https://pastebin.com/.

[4] https://bitwarden.com/.

[5] https://haveibeenpwned.com/.