Password management

Master password security to keep cyber criminals at bay

I'd like to start this lesson with one simple question that I'd like you to answer (to yourself) honestly: have you ever used the same password for more than one of your accounts? I know that, for most of us (if not all of us), the answer is a shameful… YES. We've all done it at some point because, if you think about it, we've never received a proper education in using the Internet. We wouldn't let kids walk around without road safety education, and we wouldn't let drivers hit the road without knowing the rules. So why do we think we can go online and put our entire lives there (personal AND professional) without being aware of the dangers?

This lesson is a staple of your cyber security education, and its lead character is the string of characters that shields our most prized information: the mighty PASSWORD! The problem is that the passwords we use are not that mighty. In fact, we should just admit they're LOUSY. Putting "12345678" between you and a sophisticated cyber criminal is CRAZY, don't you think? So it's time to admit your sins and do something about them.

The 7 Deadly Sins of Password Management

1. You shall not keep your passwords in a text file, spreadsheet, plain-text note or any similar unprotected document!
Why? Because that flimsy file might get stolen, corrupted, deleted or, worse, retrieved by cyber criminals. Anything that can read your files (malware on the machine, a colleague at your unlocked laptop, a backup that ends up in the wrong hands) gets every password in one go, and I wouldn't like to see you scramble to change 200 passwords after you've been hacked.

2. You shall not keep using the default password sent to you by a service provider!
Why? It's simple: those passwords are usually short and simple, so they are easily guessed, and they reach you in plain text (an e-mail, a text message, a sticker on the device), so anyone who sees that message has them too. It would be like taking candy from a baby, as they say. And cyber criminals love both your passwords and (probably) candy.

3. You shall not use one of the shamefully weak passwords listed in this top 10!
123456
123456789
1234
Password
12345
12345678
Admin
123
111111
1234567
Why? We think the passwords above are self-explanatory, don't you? They sit at the top of every list of passwords recovered from breached databases, so they are literally the first guesses an attacker tries.

4. You shall not use words that can be found in a dictionary or that are common phrases!
Why? Because cyber criminals have a method called a "dictionary attack". A dictionary attack tries every string in a pre-arranged list, typically derived from a list of words such as a dictionary (hence the name), and nowadays that "dictionary" also includes every password ever leaked in a breach. Dictionary attacks often succeed precisely because many people use short passwords made of ordinary words or simple variants of them, for example with a digit or a punctuation character tacked on or the first letter capitalised. Cracking tools apply those "mangling rules" automatically, so Dragon1! is hardly harder to guess than dragon.

5. You shall not use passwords that include your birth date or other information that's easily available online!
Why? Because tracking down your personal information online is what gives cyber criminals a field day. Even if you have your privacy settings pushed to the max, there's always a way around them for someone who digs up confidential information for a living, and whatever they find (names, dates, the pet, the football team) simply gets added to the word list for the dictionary attack above.

6. You shall not use the same password without changing it for a long period of time!
Why? Because passwords, just like the ice cream in your fridge, have an expiration date. The longer one is in use, the more places it has been typed, stored and possibly leaked, and a leak you never hear about can be exploited for years. One caveat a practitioner would add: current guidance (NIST SP 800-63B) no longer recommends changing passwords on a fixed schedule, because forced rotation pushes people towards predictable variants such as Summer2015!; the trigger for a change should be a breach at the service, a lost device or any suspicion that the password has been exposed, and then the change should be immediate.

7. You shall not use the same password twice!
This is a big one. Seriously! Why? This is one of the CAPITAL mistakes we all make when it comes to password management. Using the same password for more than one account (and usually making it an easy one) means that cyber criminals get access to MORE accounts at once, and they'll be able to steal MORE data and do MORE damage! The attack even has a name, credential stuffing: the username and password pairs from one breached site are replayed, automatically, against every other popular site, and every account that reused the password falls. Imagine they cracked the password to your online banking account, and that the same password protected your e-mail account as well. Can you envision the impact of an attack on your personal finances, and on your business and personal life? If that thought made you shudder, let's see what you can do about it.
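Sins 3, 4, 5 and 7 are the ones an attacker exploits mechanically, and the generator and strength test in the password-creation steps further down are the remedy. The following Python script is an added example, not code from the original lesson or from any of the tools it links to: it hashes a password with unsalted SHA-1 (as many breached databases did), runs a small dictionary attack with the cheap mangling rules that people's "tricks" fall to (capitalise, add a digit or a "!", append a birth year), then generates a password with Python's secrets module and estimates its entropy locally, so nothing ever has to be pasted into a website. The word lists, the personal-information tokens and the sample passwords are constructed for the example; real attacker lists hold millions of entries.

```python
import hashlib
import math
import secrets
import string

# Constructed stand-ins for real attacker word lists: the lesson's top-10
# list plus a few dictionary words. Real lists hold millions of leaked passwords.
TOP10 = ["123456", "123456789", "1234", "password", "12345",
         "12345678", "admin", "123", "111111", "1234567"]
WORDS = ["dragon", "monkey", "welcome", "letmein", "football", "sunshine"]
# Cheap "mangling" suffixes that every dictionary attack tries on every base word.
SUFFIXES = ["", "1", "!", "1!", "123", "2015"]

ALPHABET = string.ascii_letters + string.digits + string.punctuation
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the way many breached databases stored passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def candidates(personal=()):
    """Yield dictionary-attack guesses: each base word (including personal
    tokens such as a name or birth year) in three capitalisations, with the
    usual suffixes and with the personal tokens appended."""
    seen = set()
    bases = TOP10 + WORDS + list(personal)
    suffixes = SUFFIXES + list(personal)
    for base in bases:
        for word in (base, base.capitalize(), base.upper()):
            for suffix in suffixes:
                guess = word + suffix
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def dictionary_attack(target_hash: str, personal=()):
    """Return (password, guesses) if the hash falls to the dictionary,
    otherwise (None, guesses)."""
    guesses = 0
    for guess in candidates(personal):
        guesses += 1
        if sha1_hex(guess) == target_hash:
            return guess, guesses
    return None, guesses


def has_keyboard_run(password: str, n: int = 4) -> bool:
    """True if the password contains n adjacent keyboard keys in a row
    (in either direction), e.g. 'qwer' or '4321'."""
    s = password.lower()
    rows = KEYBOARD_ROWS + tuple(r[::-1] for r in KEYBOARD_ROWS)
    return any(row[i:i + n] in s for row in rows for i in range(len(row) - n + 1))


def generate_password(length: int = 20) -> str:
    """Draw from the CSPRNG (secrets) and insist on all four character
    classes and no keyboard run, as step 2 of the lesson asks."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)
                and not has_keyboard_run(pw)):
            return pw


def entropy_bits(password: str) -> float:
    """Guessing entropy, valid only for randomly generated passwords:
    length * log2(alphabet size). Human-chosen passwords are far weaker
    than this formula suggests, because they are not uniform draws."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    # Constructed sample passwords: a "clever" dictionary variant, one built
    # from a name and birth year, and one from the generator.
    for pw, personal in (("Dragon1!", ()), ("anna1984", ("anna", "1984"))):
        found, n = dictionary_attack(sha1_hex(pw), personal)
        print(f"{pw!r}: cracked as {found!r} after {n} guesses")
    strong = generate_password()
    found, n = dictionary_attack(sha1_hex(strong))
    print(f"{strong!r}: {found!r} after {n} guesses, ~{entropy_bits(strong):.0f} bits")
```

The attack side is deliberately tiny; what matters is the shape: a list of bases, a list of rules, and a hash comparison per guess, which is exactly what a GPU cracker does at billions of guesses per second. The generated password fails the attack not because it is "complex" but because it was never in any list.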
Here's how cyber criminals try to break your passwords

This is a very quick run through the methods cyber criminals use to break your passwords and get access to your private information:

– defined in lesson #4
– defined in lesson #4
Social engineering – defined in lesson #4
Malware-based attacks – defined in lesson #4
Brute-force attacks – cyber criminals systematically try every possible key or password until they find the right one. Against a live login page this is slow and noisy, but against a password hash copied out of a breached database it runs offline on graphics cards that test billions of guesses per second, so a six-character password falls within a minute or two and an eight-character one within days, however random it looks. Your short, repetitive passwords are no match for them!
Database hacking – if a cyber criminal gains access to a company's user database containing the credentials of thousands or millions of customers, and you're among those customers, then you are exposed as well. If the passwords were stored unsalted or with a fast hash, the attacker runs the brute-force and dictionary attacks above against the whole database at once. Dozens of breaches like these have made the headlines in the past two years, and they just keep on coming.

So now let's get to THE FUN PART, where you do a spring-cleaning kind of thing and change your passwords as you go through your accounts.

How to create a good password in 4 easy steps

Step 1. Use a password generator to create long, complex passwords. You can use one of the options listed here or come up with one yourself; just make sure to follow step 2. The generator built into your password manager is the best choice, because the password never leaves your device, but these web-based ones exist too.
Recommended password generators:
https://www.random.org/passwords/
https://identitysafe.norton.com/password-generator/
http://strongpasswordgenerator.com/
http://freepasswordgenerator.com/

Step 2. Make sure to use a combination of words, numbers, symbols, and both upper- and lower-case letters, without adjacent keyboard combinations (such as "qwerty" or "12345678"). Length counts for more than any single symbol: every extra character multiplies the work of a brute-force attack, so aim for well over 12 characters.
Example of a strong password:

Step 3. Set extra strong passwords for the accounts that are crucial to you (e-mail, social media, online banking, etc.) and make them memorable, so you can type them anytime you'd like. Several unrelated words joined with digits and symbols are both long and memorable. Don't forget to apply step 2 when doing it. It'll be good exercise for your memory as well.

Step 4. Test your passwords' strength using howsecureismypassword.net. This could give you an idea of how dreadfully unsafe your old passwords were and a bit of comfort that you're doing the right thing by taking the time to update your credentials. One precaution: never type a password you actually use (or plan to use) into a third-party website, however reputable; test one with the same length and mix of characters instead, and remember that such tools estimate brute-force time only, not whether the password sits in a cracking dictionary.
Here is the result from having tested the password shown as an example above:

So, you have your new, long and complex passwords. But you have over 150, maybe even 200 accounts. What now? Well, now comes the part where you get to learn…

How to safely store your passwords in 8 steps

Step 1. Use a password manager. The reason behind this recommendation: you only have to remember one strong master password, the vault is encrypted with it, and because the manager fills in the other passwords for you, you stop typing them where a keylogger or another credential-sniffing tool could capture them. The master password becomes the one thing everything depends on, so make it your longest one and protect the manager account with two-factor authentication (step 3).
Best free password management applications:
https://lastpass.com/
https://www.passwordbox.com/
https://identitysafe.norton.com/
https://www.wwpass.com/products/blackbook-password-manager/
Best paid password management applications:
https://www.dashlane.com/passwordmanager
https://lastpass.com/features_premium.php
https://www.stickypassword.com/free-vs-premium
http://www.roboform.com/why-everywhere
https://www.intuitivepassword.com/
https://keepersecurity.com/download.html
http://www.roboform.com/download

Step 2. If you want to go the extra mile, you can even consider using more than one password manager, lowering the potential damage if one password-storing service gets compromised (that's a possibility too). Don't put all your eggs in one basket, as they say. You might argue that these apps and services are prone to vulnerabilities as well, and that's very true, but it's much better than using the same password for every service you use. Plus, password security is their business, so rest assured that they know a thing or two about information security.

Step 3. Where it's available, two-factor authentication (a second proof of identity, typically a one-time code from an app on your phone, required alongside the password) is another great safeguard against cyber attacks.
Using this option is especially important when it comes to the critical accounts we talked about earlier: a stolen or guessed password alone is then not enough to get in.
How to turn on 2-step verification on Google: https://support.google.com/accounts/answer/180744?hl=en&ctx=ch_b%2F0%2FSmsAuthLanding
How to turn on Login Approvals on Facebook: https://www.facebook.com/notes/facebook-engineering/introducing-login-approvals/10150172618258920
How to turn on two-step verification on Yahoo: https://help.yahoo.com/kb/turn-two-step-verification-sln5013.html
How to set up Login Verification on Twitter: https://blog.twitter.com/2013/getting-started-with-login-verification
How to turn on two-step verification on Dropbox: https://www.dropbox.com/en/help/363
You can also use this list to check whether other services you use offer 2-step verification: https://twofactorauth.org/.

Step 4. Be especially careful with the passwords you use for logging into financial services, such as your online banking account. Let the password manager fill them in rather than typing them, and use several layers of protection against the cyber criminals who are after your money: a password used nowhere else, two-factor authentication wherever the bank offers it, and a machine that is kept up to date (step 6). Even if you don't have millions in the bank, trust me, they're still after it.

Step 5. Make sure that, when you log into an especially important account, the website protects the connection with HTTPS (the padlock and the https:// prefix in the address bar). HTTPS is a communications protocol for secure communication over a computer network. Its value comes from the fact that it encrypts the traffic in both directions between you and the server, and that your browser checks the server's certificate, which is what stops someone on the same network (the airport Wi-Fi, say) from eavesdropping on your credentials or impersonating the site. If a website you're visiting does not use HTTPS, you'd better double-check its safety and decide whether you're sure you want to enter your credentials there. Additionally, you might not want to store your credit card details in that account either. Keep in mind that HTTPS protects the connection, not the site itself: a phishing page can use HTTPS too, so the padlock says nothing about who is on the other end.

Step 6. Keep your browser and other vulnerable software updated.
Every time you postpone an update for one of your browsers or for software such as Java, Adobe Reader or Adobe Flash, you leave uncorrected a flaw that cyber criminals already know how to exploit, because a published patch tells attackers exactly where to look. (A flaw the vendor hasn't fixed yet is called a zero-day, and against those the best defence is not running the software at all: if you don't need the Java or Flash browser plugins, uninstall them.) Updates don't just deliver better functionality; they deliver security patches as well!

Step 7. Change your passwords frequently. Even if you've set strong passwords, keeping things fresh helps, as long as "fresh" means a new random password and not the old one with a digit bumped, and as long as you change a password immediately whenever a service you use reports a breach. By putting together this routine and applying it consistently, you'll discover a new way of keeping safe online, which will give you peace of mind and a sense of comfort.

Step 8. Don't compromise yourself. Sometimes human error is the biggest liability in our data's security, so keep paying attention to how you share passwords. When you delegate work, go on vacation or sick leave, give access to business partners, or even when a colleague asks you for a password, choose the safe way to do it. You can share passwords safely through a password management service, and some apps even define levels of access (which are pretty common nowadays), so take full advantage of those options; never send a password by e-mail or chat, where it stays readable for as long as the message exists. Also be aware of the people around you. Someone might just look over your shoulder and read your password as you type it. Be mindful of your surroundings, both online and offline.

Can't anyone figure out something better than passwords?

They haven't yet. So passwords will be around for a while, that's for sure. Until we start using biometric technology, or until some groundbreaking innovation comes into play, we will still rely on this method of authentication. So we'd better do it right!

To end things on a funny but educational note, here's Paul talking about password security with John Oliver. It's a 3-minute video that could, perhaps, talk you into making some changes, if I haven't managed to persuade you up to this point.
PS: There are also some free tools you can use to check whether the accounts tied to your e-mail address have turned up in a known breach:
https://breachalarm.com/
https://pwnedlist.com/query
https://haveibeenpwned.com/
They search by e-mail address (or username), so there is never a reason to type one of your passwords into them. If you get a hit, change that password everywhere it was used, today. Use them wisely.

Paul Benjamin
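The breach-check sites in the PS above search by e-mail address. Have I Been Pwned also runs the Pwned Passwords range API (https://api.pwnedpasswords.com/range/ followed by the first five hex digits of the password's SHA-1), which answers whether a specific password appears in breached data without the password ever leaving your machine: only a 5-character hash prefix is sent, the server returns every known hash suffix under that prefix, and you match the remaining 35 characters locally. The Python script below is an added example, not the service's own code; the "leaked" password list, its counts and the simulated server are constructed so the example runs offline, and the live fetch function is included only to show the real call.

```python
import hashlib
from collections import Counter
from urllib.request import urlopen

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Pwned Passwords indexes by the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """k-anonymity split: the 5-character prefix is sent to the server,
    the 35-character suffix stays on the client."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse the API's response body: one 'SUFFIX:COUNT' per line."""
    counts = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appears in breached data (0 if never).
    fetch_range(prefix) must return the range body for that 5-char prefix,
    so the full hash is never sent anywhere."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def build_range_index(leaked_passwords) -> dict:
    """Constructed stand-in for the server: bucket breached passwords by
    prefix in the exact format the API returns, so the demo runs offline."""
    buckets = {}
    for password, count in Counter(leaked_passwords).items():
        prefix, suffix = split_hash(password)
        buckets.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in buckets.items()}


def fetch_range_live(prefix: str) -> str:
    """The real call against the API; not used by the offline demo."""
    with urlopen(RANGE_API + prefix, timeout=10) as response:
        return response.read().decode("utf-8")


# Constructed breach corpus for the demo; the counts are invented.
LEAKED = ["password"] * 3 + ["123456"] * 5 + ["letmein"]
OFFLINE_INDEX = build_range_index(LEAKED)


def fetch_range_offline(prefix: str) -> str:
    # An unknown prefix yields an empty body here; the live API returns
    # hundreds of suffixes for every prefix, which is what hides your hash.
    return OFFLINE_INDEX.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "123456", "Correct-Horse-Battery-7"):
        n = pwned_count(candidate, fetch_range_offline)
        print(f"{candidate!r}: seen {n} time(s) in breaches")
```

Swap fetch_range_offline for fetch_range_live and the same pwned_count works against the real service. This is the check a password manager or a sign-up form should run before accepting a password, and the lesson's sin 7 in reverse: a password that has leaked once is already in every attacker's dictionary.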
