By Joseph Carson
Published July 08, 2016
It can happen to any of us, and at this rate, it will: Massive collections of passwords from various online services are being posted online (the dark web, mostly) at an alarming rate. Due to a possibly related string of megabreaches, over 640 million passwords have been compromised.
Katy Perry and other celebrities have seen their social media accounts hacked. Lana Del Rey, Kylie Jenner and NFL Commissioner Roger Goodell have all fallen prey to similar, and possibly related, Twitter takeovers in the last few weeks. And, while Twitter is still trying to figure out exactly how these hacks were carried out, it's pointing the finger at megabreaches some years back at companies like LinkedIn, MySpace, Tumblr and Fling.
(In an ironic twist of public comeuppance, Facebook's Mark Zuckerberg was recently outed for using the same lame password -- dadada, so insecure it’s almost funny -- on more than one social media site. His Twitter account was hacked, and he was roundly ridiculed for being so lax.)
There's an obvious lesson there: Stop using -- and re-using -- the same password on multiple sites! If you’re like the average user, your password probably wasn’t secure to begin with. There's no reason to make things easier for cybercriminals by linking your online activities together with a shared vulnerability, which could take months or even years to come to light.
But even if delayed, the cybercrime will likely follow. Indeed, a surprising percentage of people re-use passwords across multiple sites, so a stolen LinkedIn password may very well get you into a victim’s Twitter, Facebook, Snapchat and Google accounts.
At that point, things can get far more serious than just a few social media hacks: TeamViewer, a remote log-in application, is blaming the megabreaches previously described for a mounting number of user-account takeovers. Some have resulted in criminals accessing and emptying the users’ PayPal and bank accounts.
None of this is exactly news, especially to those in tech fields (Zuckerberg definitely knew better!). But it is human nature to take the easy way out, and having to remember secure passwords (a random jumble of 12 or more alphanumeric characters and symbols) is definitely the hard way, especially if you need to remember ten or more (the average person uses 28 distinct cloud services).
So, if you don’t want to get “pwned,” as the gamers say, but you also don’t have a photographic memory, what should you do? Here are five strategies to protect your password so it can protect you.
There's no guarantee that you’re in the clear, but sites like LeakedSource or Troy Hunt’s haveibeenpwned.com can tell you if your email is among the millions recently compromised. If it is, go change all your passwords, especially the important ones, like those for email (work and personal), banking, and social media. Hunt has done some fascinating analyses of password selection patterns, in case you’d like to understand the phenomenon on a deeper level.
In general, hackers are smarter, faster and more devious than the rest of us. That’s why U.S. businesses spend billions of dollars each year trying to keep up with them. Your “clever” six-digit password based on your login, email address, hometown, birthdate or favorite fruit can be cracked in seconds by hackers armed with widely available brute-force crackers and password dictionaries.
Per current recommendations, you should aim for an eight- to 16-character password composed of a mix of upper and lowercase letters, numbers and symbols. You shouldn’t use any dictionary words, common or famous names, or anything in sequence (abc, 123, qwerty). Don’t use any form of personally identifiable information someone could learn about you: family and pet names, street, car make/model or plate number, birthday, etc.
But, how will you remember them? That’s a good question, and hopefully someday soon we will come up with something more human-friendly than passwords. In the meantime, use a trusted password manager app. As a last resort, write your passwords down and hide them in a locked drawer only you can access. Whatever you do, do not store them on a sticky note on your desk, or in an unencrypted file on your computer, phone or tablet.
Here’s one good trick: Think of a phrase you won’t forget, choose the first letter of each word, and make sure to use some symbols and numbers. For example: “Facebook eats up 4 hours each day!” can become “Feu4h3d!”
Or pick a line from your favorite song, let’s say Katy Perry's: “Like a house of cards, one blow from caving in” becomes “L@h0c1bfCi”
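As an added example (not from the article), here is a small Python checker that encodes the rules given above: 8 to 16 characters, all four character classes, no dictionary words, no ascending sequences or keyboard runs, and none of the personal details the caller supplies. The word lists are constructed stand-ins for a real dictionary and breach wordlist; the two passphrase-derived passwords from the text pass it.

```python
import string

# Constructed stand-ins for this example; a real checker would load a full
# dictionary plus a wordlist built from published breach dumps.
COMMON_WORDS = {"password", "welcome", "facebook", "summer", "dragon", "letmein"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn")


def has_sequence(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` consecutive ascending letters or digits
    (abc, 123) or one of the keyboard runs (qwerty)."""
    low = pw.lower()
    if any(k in low for k in KEYBOARD_RUNS):
        return True
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        ascending = all(ord(chunk[j + 1]) - ord(chunk[j]) == 1
                        for j in range(run - 1))
        if ascending and chunk.isalnum():
            return True
    return False


def check_password(pw: str, personal_info=()) -> list:
    """Return the list of policy violations for pw; an empty list means it passes.
    personal_info holds strings the user should never embed (names, street, plate)."""
    problems = []
    if not 8 <= len(pw) <= 16:
        problems.append("length must be 8-16 characters")
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    if not all(classes):
        problems.append("must mix lower, upper, digits and symbols")
    low = pw.lower()
    if any(word in low for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if has_sequence(pw):
        problems.append("contains a sequence (abc, 123, qwerty)")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in low:
            problems.append(f"contains personal information ({item})")
    return problems
```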
Finally, try to incorporate good password habits into your life alongside other routines. Pick a chore you have to do every few months and add password updates to it: replacing water filters or toothbrushes, paying taxes, trimming hedges, etc. This would be a good time to check the breach databases again.
Definitely change your password(s) any time you suspect even a chance of compromise. Don’t ignore breach notifications and take immediate action as instructed. Be aware of phishing scams and be skeptical of any request for personal or financial information you receive through an email, phone call or web page. Choose to use two-factor authentication (2FA) wherever it is offered, even if that isn’t automatic and you have to opt-in. Be sure to use 2FA with your most sensitive accounts: email, banking and password managers, for example.
Oh, and did we mention . . . Don’t re-use passwords!
When it comes to protecting passwords and user credentials in workplace settings, the stakes are even higher. Enforcing the use of strong passwords should be central to every organization’s cyber security program, because access to so many services, vendors, applications, devices, databases and industrial systems is now controlled and secured via passwords.
Privileged account credentials are a favored target of hackers and are one of the most vulnerable components in an enterprise’s technology infrastructure, especially if they are not properly managed and monitored.
If hackers are able to procure even one set of semi-valuable credentials, they can worm their way throughout an entire business network, setting up malware, ransomware and APTs, to be executed at their convenience. They can even use stolen credentials from your company to access your partners’, customers’ or vendors’ networks.
Privileged account management solutions automate, monitor, and enforce password policy adherence. Components of these solutions provide self-service widgets to help users choose strong, unique passwords. Other important features include account risk assessments, comprehensive protection of privileged credentials, endpoint device and application control and automated access monitoring and recording for audit and investigative purposes.
In sum, the current state of password use and abuse is shocking and alarming. There are a lot of reasons why we should all do a better job. Our personal and work lives, and the services and products that we use every day, are increasingly dependent on connected digital technology.
Strong passwords, security awareness, and good cyber habits are among our best defenses against cybercrime. Keeping our passwords safe and strong protects our assets, our families, our communities and our workplaces. Let’s all do our part.