Friday, April 30, 2021

Cybersecurity: Pass the word about good passwords

Comic courtesy of xkcd.com. You can see the full comic here 


One of the many things I’ve discovered while working in IT is that most people treat passwords like vegetables on their dinner plate. 

Everyone knows veggies are good for them, but hates eating them. So they either rush through creating a password as if trying to wash down a forkful of spinach with a glassful of milk, or, worse yet, try to hide the fact they haven’t changed a weak, default password, like they were trying to disguise the fact they didn’t eat all their peas by pushing them under some left-over mashed potatoes.

And like avoiding eating your veggies, ignoring good password practices can have a disastrous impact on your (financial) health.
In 2020, IBM calculated the average cost of a data breach to be as much as $3.86 million. In prior years, about 80 percent of breaches were caused by stolen passwords.

Sure, a vast majority of those breaches happened to big businesses. But don’t think for a moment that those breaches don’t affect your personal finances or that hackers don’t target the average Joe, because they do. According to a recent AARP study, fraud due to identity theft could cost the average person anywhere from about $200 to over $1,000, assuming it’s detected quickly.

This is hardly news to most people, yet when I broach the subject with folks outside the IT world, the most common excuse I get for not having or keeping strong passwords is that they are hard to remember.

Well of course they should be! That’s kind of the point.

If your password is easy to guess, it’s not doing its job in keeping your data safe from prying eyes. You might as well not have a password at all and that’s not a viable strategy these days with more and more of our personal and financial data moving online. 

There are many ways to come up with a good strategy for creating and remembering complex passwords, but most cybersecurity gurus agree on the following tips:

USE A LONG PASSWORD 

The longer a password, the harder it is for hackers to figure out. Even if hackers use a fast computer to run through every possible combination of letters, numbers, and symbols, the longer the password, the more time it will take them to crack your account. And the longer it takes a hacker to do that, the more likely it is that they will give up on you and move to an easier target.  

For instance, a simple eight-character password with all lowercase letters can be cracked in about five hours, whereas a password of 12 all-lowercase characters would take slightly over 200 years. (Times are based on Tulane University's Brute Force Calculator.)
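To show where numbers like "five hours" and "200 years" come from, here is an added example (not from the post, and not the Tulane calculator's code) that computes the brute-force search space for a given length and character set and converts it to time at a guessing rate. The rate is an assumption: it is back-solved from the post's "eight lowercase letters take about five hours" figure, and the same rate then reproduces the post's order of magnitude for 12 lowercase letters.

```python
# Added example: search space, entropy and worst-case crack time as a function
# of password length and character set. The guess rate is an assumption derived
# from the post's eight-character figure, not a number from any real cracker.
import math

ALPHABETS = {
    "lowercase": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "mixed case + digits + symbols": 95,  # printable ASCII
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Search space expressed in bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def implied_guess_rate(length: int, alphabet_size: int, seconds: float) -> float:
    """Guesses per second needed to exhaust the keyspace in `seconds`."""
    return keyspace(length, alphabet_size) / seconds


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this length and alphabet."""
    return keyspace(length, alphabet_size) / guesses_per_second


def describe(seconds: float) -> str:
    """Human-readable duration for printing the table."""
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    # Assumption: the rate at which 26^8 lowercase passwords take five hours.
    rate = implied_guess_rate(8, 26, 5 * 3600)
    print(f"assumed rate: {rate:,.0f} guesses/second")
    for length in (8, 10, 12, 16):
        for name, size in ALPHABETS.items():
            t = seconds_to_exhaust(length, size, rate)
            bits = entropy_bits(length, size)
            print(f"{length:>2} chars, {name:<30} {bits:5.1f} bits  {describe(t)}")
```

Every extra lowercase character multiplies the search space by 26, so going from 8 to 12 characters multiplies the worst-case time by 26^4 (about 457,000). Widening the alphabet helps too, but adding four characters does more than switching the same eight characters to a 95-symbol alphabet.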

USE A PHRASE AS YOUR PASSWORD

When I tell people they should have a long password, they naturally think about using a phrase or passage of text they’ll remember. The problem is that hackers are well aware of this tactic and will also try using common or well-known quotes from literature, the Bible, TV shows and movies to crack your password.

So while you might think “OpenThePodBayDoorsHal” may be a good password because it's long and has a mix of upper- and lowercase letters, it’s also probably on the list of the top five phrases hackers will try, because it's so obvious.

Your best bet here is to use a nonsensical phrase or a phrase made of random words. Also, do not use characters that are sequential on a keyboard, numbers in order, or the widely used “qwerty”, because those are also on the list of default passwords hackers will try to get into your account.

INCLUDE NUMBERS, SYMBOLS, AND MIXED-CASE LETTERS 

By now we are all familiar with this as many sites require you to use symbols, numbers and letters in your passwords. One of the things I will do is come up with some phrase then substitute numbers or symbols for the following letters:

A = @
S = $ or 5
E = 3
I = ! or 1
O = 0 (zero)

So if I decide to use a not-so-nonsensical phrase like: New Pair of Shirts

I can make it more secure by applying the substitutions above to turn it into this: N3wP@1r0f$h1rt$

If you use one of these as your password, you really need to change it immediately! (Source: zdnet.com)

AVOID USING PERSONAL INFORMATION IN YOUR PASSWORDS

This is a big one, especially in the age of social media quizzes that often ask you for seemingly harmless information like the month you were born, your favorite food, color or movie. Hackers can use this information to help guess your password, because they know people often use that kind of information for their passwords. They also know people tend to use important dates and names in their passwords, so don’t use birthdays, anniversaries, addresses, city of birth, high school, and relatives’ and pets’ names in your passwords either, because that information is often easily discoverable online. On that note, if you are required to choose security questions and answers when creating an online account, select ones that are not obvious to someone browsing your social media accounts.
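The four rules above (length, no well-known phrases or keyboard runs, mixed character classes, no personal information) can be turned into a checker. The following is an added example, not code from the post or from any password product; the blocklist, the keyboard runs and the "personal facts" passed to it are constructed for illustration, and a real deployment would check against a much larger list of breached passwords. It also applies the post's letter-for-symbol substitutions in reverse before comparing to the blocklist, so a blocked phrase does not pass just because its letters were swapped for look-alikes.

```python
# Added example: a password-rule checker built from the post's advice.
# Blocklists and sample inputs are constructed for illustration only.
MIN_LENGTH = 12

# The post's substitutions, used in reverse so that "0penTheP0dBayD00rsHal"
# is still recognised as the blocked phrase "openthepodbaydoorshal".
LEET_TO_PLAIN = str.maketrans(
    {"@": "a", "$": "s", "5": "s", "3": "e", "!": "i", "1": "i", "0": "o"}
)

# Constructed blocklist of phrases and patterns the post says are commonly tried.
COMMON_PHRASES = {"openthepodbaydoorshal", "password", "letmein", "iloveyou"}
KEYBOARD_RUNS = ["qwerty", "asdf", "zxcv", "1234", "abcd"]


def normalize(password: str) -> str:
    """Lowercase, undo the look-alike substitutions, drop spaces."""
    return password.lower().translate(LEET_TO_PLAIN).replace(" ", "")


def has_keyboard_run(normalized: str) -> bool:
    return any(run in normalized for run in KEYBOARD_RUNS)


def has_sequential_digits(password: str, run_length: int = 4) -> bool:
    """True if any window of `run_length` digits ascends or descends by one."""
    for i in range(len(password) - run_length + 1):
        window = password[i:i + run_length]
        if not window.isdigit():
            continue
        steps = {int(b) - int(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def char_classes(password: str) -> int:
    """Count of lowercase, uppercase, digit and symbol classes present."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def contains_personal_info(password: str, normalized: str, facts: tuple) -> bool:
    """`facts` are strings such as a pet's name or birth year known to the checker."""
    for fact in facts:
        f = fact.lower()
        if len(f) >= 3 and (f in password.lower() or f in normalized):
            return True
    return False


def check_password(password: str, personal_facts: tuple = ()) -> list:
    """Return the list of rule violations; an empty list means it passed."""
    problems = []
    norm = normalize(password)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if norm in COMMON_PHRASES:
        problems.append("matches a well-known phrase")
    if has_keyboard_run(norm):
        problems.append("contains a keyboard sequence")
    if has_sequential_digits(password):
        problems.append("contains sequential digits")
    if char_classes(password) < 3:
        problems.append("fewer than three character classes")
    if contains_personal_info(password, norm, personal_facts):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; "Fluffy" and "1987" stand in for facts an
    # attacker could read off a social media profile.
    for candidate in ["N3wP@1r0f$h1rt$", "0penTheP0dBayD00rsHal", "Fluffy1987!!", "Qwerty!2021"]:
        print(candidate, "->", check_password(candidate, ("Fluffy", "1987")) or "ok")
```

The post's own example, N3wP@1r0f$h1rt$, passes every rule, while the substituted version of the HAL quote is still caught because the checker normalizes it back to the plain phrase before looking it up.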

DO NOT REUSE PASSWORDS

If you only take away one thing from this post, remember this. Don’t use the same password on all your accounts!

Yes, I know it’s hard to remember just one password and now I’m telling you that you should have 20. But hackers know people are lazy, and if they crack your e-mail or social media account password, the very next thing they are going to do is start trying that password on various banking and financial sites to see if it works.

I often counsel my employees at work to also change the passwords on their personal accounts whenever we detect that their work account password was compromised. I do this because even though our employees seldom use their work e-mail address as their username on personal sites, hackers are smart enough to try the password they cracked for Mary.Jones@MyCompany.org on accounts for mary.jones@gmail.com, mjones@gmail.com, etc.

USE A PASSWORD MANAGER

Okay, you’ve followed all my rules and created several strong passwords, but what good will they be if you can’t remember them when you need them?

The answer is simple. Stop trying to remember them and start using a password manager.

Password managers are small programs which you can install on your computer and phone that not only keep track of all your passwords, but also help you create strong and different passwords for every site you visit. The beauty of using one is that you only have to remember a single, strong password, and many can be unlocked by a fingerprint so you don’t even have to remember a password if you don’t want to.

Yes, most modern browsers like Chrome and Firefox have similar features, but they are much less secure than dedicated password managers. If your Gmail account ever gets hacked, all the passwords you have stored in your Google account will be exposed.

In my job, I use LastPass and have come to rely on it a lot. It works on both my phone and computer and integrates with Chrome pretty painlessly. I highly recommend it, but it’s not the only one out there. A few others recommended by PC Magazine and CNET are also worth checking out.

If you don’t want to spend money on one of these programs, you can always do what Mrs. BlueScreamOfJeff does and turn one of those old-fashioned pocket phone/address books into an offline, physical password manager. Instead of using it to keep track of all her friends, family members and acquaintances, she uses each section to store the username and password for all her various accounts. For example, on the “A” section pages, she has entries for her AOL, AirB&B and Applebees.com logins. Under the “B” section she has her Bank of America, Barnes and Noble and BBC.com login info.

Yes, this does go against “the rule” of not writing your passwords down, but it is OK to write them down as long as you store them in a secure location like a locked drawer when you’re not using it.

CHECK ON YOUR PASSWORDS

Finally, you should periodically check to make sure your passwords are still secure and haven’t been hacked. 

Sites like Have I Been Pwned?, BreachAlarm and Dehashed all let you check on whether your account has been compromised by a past data breach. 

They are pretty simple to use. Just go to the page, enter your e-mail address and click the search button. These sites will then look through a list of accounts known to have been breached by hackers and show you if your address was possibly compromised.
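Have I Been Pwned also offers a Pwned Passwords lookup that checks a password itself, rather than an e-mail address, without ever sending the password to the site. The added example below (not code from the post or from Have I Been Pwned) shows how that "k-anonymity" lookup works: the client hashes the password with SHA-1, sends only the first five hex digits of the hash to https://api.pwnedpasswords.com/range/<prefix>, and receives every matching hash suffix with the number of times it was seen in breaches. The range response used here is constructed so the example runs offline; the counts in it are made up.

```python
# Added example: offline demonstration of the Pwned Passwords k-anonymity
# lookup. The response text and counts are constructed for this example.
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str):
    """First five hex digits go to the server; the remaining 35 stay local."""
    return digest_hex[:5], digest_hex[5:]


def parse_range_response(body: str) -> dict:
    """Parse lines of '<35-hex-suffix>:<count>' into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Return how many times the password was seen; 0 means not found."""
    prefix, suffix = split_hash(sha1_hex(password))
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Real lookup over HTTPS (not used by the offline demo below)."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the network call: a fake range response for the
# prefix of "password", listing its real suffix with a made-up count plus
# two filler suffixes, in the same text format the service uses.
_KNOWN_PREFIX, _KNOWN_SUFFIX = split_hash(sha1_hex("password"))
_FAKE_RESPONSES = {
    _KNOWN_PREFIX: "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        f"{_KNOWN_SUFFIX}:3730471",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
    ])
}


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for live_fetch_range; returns '' for unknown prefixes."""
    return _FAKE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ["password", "N3wP@1r0f$h1rt$"]:
        seen = breach_count(candidate, fake_fetch_range)
        verdict = f"seen {seen:,} times, change it" if seen else "not in the constructed list"
        print(candidate, "->", verdict)
```

Only the five-character prefix leaves your machine, and a prefix matches roughly one in a million of all possible hashes, so the server learns very little about which password you checked; the comparison of the remaining 35 characters happens locally. To run it against the real service, pass live_fetch_range instead of fake_fetch_range.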

If it was, you should change that password immediately.

I know I’ve made it seem like creating and keeping your passwords safe is a lot of work. But like your mother always told you when you complained about having to eat your vegetables:  You may not want to do it, but it's good for you.