Welcome to the final and perhaps most important post in this series on online security. In previous posts I’ve discussed:
- Part 1: Scams
- Part 2: Phishing, Ransomware, Extortion and More
- Part 3: Mobile Security and Social Engineering
With a tip of the hat to Stephen Covey, I present you Part 4: 7 Steps to Strong Password Management. Please take the time to carefully consider what your password habits are, and what protections you can add. But first, a bit of background:
In late 2016 Yahoo revealed that over half a billion accounts had been stolen by attackers back in late 2014, in what was the biggest known breach the world had ever seen. Jaws dropped at the time, but they were to drop even further: in December 2016 the company admitted that a separate, earlier breach had affected more like a billion accounts. This might have seemed like bad enough news for the already struggling internet giant, but in October 2017 it came to light that, staggeringly, all three billion Yahoo accounts were likely to have been compromised.
“Yeah, I remember hearing something about that”, I hear you muse, “I had a Yahoo account once, but haven’t used it in over 10 years”.
Well, let me tell you why this should have you worried: Yahoo was just the tip of the iceberg. No, I’m not kidding. An absolutely mind-numbing 15.1 billion records – that’s two records for every human on the planet – were lost in data breaches in 2019 alone, and that’s only what companies have publicly reported. The true figure is without a doubt far higher.
Further to this (and granted, there will be some overlap), nearly 10 billion accounts from hundreds of websites and other sources have surfaced in the wild (i.e. attackers selling or just plain giving away the data), and these are formally documented on security researcher Troy Hunt’s HaveIBeenPwned website.
Hopefully I have your attention now, because this is important: Many of these breaches included names, passwords, addresses, phone numbers, payment details and more – in fact some have immensely personal details. You cannot trust that your passwords (or any data, really) are 100% safe in the hands of any website or company, no matter how large. But online security is all about reducing risks, and there are many things you can do to mitigate the effects of fallout when another online service you use is compromised. And I deliberately say “when”, not “if”.
Now let’s be clear: many of the leaks didn’t include plain passwords, but there are over half a billion unique, known leaked passwords out there, and chances are pretty good that a password you’ve used in the past (or are still using now) is in that list. Once a password is known to bad actors, it’s only a matter of time before it’s used to access other accounts and services.
The simple but stark upshot of this is that once a password has been compromised – even once – it can’t be considered safe for anyone to use again, ever. To contain the damage when a service you use is compromised (and new services are compromised daily), each and every account needs its own unique, strong password. In short, we have our first habit:
1. Don’t reuse passwords. Ever.
That’s right, you should never use the same password in two or more places. If one of those systems is compromised, your second account might as well also be compromised, even if it has “better” security. Case in point: just last month, 500,000 Zoom accounts were leaked (some early reports said Zoom had been hacked, but it hadn’t). They came from a large-scale credential stuffing attack: this is the practice of taking stolen/leaked username and password pairs (yes, like the ones I mention above) and trying them on other sites to gain access to as many accounts on as many services as possible. If I’m an attacker and I manage to get your email address and password from your lolcatz.com account, you can guarantee I’m going to try the same combination on Facebook, Twitter, Google/GMail, Microsoft, banks, government sites, Zoom, and probably dozens if not hundreds of other services. This can be done at massive scale very quickly using botnets comprising sometimes millions of infected PCs and IoT devices. It might take a matter of minutes or hours to test a million passwords against a hundred different sites and services.
Back to the half billion leaked passwords. That’s just what the “good guys” know about, the number is certainly far higher. Each time a database is hacked, if usernames and passwords are found you can guarantee that the hacker will try credential stuffing.
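The “over half a billion leaked passwords” above are searchable through the Pwned Passwords part of HaveIBeenPwned, and the useful detail for a practitioner is *how* that check works without handing your password to anyone: only the first five hex characters of the password’s SHA-1 hash are sent, the service returns every leaked hash suffix sharing that prefix, and the comparison happens on your machine (the “k-anonymity” range query). The block below is an added example, not code from this post or from HaveIBeenPwned; the `CONSTRUCTED_LEAKS` corpus and its counts are made up so that the lookup runs offline, and `live_range_lookup` is included only to show what the real request looks like (it is never called here):

```python
import hashlib
from typing import Callable, Dict, List, Tuple


def sha1_upper(password: str) -> str:
    """Pwned Passwords indexes passwords by upper-case hex SHA-1 (not a storage hash, a lookup key)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """(prefix, suffix): the 5-char prefix is all that leaves the machine; the 35-char suffix stays local."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def pwned_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """
    range_lookup(prefix) returns the text a range endpoint gives back: one
    'SUFFIX:COUNT' line per leaked hash that shares the prefix. We match the
    suffix locally, so the service never learns which password was checked.
    Padded responses (count 0 filler lines) are harmless: they never match a
    real suffix with a non-zero count.
    """
    _, suffix = split_hash(password)
    for line in range_lookup(split_hash(password)[0]).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


# --- Constructed stand-in for the service (made-up passwords and counts) ---
CONSTRUCTED_LEAKS: Dict[str, int] = {
    "password": 3_730_471,
    "123456": 23_597_311,
    "iH@techangingthis1": 2,
}


def build_fake_index(leaks: Dict[str, int]) -> Dict[str, List[str]]:
    """Group the constructed leaks by hash prefix, exactly as the real range files are organised."""
    index: Dict[str, List[str]] = {}
    for pw, count in leaks.items():
        prefix, suffix = split_hash(pw)
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index


FAKE_INDEX = build_fake_index(CONSTRUCTED_LEAKS)


def offline_range_lookup(prefix: str) -> str:
    """Mimics GET https://api.pwnedpasswords.com/range/<prefix> with no network access."""
    return "\n".join(FAKE_INDEX.get(prefix.upper(), []))


def live_range_lookup(prefix: str) -> str:
    """The real endpoint, for reference only (not called in this example).
    Add-Padding asks the service to pad responses so their size does not leak the prefix."""
    from urllib.request import Request, urlopen
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}", headers={"Add-Padding": "true"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        prefix, _ = split_hash(candidate)
        seen = pwned_count(candidate, offline_range_lookup)
        print(f"{candidate!r}: sent prefix {prefix}, found {seen} time(s) in the constructed index")
```

Swap `offline_range_lookup` for `live_range_lookup` to query the real service; the password itself is never transmitted either way, which is what makes this safe to build into a sign-up form or a password-manager audit.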
If your company has a password policy that includes regular forced password changes, this only encourages users to create sequential (and equally insecure) passwords such as iH@techangingthis1, iH@techangingthis2, iH@techangingthis3, and so on. While this was recommended in the distant past, it’s no longer considered good password policy: current guidance (for example NIST SP 800-63B) advises against forced periodic rotation, and instead recommends changing a password only when there is evidence it has been compromised.
What’s more, don’t think that you can be smart and use passwords like 1qa@WStwitter in one place and 1qa@WSfacebook in another. If I (as a bad actor) match two or three leaked accounts, I can most likely work out your pattern and you’re still screwed. Your passwords should be entirely different from each other.
This leads us to the second habit:
2. Use a password manager
People are notoriously bad at choosing passwords. Did you know there is a Wikipedia page listing the world’s most common passwords? Oh, but you use tricky C0mb1n@tions! Sorry, that’s not good enough anymore either; the substitution patterns are well known and cracking tools try them automatically. In fact, we humans are really bad at picking new, good passwords. This old XKCD comic shows where we were at 9 years ago. We were bad then, and anecdotally we really haven’t got much better, while the tools and computing power available to attackers for guessing weak passwords have grown massively.
“The only secure password is one you can’t remember”, says Troy Hunt. Well, it’s high time we got off our collective lazy butts and embraced long, randomised passwords. Everywhere. A different random password on every site.
“What?!?”, I hear you say, “How will I possibly remember them all?”
Don’t worry, it’s all good news: You don’t have to! Password managers do all the hard work for you. These great tools will:
- Generate a new, long, random password when you create a new account
- Store the password securely
- Automatically fill the username and password for you when you go to log in
- They will securely encrypt ALL your passwords using a single, long, safe password that you will choose. Yes, you do have to think of one secure, long password, but it’s the pretty much only one you’ll ever need to remember.
- On setup you’re given a long secure recovery code to print out and store safely in case you forget the master password
- Most password managers sync across all your devices
- Some will warn you if your accounts are in known breaches
- Some will help you through the process of upgrading old passwords to new, secure ones
- Some allow you to share passwords (eg. Netflix, Spotify with family members or web host login with co-workers)
- Some provide a way for you to grant loved ones access when you die
- … and much, much more!
Please do yourself, your family and your business a favour and get a password manager today, if you don’t already use one. With prices ranging from free to a few dollars a month, there is simply no excuse not to. Here are the top 3 contenders. 1Password is my personal favourite, but I’ve also used the LastPass free edition:
Seriously, it’s not a perfect solution, but if you’re not already using one for all your online accounts it is the single best thing you can possibly do for your online security. For a few hours of your time and a few bucks a month it’s the best security investment you’ll make this year.
On choosing a good master password, go for a phrase that’s easy to remember, hard for anyone to guess and unlikely to appear anywhere else (so avoid plain lyrics, lines of a poem, etc). Something like “That time Moffie burned her tail~~”
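The two kinds of password this section asks for (a long random one generated per site, and a memorable multi-word phrase for the master password) are easy to generate correctly and, more usefully, easy to measure. The block below is an added example, not code from this post or from any password manager: it draws both kinds with Python’s CSPRNG-backed `secrets` module and computes the entropy in bits, which is what actually determines guessing cost. `CONSTRUCTED_WORDS` is a tiny stand-in for a real word list (a proper generator would load a published list such as the EFF long list of 7,776 words), and the 1e11 guesses-per-second rate in `expected_crack_seconds` is an assumed figure for an offline attack on a fast hash, not a measured one.

```python
import math
import secrets
import string

# Constructed stand-in word list (32 words = 5 bits per word). A real
# generator would use a published list such as EFF's 7,776-word long list.
CONSTRUCTED_WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble",
    "quartz", "ribbon", "saddle", "timber", "umpire", "velvet", "walnut", "yonder",
    "zephyr", "acorn", "bramble", "copper", "dune", "elk", "fable", "glacier",
]

# 26 + 26 + 10 + 32 = 94 printable ASCII characters, the usual "all character classes" alphabet.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 24, alphabet: str = SYMBOLS) -> str:
    """Per-site password: uniform picks from a CSPRNG. Never use random.choice for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words: int = 6, words=CONSTRUCTED_WORDS, sep: str = "-") -> str:
    """Diceware-style master password. Strength comes from the number of
    equiprobable words drawn, not from the words being obscure."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices: int, draws: int) -> float:
    """Entropy of `draws` independent uniform selections from `choices` options."""
    return draws * math.log2(choices)


def expected_crack_seconds(bits: float, guesses_per_second: float = 1e11) -> float:
    """Expected time to guess a password of the given entropy: on average half
    the keyspace is searched. The default rate is an assumption for a fast hash;
    a slow KDF (scrypt/Argon2/PBKDF2) reduces the attacker's rate by orders of magnitude."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    pw = random_password(24)
    phrase = passphrase(6)
    print(f"site password : {pw}  ({entropy_bits(len(SYMBOLS), 24):.1f} bits)")
    print(f"master phrase : {phrase}  ({entropy_bits(len(CONSTRUCTED_WORDS), 6):.1f} bits from this toy list)")
    # Same phrase length drawn from EFF's 7,776-word list would give:
    eff_bits = entropy_bits(7776, 6)
    years = expected_crack_seconds(eff_bits) / (365 * 24 * 3600)
    print(f"6 EFF words   : {eff_bits:.1f} bits, ~{years:.0f} years at 1e11 guesses/s")
```

The point to take from the numbers: six words from a 7,776-word list give about 77 bits, a 24-character random password about 157 bits, and neither contains a pattern an attacker can learn from a previous leak. The toy list here gives only 5 bits per word, which is why the word list matters as much as the word count.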
3. Avoid sharing credentials
I’ve been in the IT and B2B technology industry for almost 2 decades. I’ve dealt with dozens of different IT support companies – you know, the ones that business owners trust to secure their valuable digital assets – and I can probably count on one hand the number of companies I’ve dealt with who have treated passwords properly.
Sharing passwords is like sharing your toothbrush: it might be ok to share your Netflix password with your significant other, but you wouldn’t want to share with your work colleague. In particular:
- Never send any passwords via email. There are so many things that could go wrong.
- Don’t store or share passwords in a spreadsheet, text file or Word document.
- In an ideal world, passwords should be securely generated once, by the user who needs it, stored securely in a password manager, and never seen again.
- Rather than share an account between users, set up a separate account for each person who needs access (this also gives you an audit trail of who did what).
- Limit access to accounts on an “as-needed” basis
- For cases where credential sharing is needed (say in an office or home environment), use the password sharing features of your password manager to share with other users.
4. Be careful where you enter your passwords
Many phishing attacks rely on you not noticing that you’re entering credentials into an untrusted website. Remember that there are layers of trust, and if any one layer is compromised, the remaining layers can’t be trusted:
- Check the URL is correct
- Check that the page is served over HTTPS (the padlock). Remember that the padlock only means the connection is encrypted, not that the site is legitimate: phishing sites use HTTPS too, so this check is in addition to the URL check, not instead of it.
- Check that the application you’re entering the credentials into can be trusted (and isn’t a look-alike spoofed app or notification)
- Only enter your credentials on a trusted PC – so no logging into accounts on kiosks or public/shared machines
- I’m probably going to upset some people with this, but I’m calling this one out: Don’t use POLi for payments! This is a system where you are knowingly giving another company your full bank login details to allow them to log in and make a payment on your behalf. I’m sorry, but no amount of “but we’re secure!” will cut it. Don’t give your bank login to anyone, ever.
Another benefit of using a password manager is that they won’t automatically fill in your login details if the page URL is not what’s expected – so if 1Password is not automatically filling in your login details, it makes you take a step back and say, “is this legit?”
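The reason a password manager refuses to fill is worth seeing concretely, because it catches exactly the tricks a human eye misses: a hostname that merely contains the real one (`example.com.evil.test`), a `user@host` URL where the real host comes after the `@`, an HTTP downgrade, or a punycode look-alike domain. The block below is an added example and is not 1Password’s or any other manager’s actual matching code; it assumes a simplified rule (the saved hostname or one of its subdomains, on label boundaries, over HTTPS only), whereas real managers match on the registrable domain using the public suffix list. The `CASES` are constructed inputs.

```python
from typing import List, Tuple
from urllib.parse import urlsplit


def host_matches(saved_host: str, current_host: str) -> bool:
    """Exact host, or a subdomain of it, compared on label boundaries.
    A plain substring test would accept 'example.com.evil.test' and 'notexample.com'."""
    saved = saved_host.lower().rstrip(".")
    current = current_host.lower().rstrip(".")
    return current == saved or current.endswith("." + saved)


def autofill_decision(saved_url: str, current_url: str) -> Tuple[bool, str]:
    """Decide whether credentials saved for saved_url may be filled into current_url.
    Returns (allowed, reason) so a UI can tell the user *why* it held back."""
    saved = urlsplit(saved_url)
    current = urlsplit(current_url)
    if current.scheme != "https":
        return False, "page is not served over HTTPS"
    if not saved.hostname or not current.hostname:
        return False, "could not parse a hostname"
    # urlsplit already discards any 'user:pass@' userinfo, so the host after '@' is what we compare.
    if any(label.startswith("xn--") for label in current.hostname.split(".")):
        return False, "internationalised (punycode) hostname; possible look-alike domain"
    if not host_matches(saved.hostname, current.hostname):
        return False, f"host {current.hostname!r} does not match saved {saved.hostname!r}"
    return True, "ok"


SAVED = "https://example.com/login"

# Constructed cases: (page URL, expected decision)
CASES: List[Tuple[str, bool]] = [
    ("https://example.com/login?next=/account", True),
    ("https://login.example.com/", True),
    ("https://example.com.evil.test/login", False),   # real domain used as a subdomain of the attacker's
    ("https://notexample.com/login", False),          # substring match trap
    ("http://example.com/login", False),              # downgrade: credentials would go in the clear
    ("https://example.com@evil.test/login", False),   # '@' trick: the real host is evil.test
    ("https://xn--exmple-cua.com/login", False),      # punycode look-alike
]


def run_cases() -> List[Tuple[str, bool, str]]:
    """Evaluate every constructed case; returns (url, allowed, reason) for inspection."""
    return [(url, *autofill_decision(SAVED, url)) for url, _ in CASES]


if __name__ == "__main__":
    for url, allowed, reason in run_cases():
        print(f"{'FILL ' if allowed else 'BLOCK'} {url:45s} {reason}")
```

If you are writing a manager or a browser extension, the lesson is the same one the post draws for humans: decide from the parsed hostname, never from the string as displayed.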
5. Keep your devices safe
If your computer or mobile device isn’t secure then even good passwords lose their edge:
- Keep computers, mobile devices and servers up to date with security patches. Critical vulnerabilities come out regularly, and if you’re behind with updates and connected to the internet then you’re vulnerable.
- Don’t forget to keep your website and third party apps updated as well
- Turn on “full disk encryption” if it’s not already on
- Mobile devices should all be locked with some form of PIN, password or biometric security
6. Use 2FA everywhere you can
Two-factor authentication (2FA) – a form of multi-factor authentication (MFA), also called two-step verification and various other names – is your number one protection against stolen credentials. If you don’t have it enabled and your password is compromised, your account is toast. Don’t treat it as a substitute for a strong password (i.e. don’t assume it will save you from using a weak password everywhere); it’s really your last line of defence. Some suggestions:
- Enable it on every online service you can: email, social, banking, source code repos, cloud management, websites and blogs, everything both business and personal. It’s a small price to pay for peace of mind.
- Be wary of relying on apps like Google Authenticator which generate authentication codes: if you lose or break your phone and can’t get back into the app, you may lose access to accounts! 1Password (and possibly other password managers) allow you to generate the codes in the app, and these codes are synced across devices as well. Be aware of the trade-off, though: if the 2FA secrets live in the same vault as the passwords, anyone who gets into the vault gets both factors, so protect the vault (and its master password) accordingly. As an alternative, you could print and securely store the QR code that’s given to you when you set up 2FA, along with any backup/recovery codes the service issues.
- Look into using a YubiKey or other hardware-based token for securing access to particularly high value machines or accounts. FIDO2/U2F keys bind the login to the genuine site, so unlike a typed-in code they can’t be phished.
7. Exercise “security mindfulness”
The final habit is to always be proactive, forward-thinking, and mindful of the constantly changing security landscape:
- Regularly monitor your accounts for possible breaches. Once again I’m throwing Troy Hunt’s awesome site HaveIBeenPwned out there: if you haven’t already, go now and check every email address you’ve ever owned. What you find may surprise you.
- Register on the site and you’ll get a notification if your email address is found in a breach, and you can take proactive measures to protect yourself further.
- If you own or manage a domain name, you can register to receive notifications of breaches against any address on your domain.
- Sign up to receive notifications of blog posts from prominent security journalists. Troy Hunt and Brian Krebs are great sources of up-to-date and (usually) easy to understand information.
- Become familiar with some security jargon: you don’t have to know how things work, but understanding the difference between session hijacking and privilege escalation will help you be more mindful of your risks.
- If you’re ever in a breach, immediately change your password for that site. If that password is also used elsewhere (but you don’t do that anymore, do you?) change those passwords too.
- If breaches include more personal information, check this CERT page, consider getting a free credit check and possibly freezing your credit report.
- Take stock of all the accounts you have had in the past. Proactively go and shut down as many as you have that you no longer use. Where possible request full account deletion.
I hope this series has helped you understand the importance of good online security, and to hopefully show what that looks like. We are in a new world of threats that are constantly changing, becoming more aggressive, cunning and invasive by the day. No security is perfect security, but the key is to avoid becoming the low-hanging fruit. If you’ve even taken one thing to heart from this, it will have been worth it.
Be strong, be safe, be kind,