Personal Security Issues and Best Practices in the Digital Age
Published Wednesday, October 01, 2025 at 05:00:00 PM EDT
Authors
- Ben Carpenter - Introduction, Password Security, Password Generator, and Conclusion
- Wentao Yu - Phishing and Phishing Detection Challenge
- Zihan Li - Data Security and Data Breach Cascade Simulation
Introduction
Password security is essential in modern society. Of the growing number of data leaks
each year, many are simply due to weak passwords. Google reported that a staggering 47.2% of
the breaches recorded by its Cloud Security division in the first half of 2024 resulted
from weak or missing passwords.[1]
This is a serious concern, as any one of these breached databases can contain sensitive
information about you. In this article we will explore three main points:
- Password Security and how you can make better passwords and store them safely
- How Hackers can use deception to get your information and passwords
- How even secure passwords can sometimes be breached and ways to monitor for that
Password Security
First, let's look at password security. Conventional wisdom suggests that a secure
password should be at least 8 characters long and include at least 3 of the following:
- Lowercase Letter
- Uppercase Letter
- Number
- Special Character/Symbol
While this is true, there are other factors to consider. This practice, alone, can
actually lead to the creation of passwords that are easier to guess. For example, passwords
like “password1234!”, or “[Dog's Name]1!”, fit these criteria, but are much less secure as
we increasingly live our lives online. That social media post 5 years ago about your new
puppy all of a sudden gives a hacker the name of a pet that you might use in your passwords.
So, you can just use a random password generator, right? While these tools are very
useful, they also have their drawbacks. One drawback is that these “random” passwords
almost certainly are not completely random. Computers are systematic by their very
nature; for this reason, they cannot be completely random, only pseudorandom. This means
that, while their output appears random, it was produced by a programmatic approach, and as
such can be replicated by a similar system.[2] Cloudflare, a major web hosting and DNS provider,
has found a way to improve its generation of random security keys for its customers. By
using a wall of lava lamps, they can produce a set of random data to use in their
generation process. This, in turn, makes their security keys more secure.[3]
Since most people do not have a wall of lava lamps or the tools to turn it into a random
password, what can a normal person do to create a secure password? One solution is to
use a passphrase, a collection of words that don't typically go together. Taking that
phrase, you can then substitute out some of the letters with symbols and numbers. xkcd, a comic by Randall Munroe,
illustrates this idea.

You can see what this would look like by using the Password Generator. We created it to
use a collection of words (using pseudorandom selection), then substituting letters with
symbols, numbers, capital letters, and sometimes even similar looking lowercase letters
to create a more secure password. While this is still not the most secure option, it is
more secure than a randomly generated 8-character password from most generators.
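The approach described above (pick words, then substitute and capitalise letters) can be written as follows. This is an added example in Python, not the code behind the article's Password Generator; the word list and the substitution table are constructed for illustration, and word selection uses the operating system's random source through `secrets` rather than the `random` module.

```python
import math
import secrets

# Constructed sample word list. A real generator needs thousands of words
# (for example a 7,776-word diceware-style list) for the phrase to be strong.
WORDS = ["anchor", "biscuit", "cobalt", "dolphin", "ember", "falcon", "glacier",
         "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
         "orbit", "pebble"]

# Assumed look-alike substitutions, in the spirit of the generator described above.
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "!", "o": "0", "s": "$"}
REVERSE = {v: k for k, v in SUBSTITUTIONS.items()}


def make_passphrase(n_words=4, sep="-"):
    """Pick words with the OS CSPRNG, then randomly substitute or capitalise letters."""
    out = []
    for _ in range(n_words):
        word = secrets.choice(WORDS)      # secrets, not random: not reproducible from a seed
        chars = []
        for ch in word:
            roll = secrets.randbelow(4)   # 0: substitute, 1: capitalise, 2-3: keep
            if roll == 0 and ch in SUBSTITUTIONS:
                chars.append(SUBSTITUTIONS[ch])
            elif roll == 1:
                chars.append(ch.upper())
            else:
                chars.append(ch)
        out.append("".join(chars))
    return sep.join(out)


def base_words(passphrase, sep="-"):
    """Undo substitutions and capitals to recover the underlying words."""
    return ["".join(REVERSE.get(c, c) for c in w).lower()
            for w in passphrase.split(sep)]


def word_entropy_bits(n_words, list_size):
    """Entropy from word choice alone: n_words * log2(list_size)."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print(make_passphrase())
    print(round(word_entropy_bits(4, 7776), 1), "bits from four words of a 7,776-word list")
```
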
While this is a good first step, most people have many accounts, making it almost
impossible to remember a different secure password for each one. A secure password
manager can solve this problem. In a 2023 study, 55% of respondents without a password
manager reused their passwords, whereas only 11% of password manager users reused their
passwords.[4] Repeating passwords
on multiple sites is never a safe solution.
When looking for a password manager, there are some things to keep in mind. It should:
- Encrypt Your Passwords
- Only Decrypt them Locally (on your device)
- Use multiple layers of security (i.e. Username, Password, Encryption Key, and
two-factor/multi-factor authentication)
- Have a good reputation for disclosing data breaches if they occur
Such a manager will allow you to reduce the number of passwords you need to remember to one,
while giving you convenient access to your secure passwords. There are many good solutions
on the market. Two examples are
1Password and
Proton Pass; there are more.
Another step in securing your logins is the use of two-factor/multi-factor
authentication (2FA).[5] 2FA helps
secure your logins, but some 2FA methods are more secure than others. 2FA using your
phone number is not very secure, as there are multiple ways around this (Veritasium has a
video showcasing some of the methods used for this). A much stronger 2FA
method is one that requires no communication with the site you are trying to log into.
This method uses a security key. Security keys are basically math problems that are
stored on a device or in an app. This math problem has a variable for time, and it makes
the number change about every 30 seconds. This is more secure because the only time the
key is transmitted is upon setup, making it very difficult to intercept. When it comes
to storing that security key, there are many apps available, but you want to look for a
few things, including:
- Make sure it is not the same provider as your password manager
- Don't store your password to your authenticator in your password manager (Memorize
it)
- While a completely offline solution like Google Authenticator is more secure, if you lose your
device, you will also lose access to your accounts. For this reason, a solution that
syncs between multiple devices works better for most people.
Two examples of apps that sync securely are
Ente Auth and
Proton Authenticator.
One more thing to consider is keeping up with potential breaches of your data. You will
almost certainly have some information compromised, but you can keep up with any
breaches that occur. One site, Have I Been Pwned, will allow you to search your email to see
what breaches it has appeared in and the breached site from which it came. Developed by
a security researcher for Microsoft, it will also allow you to set up e-mail
notifications for future breaches involving your data.
Phishing
The second thing we want to look at is phishing, a fraudulent attempt to obtain sensitive
information by impersonating a trustworthy source. This is often done through electronic
communications, such as texting or emails. While many users are aware of phishing, these
attacks are growing increasingly sophisticated, making them more difficult to identify.
In a 2024 report from KnowBe4, 34.3% of users without training failed to identify
simulated malicious emails, which highlights a critical gap in cybersecurity
skills.[6]
The difficulty lies in the deceptive tactics used. Attackers rely on sleight of hand: they use
slight misspellings in domain names (e.g., "amazn0.com"), create a false sense of urgency,
and use carefully crafted links that appear legitimate at first glance.
Simply telling users to "be careful" is often not enough, as recognizing these subtle
red flags requires practice. This is why we have developed the Phishing Detection
Challenge, an interactive training tool designed to address this issue directly.
Rather than relying on passive learning, this quiz uses a hands-on approach where you are
presented with realistic scenarios. You must decide whether each email is safe or a
phishing attempt. The core of this learning method is the instant feedback provided
after each choice, explaining the specific signs of a malicious email or confirming the
characteristics of a legitimate one. This provides a safe environment to make mistakes
without real-world consequences, reinforcing the knowledge needed to identify threats.
The goal is to build practical skills and confidence, empowering you to better secure
your digital life.
Data Security
The third area we want to discuss is data security. Protecting your data from unintended
access is another essential part of protecting your digital footprint. Even with strong,
unique passwords and good phishing awareness, your accounts can still be at risk of
leaks and abuse if you do not protect your data across all your services.
Keep these things in mind when you think about data security:
- Use a unique password for every account and password manager
- Turn on two-factor/multi-factor authentication (2FA) whenever possible
- Limit the amount of personal information you share online
- Keep track of where your data is stored and watch for breach notifications
Data breaches take place regularly. Attackers often use a technique called credential
stuffing – trying a stolen password on many other sites. In this way, a reused password
can rapidly turn into a domino effect of compromised accounts. For example, a password
stolen from a shopping website may also get access to your email, social media accounts,
or even banking accounts. This is why using the same password on multiple sites is so
dangerous: Your security is only as strong as your weakest account.
To illustrate this, we created the Data Breach Cascade Simulation. By typing in a
fictional email, you can get a sense of how one leaked password might impact your
accounts on popular services like Amazon, Facebook, Twitter (X), Netflix, Instagram,
Google, Steam, and your bank. We set Amazon to be the original breach to illustrate how
attackers commonly go after high-value providers first. This illustrates the gamble of
reused passwords.
Each account can be seen as a lock on some portion of your data. When all locks have the
same key, one stolen key opens all doors to your information. By giving each of your
accounts a strong, unique password and communicating information cautiously, you improve
the strength of your internet-wide presence.
Conclusion
Data threats are a frightening reality in today’s world, but while threats to your
digital security continue to grow, you can take measures to prevent your involvement.
You can be proactive in securing your accounts and information by using the tools and
advice/activities in this article. Developing better security habits is an essential
step in securing yourself in the modern age. For convenience, the resources linked in
the article above are included below as well.
- Password Managers:
- Authentication Apps:
- Breach Monitoring:
- Other Information Provided In The Article:
References