Categories
Security Advice

What Is A VPN? Do I Actually Need A VPN?

VPN stands for “Virtual Private Network”. It’s a service that encrypts the data you send over the Internet and changes your IP address to make it look like you’re located somewhere else. This is useful because having your data encrypted makes it impossible for hackers to see what you’re doing online. However, nowadays almost all your Internet traffic is already encrypted!

Modern web browsers use something called HTTPS to encrypt your browsing data. This secures your online traffic even on public Wi-Fi networks such as those in an airport or coffee shop. Yes, despite what VPN companies tell you, you probably don’t need a VPN to securely browse the Internet.

When should I use a VPN?

While it’s true that most sites already use encrypted communication channels, a VPN can still be a useful tool.

These are the 2 main circumstances where a VPN is useful:

  1. You want to change your IP address to look like you’re from somewhere else. This is useful if you want to bypass country-specific restrictions on sites like Netflix or YouTube, or if your real IP address has been blocked.
  2. A website you frequent does NOT use HTTPS to encrypt your data. This is uncommon nowadays, but sometimes websites are not equipped to use HTTPS, meaning that the data you send to them is not encrypted. How can you tell if a site is securely using HTTPS? Look for the lock icon in your browser next to the website name:
    Screenshot of the lock icon that indicates you're securely browsing using HTTPS

Any website not using HTTPS is either old or malicious and should be avoided if possible.

A third use for VPNs is to enable employees to access private enterprise files remotely. This uses the same technology as consumer VPNs but isn’t typically relevant to the average person.

What is HTTPS?

HTTPS is a newer, secured version of the original HTTP protocol. HTTPS stands for “HyperText Transfer Protocol Secure”, and it is the secure form of the primary protocol that allows the Internet as you know it to function. HTTPS extends HTTP by encrypting all traffic between a browser and a website. That means that any data you send to a website using HTTPS is encrypted, making it impossible for hackers to intercept and read it.

Since HTTPS is newer than HTTP, some old or sketchy websites have not been updated to support it, leaving them insecure. You’ll know this is the case when you see this in your browser:
Screenshot of the "Not Secure" message Google Chrome shows when a site isn't using HTTPS

That means the site is insecure and you should be careful typing in important information such as your social security number.

The point is, if you see a lock icon next to the website name in your browser, you can be confident that it’s safe to type in passwords or credit card numbers. Even on public Wi-Fi.

If you’re worried about your Internet security, using a password manager is almost always more important than using a VPN. If you use weak passwords or reuse the same password for everything, you are vulnerable even with a VPN. Locke Fortress is a password manager that helps you stay secure online by allowing you to store your passwords securely. You can generate and use long random passwords without ever having to remember them and protect your emails from phishing attacks.

Register for free at locke.id


The 4 Things You Need To Do If You’ve Been Hacked

Here are 4 quick things you can do to contain the damage and prevent others from getting hacked:

  1. Change your password! You also need to change the password for all other accounts where you’ve reused that password or a variation.
  2. Start the account recovery process. This is different for every website so you’ll need to do more research.
  3. Determine how you got hacked, and if your device itself is infected to avoid spreading malware.
  4. Alert anyone who might be damaged by your account being compromised. For instance, Facebook friends might be targeted by the hacker impersonating you.

(1) Change Your Passwords

The first thing you should do is try and change the password of the account that got hacked. If you can change it, you might be able to regain access before the hacker can lock you out. Try it now! If there is an option to “log out of all devices” make sure you press that too.

If you’ve reused that password or a similar variation for other accounts, make sure you change the passwords for those accounts too. None of your variations are secure; read why here! It’s preferable to generate a new password for each account using a password manager like Locke.

(2) Start the Account Recovery Process

If you weren’t able to change the password for the account in question, it’s likely hacked. The next thing to do is start the account recovery process to try and regain ownership of your account.

This process looks different for every website, so you’ll have to research how to do this on your own. However, if you want help with this, register for a Locke account and our support can provide assistance. It can often take up to a week to regain access, so once you’ve started the recovery process, continue to step 3 while you wait.

(3) Determine How You Got Hacked And If Your Device Is Infected

There are a lot of different ways you could have gotten hacked. The important thing here is to learn if your device itself is compromised since it can continue to spread malware to other devices on your network.

If you got hacked via a phishing attack it’s likely that your device itself is still secure. That doesn’t mean you’re in the clear, but it’s better than being infected with malware.

If you got hacked after downloading a questionable file, there is a chance your device is infected with a virus (malware). This is more complicated because further using the device can result in you spreading the virus to other people.

My device has a virus, what do I do?

First, disconnect the device from the Internet and turn off mobile data if it’s a smartphone. This prevents the virus from spreading or downloading more data to your device.

Next, to be completely safe, you should factory reset the device. This is much better than any virus scanning software since there is basically no way a virus can survive a factory reset. HOWEVER, this will wipe all your data off the device.

That means you might want to back up the device before resetting it. But be careful: backing up the data might carry the virus with it into the backup. If you must back up the device before wiping it, do so to an offline storage device such as a USB drive.

(4) Alert People & Report the Hack

The last thing you should do is tell everyone who could be impacted that you’ve been hacked.

For instance, if your Facebook account got hacked, the hackers often impersonate you and send malicious links to your friends to try and hack them too. If you can, let those people know your account is hacked while you’re going through the recovery process.

Once you eventually regain ownership of the account, post publicly letting people know not to open any messages sent by you.

Finally, the last LAST thing you should do is report the hack to authorities. At Locke, we use the phishing messages people receive to improve our phishing protection. You can submit them to us on our contact page. You can also report phishing emails to the FTC.

For more resources, visit our blog or identitytheft.gov.


How To Choose A Strong Password You’ll Actually Remember

Unfortunately, people nowadays think that you need to have all kinds of weird symbols and numbers in your password to make it secure. This isn’t the case! Despite the many websites that require you to have symbols and numbers, it’s often more secure to have an all lowercase password, as long as it is 16 characters or more.

This is the case for three (3) reasons:

  1. Complex passwords with numbers or symbols are harder to remember and harder to type
  2. Since they’re harder to remember, people tend to reuse them, making them more vulnerable to data breaches
  3. A password’s strength grows exponentially the longer it is

A longer, simpler password of all lowercase letters is easier to type, easier to remember, and more secure than a shorter, more complex password. Use the sentence trick to come up with super secure passwords you can actually remember.

The Sentence Trick

  1. Start by coming up with a long and memorable sentence that is personal to you. For example, I really love Paul McCartney and The Beatles!
  2. Take the first and second letter of every word and combine them to create a password. The example above would result in something like irelopamcanthbea
  3. Optionally, add a few uppercase letters or a symbol to make it even stronger. The example above could become Irelopamcanthbea!

Do not use this example, come up with a sentence of your own!

The sentence can be anything from a list of items at your desk, to your grandchildren’s names, to a favorite lyric or quote. Though I recommend that you don’t use something well known like “Mary had a little lamb whose fleece was white as snow”. That could be easily guessed by a hacker.

Example Sentences

  • Rochester’s favorite food is garbage plates could become Rocfavfooisgarpl. You can use more than just the first and second letter.
  • Locke is a security company named after John Locke could become loisaseconafjolo. Very easy to type quickly!
  • Photo of my granddaughter named Jenny on the swings could become phofmygrnajeonthsw. Take inspiration from items around you.

Practice Typing Your Password

Now that you have a good strong password, the last thing you need to do is practice typing it. Do not overlook this step! Locke is a password manager that will generate and remember passwords for you so that you only need to remember a single master password. But that means that it’s critical that you actually remember it!

By simply reciting the sentence in your head a few times as you type your password, your brain will move the sentence from short-term memory into long-term memory and you’ll never forget it. When you register for a Locke account we have you type your password 3 times before using it for this exact reason.

How Password Strength Is Calculated

A password’s strength is calculated by how many tries it would take for a hacker to guess it (often referred to as entropy). The math is pretty simple! All you need to do to calculate the strength of a password is take the number of characters in the alphabet being used, and raise it to the power equal to the number of letters in the password.

For example if your password is irelopamcanthbea, the number of characters in the alphabet is 26 since the password only has lowercase letters. The length of this example password is 16 characters.

That means the number of guesses it would take to crack that password is 26^16. That equals 43,608,743 with 22 zeroes afterwards. It would take the average hacker more than 2 million years to guess that [1]. Even using the most powerful computers available, the NSA would need about 138 years to guess it. That’s pretty secure!

This is important because when you deal with exponents, increasing the exponent is going to make the resulting number much bigger than increasing the base number would. For instance, if you include uppercase, numbers, and symbols in your password then the alphabet would contain about 72 characters. If your complex password is 10 characters long then the password entropy is 72^10. That is much smaller than 26^16!

The logic for including symbols and numbers in a password is to increase the size of the alphabet. To be clear, this will make your password stronger. HOWEVER it also makes it harder to remember, harder to type, and encourages you to reuse it across websites. Never a good idea!

It’s more important to have a long password that you can remember and type efficiently.
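As an added example (not the article's code), here is the sentence trick and the strength calculation from this post carried out in Python. The alphabet sizes are the article's (26 lowercase letters; about 72 once uppercase, digits and roughly ten symbols are added), the guessing rate is a constructed figure, and the search space counts every string of that alphabet and length as equally likely, which is the assumption the article's numbers rest on.

```python
import math
import string

# Alphabet sizes behind the article's figures: 26 lowercase letters, and about
# 72 once uppercase (26), digits (10) and roughly ten common symbols are added.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 10}
SECONDS_PER_YEAR = 365 * 24 * 3600


def sentence_to_password(sentence: str, letters_per_word: int = 2) -> str:
    """The sentence trick applied mechanically: the first N letters of every
    word, lowercased, with punctuation dropped."""
    words = (w.strip(string.punctuation) for w in sentence.split())
    return "".join(w[:letters_per_word].lower() for w in words if w)


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must search: the character classes the password uses."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def search_space(password: str) -> int:
    """Candidates in an exhaustive search: alphabet ** length. Every string of
    that alphabet and length counts as equally likely, so a password built from
    a well-known phrase is weaker than this figure suggests."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """The same quantity on a log scale: each extra bit doubles the search."""
    return len(password) * math.log2(alphabet_size(password))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Years to try every candidate at a constructed guessing rate."""
    return search_space(password) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    long_simple = "irelopamcanthbea"   # the article's 16 lowercase letters
    short_complex = "Ab3$efghij"       # constructed: 10 chars from all four classes
    for pw in (long_simple, short_complex):
        print(f"{pw}: alphabet {alphabet_size(pw)}, {search_space(pw):.3e} guesses,"
              f" {entropy_bits(pw):.1f} bits, {years_to_exhaust(pw, 1e9):.3g} years at 1e9/s")
```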

Conclusion

A longer password is usually more secure than a shorter password, even if the shorter password has weird symbols and numbers and the longer one doesn’t. Focus on length, not complexity.

Make a strong and memorable password by combining the first few letters of each word in a memorable sentence. Then recite the sentence in your head as you type the password and you will never forget it.

Another great alternative to the sentence trick is to create a passphrase by combining entire words using diceware.


[1]: HelmedHorror on Reddit with a beautiful and accurate chart


What Is Phishing? Am I At Risk of a Phishing Attack?

Phishing is an attack used by hackers where they try to gain access to your account by tricking you into clicking on a malicious link sent in an email, text message, or social media message. Phishing messages are designed to look important and legitimate to convince you to click on them. They’re often phony password reset emails, appearing as if they’re from online services you use frequently such as Facebook or your bank. Click here for some examples of phishing attacks.

Once you click on a malicious link or email attachment, the attacker has already won since they can steal your current login session and use it for themselves. Oftentimes a phishing link opens to a form where they ask you to type in your password. If you do so, you give the attacker direct access to your account.

How Do I Avoid Phishing Attacks?

The best way to avoid being phished is to educate yourself on what a phishing attack looks like. Here are four (4) simple tips you can use to help protect yourself from being phished:

(1) When opening an email, ask yourself why you got it in the first place.

Did you ask Facebook for a password reset? If not, it’s likely a phishing attack. Did you change credit cards and need to update a payment method on Amazon? If not, then it’s likely a phishing attack. If an email doesn’t match up to your recent online activity, alarms should go off and you should investigate further.

(2) Make sure the information in the email makes sense.

Start by checking who sent it. Make sure that the domain that sent it is spelled correctly. A common trick that hackers use is to register a domain that looks similar to a popular service, but spelled slightly differently. For example, googl.co rather than google.com.

Attackers will often try to get you to click on links by adding a fake sense of urgency to their emails. Saying things such as “if you don’t respond in 24 hours your account will be locked”. Legitimate services rarely do this. If you’re unsure if this is real, go directly to the relevant website and see if the website itself has the same information. If it does, it’s real.

(3) Hover over links to see where they go before you click on them.

Hovering over a link shows where it goes before you click on it. Just like with (2), hackers will often send links that look real but are slight variations of popular websites. For instance, instead of bankofamerica.com, they could use the domain bankofameri.ca. Notice how instead of a “.com” it uses a “.ca”? That is an indicator that it’s a phishing link.

Another indicator that a link could be a phishing attack is if it doesn’t have an “s” in the https:// part of the URL. The “s” indicates that the site is secure and uses TLS to encrypt all data between you and the website. If it just has http:// without the “s”, the site is insecure and should be avoided.
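As an added example (not the article's code), the domain and HTTPS checks from tips (2) and (3) written as a small Python link checker. The trusted-domain list, the edit-distance threshold and the sample links are constructed for the example; the two look-alike domains are the article's own.

```python
from urllib.parse import urlparse

# Constructed allow-list: the services this user actually has accounts with.
TRUSTED_DOMAINS = {"google.com", "facebook.com", "bankofamerica.com"}

# How many single-character edits away from a trusted name still counts as a
# look-alike. 2 catches googl.co and bankofameri.ca without flagging everything.
MAX_EDITS = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions of single
    characters needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname (accounts.google.com -> google.com). Good
    enough here; production code should consult the Public Suffix List."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str) -> list[str]:
    """Warnings for a link the user is about to click. An empty list means the
    link is HTTPS and its domain is trusted or at least not a near-miss of a
    trusted one; a legitimate but unfamiliar site can still be flagged."""
    warnings = []
    parts = urlparse(url)
    if parts.scheme != "https":
        warnings.append(f"not HTTPS (scheme is {parts.scheme or 'missing'})")
    domain = registrable_domain(parts.hostname or "")
    if domain in TRUSTED_DOMAINS:
        return warnings
    name = domain.split(".")[0]  # "googl" from "googl.co", "bankofameri" from "bankofameri.ca"
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(name, trusted.split(".")[0]) <= MAX_EDITS:
            warnings.append(f"{domain} looks like {trusted} but is not the same domain")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, including the two look-alikes from the article.
    for link in ("https://accounts.google.com/reset", "https://googl.co/reset",
                 "http://bankofameri.ca/login", "https://www.facebook.com/"):
        print(link, "->", check_link(link) or ["ok"])
```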

(4) Use a phishing filter.

Locke Fortress is a phishing filter that prevents you from receiving emails from unfamiliar accounts. This greatly reduces the ability for hackers to send you a phishing email. Register for free now to cut down on phishing emails and improve your online security.

How Common are Phishing Attacks?

Phishing is a simple social engineering attack that doesn’t require a hacker to have any technical knowledge. As a result of its simplicity, phishing is the most common form of cyber attack and the number 1 reason why people get hacked [1]. If you give a hacker your password willingly, they don’t need to do any of the hard work of breaking complicated software systems.

Even the most secure systems in the world are at risk of being compromised by a phishing attack. In order to stay secure online, it’s up to you to not click any potentially malicious links.

What Do I Do If I’ve Been Phished?

If you think you’ve been phished, you need to immediately change your password for the account that was targeted.

If you cannot change your password, that means the phishing attack was successful. You now need to change your password for all other accounts where you’ve reused that password. You also need to go to the account’s website to start the process of recovering your stolen account. Locke can also help you with this; register an account to get our support hotline.

If you are able to change your password, either the phishing attack was unsuccessful or the email wasn’t an attack at all. You should investigate further to be sure, but you’re probably safe.

If you have been phished, we’ll compensate you to see the email or text that did it so that we can improve our phishing filter. Please contact us if you’ve been phished.

Conclusion

To summarize: phishing is an attack that hackers use to try and steal your passwords. They perform this attack by sending you an email, text message, or social media message that looks like it’s from a business such as Facebook or Bank of America.

That email has a link inside of it that the hacker wants you to click. If you click on the link, the hacker can immediately steal your login session for that account and take ownership of your account.

The best way to avoid being hacked is to be careful of what links you click on from emails, text messages, or social media messages.


[1]: ID Theft Center, Q1 2022 Data Breach Analysis