You can’t live today without online accounts and passwords. If you are online at all, you probably have at least 10 of them to remember: Facebook, LinkedIn, email, Twitter, Snapchat, bank, credit card, Evernote, Dropbox, Messenger, network access, and I’m just getting started. Nearly every app you download for your mobile device wants you to create an account.
Many of these sites and apps have security features built in to help us stay safe, but staying secure still falls mostly on our shoulders. We often try to make it easy by using the same multi-purpose password everywhere. This has always been taboo but is now downright dangerous. It is quite common for a hacker who obtains a stolen list of passwords to try them on other sites. For instance, the LinkedIn password theft a few years ago doesn’t seem that detrimental, particularly for a free LinkedIn user who signed up for an account but does not really use it. The problem is that hackers used that password list to try to break into accounts on other systems. If you were part of the breached LinkedIn password list and you used the same credentials for Amazon, the hacker, or several hackers, likely tried that combination on your Amazon account, which unfortunately means access to any stored credit cards as well.
How do we stay secure in this password-crazy environment? We all know the basics by now. Always use at least 8 characters, including numbers and symbols. Don’t use names, birthdays, pet names, or really anything that makes sense to anyone other than maybe yourself in a very cryptic way. And, very importantly, don’t use the same credentials for multiple sites or apps.
Taking a few more simple steps with your credentials can really up your security game:
1. Turn on 2FA – 2FA stands for Two-Factor Authentication. We all use it for banking and financial sites. Many other sites will allow you to optionally turn it on. For instance, your Gmail account, which may not seem critical depending on how you use it, has a spot in settings to turn it on. It texts you a code, and each time you sign in, you have to use your password and a code. The thing is, your Gmail may actually be important. It may even hold emailed credit card statements, bank statements and other items. Other programs like LogMeIn, Amazon, and even Facebook have options to turn on 2FA.
2. Change your password – It is rare for ecommerce shopping sites, social sites and even many financial sites to make you change your password. It is possible you have had the exact same password for years on many of these sites. It is a good idea to change these periodically even though it is not required. Many past password breaches have circulated in the wild for months or even years before being taken advantage of. Implementing a process where you change your password by choice on these sites every three to six months will help keep you secure.
3. Don’t store passwords on your computer – When your browser asks whether you would like to store your password for this site, your gut reaction should always be NO. When you store them, they are accessible to the browser when needed, and even though this is more secure than in the past, they are still available to a browser hack or to a hacker who gains remote control of your system through a Trojan or other malicious code.
4. Never email passwords – In today’s hack-prone world, it is downright dangerous to email passwords. Even when you are emailing them to someone you know and trust, the concern is not them; it is where that email flows on its way to them. Some of today’s email is encrypted, but much of it is open text. If a virus has infected the recipient’s email, your password is exposed. Email hacking is not an occasional occurrence. It happens all of the time. We recently spent time investigating and remediating just this type of problem for a firm whose email was hacked. Information about their private real estate transactions was being sent to a hacking network that was contacting parties to the transaction and masquerading as them.
5. Use a password vault program or app – People often ask me if these are safe. My answer is always that they are safer than the alternative. If you don’t have a method for tracking and securing passwords, you tend not to make them complex and secure. With a password vault, you always have a record of your passwords. Most password vault software companies encrypt your credentials so that even they cannot read them. I use Keeper by Keeper Security.
6. Use this trick to create a password – Quite a long time ago someone recommended a trick for generating passwords, and I think it is quite effective. They suggested picking a phrase and using the first or last letters of its words to help in creating a password. For instance, we could use a motivational quote to generate a password. “Do what is right not what is easy” becomes Dwirnwie. Now, to make it meet complexity standards, we make a few changes: Dw1rnw1e. We now have a cryptic password that I can still remember by repeating a simple quote in my head.
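The trick from tip 6, carried through as an added example that is not from the original post: it keeps the first (or last) letter of each word, applies a substitution table (only i → 1 here, as the article does), and checks the result against the baseline rule stated earlier (at least 8 characters including a number and a symbol). All function names are this example’s own.

```python
import re

# Added illustration of the phrase-to-password trick from tip 6; the names
# below are this example's own, not from the article or any library.

# One word = letters, optionally joined by a single apostrophe ("Don't").
WORD = re.compile(r"[A-Za-z]+(?:'[A-Za-z]+)?")


def acronym(phrase: str, mode: str = "first") -> str:
    """Keep one letter per word: the first (default) or the last."""
    words = WORD.findall(phrase)
    if mode == "first":
        return "".join(w[0] for w in words)
    if mode == "last":
        return "".join(w[-1] for w in words)
    raise ValueError("mode must be 'first' or 'last'")


def substitute(text: str, table: dict) -> str:
    """Swap characters listed in table (e.g. i -> 1); others pass through."""
    return "".join(table.get(ch, ch) for ch in text)


def phrase_password(phrase: str, mode: str = "first", table=None) -> str:
    """Full trick: acronym of the phrase, then character substitutions."""
    if table is None:
        table = {"i": "1"}  # the only swap the article's example makes
    return substitute(acronym(phrase, mode), table)


def meets_policy(pw: str, min_len: int = 8,
                 need_digit: bool = True, need_symbol: bool = True) -> bool:
    """The article's baseline: 8+ characters including a number and a symbol."""
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    return (len(pw) >= min_len
            and (has_digit or not need_digit)
            and (has_symbol or not need_symbol))


if __name__ == "__main__":
    quote = "Do what is right not what is easy"  # the article's sample phrase
    pw = phrase_password(quote)
    print(acronym(quote), "->", pw, "| policy ok:", meets_policy(pw))
```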
Most information breaches start with discovery of a login and password. With a few simple changes, you can greatly decrease your likelihood of being hacked. Security requires vigilance on all of our parts, so let’s take it up a notch!