We all know the Ben Franklin quote about two certainties in life being death and taxes. It’s time to add a third: passwords.
We can’t avoid passwords. The problem is, when using them, most of us can’t seem to avoid taking shortcuts either. Hackers count on it, which is why weak or unprotected passwords are still the #1 reason for most major data breaches. I’ve blogged about the reasons here.
No National Cyber Security Awareness Month should go by without pointing out methods to improve password security. I recommend you take the following simple steps sooner rather than later:
1) Never re-use a password across sites.
If you use the same password for service A and service B, and service A is hacked, service B becomes just as vulnerable. Like in the famous insurance commercial - it’s so simple, a caveman can understand it.
There are numerous ways to create strong passwords and to vary them by site. Some are listed below, others you can find on Google.
It doesn’t matter much what tool you end up using - just make sure you do it, or else you become easy prey for data thieves.
2) Change every default password on all your devices.
Any device with a password is worth protecting. Recent large-scale “Distributed Denial of Service” (DDoS) attacks have been traced to hacked home routers, DVRs, webcams, and other IoT devices.
Why? Because those devices are computers and once hackers get ahold of them, they can be used for nefarious purposes.
Those exploited devices are connected to the internet, and with the default password left unchanged, criminals can - and will - use them as an open door to your home or office network. Find out more here: http://www.pcworld.com/article/3127257/security/iot-botnet-highlights-the-dangers-of-default-passwords.html
3) Turn on 2-factor authentication for everything.
2-factor authentication (2FA) is built around the concept of multiple tokens being used to validate identity. At a traffic stop, you’ll be asked to say your name, then to show your driver’s license, because cops won’t just take your word for it when you give your name. So why should your e-commerce provider?
The good news is that more and more sites offer 2-factor authentication to increase security. They send a one-time code via text message, or you generate one in an authenticator app on your phone.
Experts may debate the finer points of delivering a 2-factor token over an IP network like the open internet. Don’t listen to them. 2-factor puts a speed bump in front of anyone else trying to access your accounts.
4) Use this fun and easy way to make unique passwords for every site.
Internationally renowned security technologist Bruce Schneier advocates deriving passwords from a memorable sentence. This allows you to create a unique and difficult-to-guess password for each website. Read this paragraph from one of our related blog posts for more tips.
You don’t need to become an expert to come up with complex, yet convenient passwords that are easy to remember. Use mnemonics to craft passwords that are easy to remember but hard to guess. For example, pick a memorable sentence, create an acronym by combining the words’ first letters, then swap in some numbers: "Soup is good food" becomes "Si25gF". Now add a variable for the respective site, like the last letter of the domain (before the .com).
For Twitter, that would result in "Si25gFr". You'll want at least eight (8) characters, and you'll want upper and lower case values plus numbers, but you get the idea. If you prefer to generate random passwords, here are a few powerful free online tools.
5) Dig up your old accounts and change them.
Now that you’re in “password updating mode,” think about all those sites that you have accounts with. Social sites that you no longer use, discussion forum sites, online horoscopes, whatever. These sites and your old accounts that time forgot may be softer targets for attackers.
Your data can still be found there, and you need to protect it. Delete all your data from accounts that you don’t use and close them down. If you can’t delete it, overwrite your data with random garbage.
6) Rely on a trusted provider for cross-authentication.
Getting away from passwords altogether is still a dream. One way many websites ease the pain is by delegating sign-in to another trusted platform that vouches for you with an authentication token, using a standard called OAuth.
Have you ever seen the buttons inviting you to “Log in with your [Google, Twitter, ...] credentials”? That’s OAuth at work, and it is an excellent way to minimize password usage across sites.
Select a trusted provider (I like Google) and create a robust password with 2-factor authentication on that site. When you access a website that supports OAuth, it will ask Google if you should be admitted to the site, based on your authentication with Google.
That way, the service doesn’t have to store a password for you on their system. They rely on Google as a trusted authority to confirm that you are who you claim you are. OAuth isn’t universal, but it is immensely useful wherever it is available.
7) Resist the temptation to save your password in your local browser.
Sure, it's convenient. But it also means putting too many eggs in a flimsy basket. Passwords stored in regular browsers are subject to attacks - either on the local computer or mobile device, or when the browser submits them to the destination site.
If you want to entrust your passwords to someone, choose an alternate method than what comes with your browser.
8) Use a password manager.
If it doesn’t seem worth your own time and efforts, you can always rely on third party providers to manage your credentials for you.
Services like Dashlane, LastPass or Keeper come to mind. Yes, many password managers have suffered from vulnerabilities and exploits. But be honest with yourself, who would you trust more with your passwords? Yourself - the same person who probably re-uses them across sites? Or a well-known company that puts its name on the line to make passwords more secure and more convenient?
We recommend using Silo, because our virtual browser - the most secure browser available today - comes standard with powerful password management baked in. And your credentials are never entered or exposed on the local computer or mobile device.
Cybersecurity professionals in big law firms, banks, and law enforcement agree that Silo has become the gold standard for protecting yourself and your business when accessing the web.
Try it here for free. Whatever tool you’ll end up using - start creating and managing better, more secure passwords now.
Ben Franklin didn’t have to deal with passwords. But remember his famous admonition about an ounce of prevention being worth a pound of cure? That definitely applies in the 21st century.
Especially when it comes to passwords.
About the author: Scott Petry is Co-Founder and CEO of Authentic8. Before Authentic8, Scott was the founder of Postini.