Password compromises are one of the main ways that hackers obtain access to private information. Here are some things you should be doing to keep this important information (and the data that it protects) out of the wrong hands.
Unique is Good – Random is Better
It seems like we need passwords for almost everything, and the days of just having a few passwords to remember are long behind us. Unfortunately, many people still use the same password in many different places, which exposes them to having multiple accounts compromised when someone steals or guesses the login for one account.
The best practice is to use a unique random password for every website. This has become easy to accomplish using password management software.
I highly recommend LastPass – it creates an encrypted password database that can only be accessed using your master password. In addition to this core functionality, it also generates secure random passwords with the click of a mouse, and helps to automate entering your passwords into websites.
While we are on the topic of password management, it’s important to stop using books, post-its, and electronic documents to store passwords. We all know people who keep their passwords under a keyboard, on a monitor, in their desk drawer, or on their smartphones. Replace those with a password management database and you will immediately be more secure.
Be Clever About Password Recovery Questions
Many sites use short-answer questions as part of a password recovery process. The problem is that much of the information that they collect for this process is publicly known. It doesn’t do any good to secure your account with a “city of birth” response when a quick online search could provide that info to an attacker.
Avoid answering with your own easily researched details, such as birth dates, cities, street names, pets, and vehicle information. When you need to provide password recovery questions, choose a friend, relative, or famous person that you know a lot about (or can learn about on a site like Wikipedia) and use their answers instead.
Double Down with Two-Factor Authentication
Use two-factor authentication whenever a site or application supports it. This method combines something you know (a password) with something you have (generally a randomly generated code, produced by a small handheld device or an application on your smartphone, or sent to you via text message) and is much more secure than just a password.
Not every site or application supports two-factor authentication today, but more are being added all the time. One way to find out is by using a Google search. For instance, if you wanted to learn about this option for apple.com, you could use the search phrase:
"multi-factor" OR "two-factor" OR "two factor" site:apple.com
This will return a list of pages that are hosted by apple.com which use common versions of the terminology. Replace apple.com with any domain name that you want to check.
Protect the Keys to Your Kingdom
Another common way to reset a password is to have the site send a link or code to your email address. This means that you should be even more careful with your email passwords.
If a hacker can access your email, that opens the door to other compromises. That is why so many attacks focus on email addresses and passwords. Once an attacker has access to your mailbox, they can see which sites send email to you and request password reset links from them.
Always use a unique password for any email account, and watch for unexpected email messages that may indicate someone has requested a password reset. If your email provider supports two-factor authentication (Google and Office 365 are two that do) you should consider enabling it.
Don’t Take the Bait
One of the most common ways that hackers obtain passwords is through phishing. Phishing is the practice of sending fraudulent email that is designed to look like it’s from a reputable company. This is done to trick someone into entering usernames, passwords, or payment information into a fake site that is designed to look like the real one.
Phishing isn’t always easy to detect, but it’s easy to avoid falling victim to it.
Never enter your username or password in response to clicking a link or document that you receive through email. If you click a link that prompts you to sign in, it’s probably malicious. Close your web browser and go to the site in a new page, by manually typing the URL.
Make Sure It’s Secure
One of the ways that legitimate companies protect your personal information is by using SSL – the standardized security technology for establishing encryption and trust between a web server and your browser.
When sites use SSL properly, it ensures that all data passing between the browser and server is unreadable and unchanged by anyone who happens to sit between the two devices. It also helps to prevent hackers from creating fake sites that can trick you into thinking they are legitimate.
Learn how to tell whether a site is secure (encrypted) – this depends on which browser you use, but generally relies on either a green indicator in the address bar or a lock symbol. Always make sure that the page is secure before you enter any personal information (name, address, phone, password, email address, or payment info).
Take the Next Step
Assistance with password management and two-factor authentication is complimentary with any of our Monthly Maintenance Plans, or we are happy to help with this as a standalone project.
Not sure where to begin? Drop us a line and we’ll schedule a time to chat about it.
Written by Ken Fischer, Technology Services Director for Business by Barnhill