It's Cyber Security Month! And the more things change, the more they stay the same. The key advice for online self-defense I've given in the past is just as true now. So to help us all celebrate, I'm "re-featuring" a few articles I've run in the past.
Last week I started a series on themes I covered in a talk entitled "Online Self-Defense". In part 1 of that series, posted here, I talked about protecting your computer. This week we'll look at passwords.
Passwords are a mess! A "good" password has these features:
- hard to create
- hard to remember
- hard to enter
- probably has to be changed as soon as you memorize it
- plus other inconsistent, random rules depending upon the site
Perfect!
When you create a password for a site, the site should not store what you typed. Instead it runs the password through a one-way hash function (ideally a slow, salted password hash) and stores only the result. When you log in, what you type is hashed the same way and compared to the stored value. That means the site doesn't know your original password. Or it shouldn't, if the site does things correctly. But some sites hash badly (a fast, unsalted hash that can be guessed at billions of tries per second), and some sites don't hash at all!
Hint - when you click on the "forgot your password" link, the site shouldn't be able to return your actual password to you. The site shouldn't know your actual password; it should only be able to let you set a new one. If it can send you the old one... that's a warning sign. Of course, if it's a site that you don't care about and doesn't hold your personal information, then maybe it's not a big deal. As long as you haven't used that same password on another, important site.
There have been many highly publicized site password hacks in the past year including: eHarmony, last.fm, Dropbox, Sony, LinkedIn, Stratfor, Yahoo!, and more. In each case, the file of hashed passwords was copied. With the whole file in hand and plenty of computing power, hackers can crack many of the passwords offline, especially where the hashes were fast or unsalted. Then they try those passwords on other sites!
As I discussed in this post
a few months ago, most users have accounts on 25 different sites, but
use only 6.5 different passwords. So the odds are pretty good that the
hackers will find another site on which some of these passwords have
been reused.
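To make the two points above concrete (a leaked hash file is cracked offline as a whole, and the cracked passwords are then tried on other sites), here is an added example that is not code from the original post. The "weak site" stores a fast, unsalted SHA-1 hash; the "better site" stores a salted, deliberately slow PBKDF2 hash. The user names, passwords and wordlist are constructed for the example and come from no real breach.

```python
import hashlib
import hmac
import os

# Constructed wordlist for the demo; a real attacker uses millions of entries.
WORDLIST = ["password", "letmein", "123456", "qwerty", "sunshine", "monkey", "dragon"]

# Iteration count is kept low so the demo runs quickly; deployments tune this much higher.
PBKDF2_ITERATIONS = 200_000


def store_fast_unsalted(password):
    """The weak way: a fast, unsalted hash. Identical passwords give identical hashes,
    and one guess can be checked against every user in the dump at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_slow_salted(password, salt=None):
    """The right way: a random per-user salt plus a slow key-derivation function."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_slow_salted(password, stored):
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_unsalted(leaked_hashes, wordlist):
    """Offline attack on an unsalted dump: hash each guess ONCE, then look it up for every user."""
    lookup = {hashlib.sha1(word.encode()).hexdigest(): word for word in wordlist}
    return {user: lookup[h] for user, h in leaked_hashes.items() if h in lookup}


def credential_stuffing(cracked, other_site):
    """Try every cracked (user, password) pair against a second site's password store.
    The second site's good hashing does not help users who reused their password."""
    return [user for user, pw in cracked.items()
            if user in other_site and verify_slow_salted(pw, other_site[user])]


def demo():
    # Constructed accounts: alice and carol reuse weak passwords on both sites, bob does not.
    users = {"alice": "sunshine", "bob": "correct horse battery staple", "carol": "qwerty"}
    weak_site = {u: store_fast_unsalted(p) for u, p in users.items()}
    better_site = {
        "alice": store_slow_salted("sunshine"),
        "bob": store_slow_salted("a-different-password"),
        "carol": store_slow_salted("qwerty"),
    }
    cracked = crack_unsalted(weak_site, WORDLIST)          # alice and carol fall to the wordlist
    taken_over = credential_stuffing(cracked, better_site)  # ...and lose their other account too
    return cracked, taken_over


if __name__ == "__main__":
    cracked, taken_over = demo()
    print("cracked from weak site:", cracked)
    print("also compromised on better site via reuse:", taken_over)
```

Note what the salt buys: against the salted store, each guess has to be recomputed per user, and PBKDF2 makes each of those computations thousands of times slower than a bare SHA-1. It buys nothing for a password that is already known from another site's leak.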
Here are the top 3 simple things to do now:
1. Don't reuse passwords among sites - I've already explained why above.
2. Choose good long passwords - 8 characters is not enough. I try to use 20 random characters. A 20 character password that only uses upper and lower case letters is much stronger than an 8 character password using letters, numbers and special characters, because the number of possible passwords grows exponentially with length but only polynomially with the size of the character set (I'll explain that one in a future post). But, how do you remember a 20 character password?...
3. Use a password vault - a password vault is a program that encrypts and holds all your passwords. I explain these in detail, and list some good products, in this post from a few months ago.
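The length-beats-complexity claim in tip 2 can be checked with a little arithmetic, and tip 3's vault is only as good as the random passwords you put in it. The following is an added example, not code from the original post: it computes the entropy of a uniformly random password over each character set, estimates brute-force time at an assumed guess rate (the 1e10 guesses per second figure is an order-of-magnitude assumption for a fast, unsalted hash on a GPU rig, not a value from the post), and generates a vault-worthy password with the CSPRNG-backed `secrets` module.

```python
import math
import secrets
import string

# The two character sets compared in tip 2.
LETTERS_ONLY = string.ascii_letters                                        # 52 symbols
FULL_KEYBOARD = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Assumed guess rate (order of magnitude) for a fast, unsalted hash; not from the post.
ASSUMED_GUESSES_PER_SECOND = 1e10


def entropy_bits(length, alphabet):
    """Entropy of a uniformly random password: log2(len(alphabet) ** length).
    Valid only for machine-generated passwords; a human-chosen one is far weaker."""
    return length * math.log2(len(alphabet))


def brute_force_years(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Years needed to exhaust a search space of 2**bits at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def random_password(length=20, alphabet=LETTERS_ONLY):
    """Use the secrets module (CSPRNG); random.choice is predictable and must not be used here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare():
    """Tip 2's claim in numbers: 8 'complex' characters versus 20 plain letters."""
    short_complex = entropy_bits(8, FULL_KEYBOARD)
    long_simple = entropy_bits(20, LETTERS_ONLY)
    return {
        "8 chars, full keyboard": (round(short_complex, 1), brute_force_years(short_complex)),
        "20 chars, letters only": (round(long_simple, 1), brute_force_years(long_simple)),
    }


if __name__ == "__main__":
    for label, (bits, years) in compare().items():
        print(f"{label}: {bits} bits, about {years:.3g} years at {ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s")
    print("example vault-worthy password:", random_password())
```

The 8-character keyboard password has about 52 bits of entropy and falls in days at that rate; the 20-letter password has about 114 bits, far beyond any practical search. Adding digits and punctuation to the 20-letter password helps a little more, but adding length is what moves the needle.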
Here are some bonus tips. The first 2 are easy. The rest are a bit
more advanced, or perhaps for the more adventuresome among you.
4. Only enter passwords on secure sites or pages - Look for https:// in the address bar and a lock symbol to assure your passwords are kept confidential when traveling across the Internet. (The lock only protects the password in transit; it says nothing about how the site stores it once it arrives.)
5. Use care with "secret" questions - Many sites use “secret” questions to help identify you if you forget your password. Choose questions and answers that people can’t just look up on Facebook! Your place of birth, high school mascot, and other common information are not good choices. Or… you could provide fake answers to common questions. Just be sure you know what answers you give (your password vault is a good place to keep them)!
This is a complex topic. If you only do the first 3 (or 5) things
I've listed above you will be way ahead of the crowd. For even more
protection, try some of these tips:
6. Use login notifications - Some sites will let you know when you
last logged in, or if it looks like your account was logged in to from another
country. Some sites allow you to block login attempts from countries you specify.
7. Be careful "linking" accounts - Don’t just log into every site using your Facebook or Twitter logins (when available). If either of those accounts gets compromised, you could lose a lot more than just one (or two) accounts.
8. Try 2-step authentication - Google (2-step verification and Google Authenticator), eBay, PayPal, Dropbox, Facebook and other sites now allow 2-factor or 2-step authentication. It’s a bit more complicated to set up but definitely worth it. Here's a great article from Lifehacker talking about some of the sites that offer this service.
9. Use separate email accounts - If you use the same email account for all your online accounts, then a hacker can own you online by compromising that one email account. Most sites send a confirmation or password-reset link to the associated address when a change is made, so whoever controls that mailbox can reset the password on every account tied to it. If you can use different email addresses, then having one compromised won’t affect all your other online accounts.
This is a lot of information, but it is a complex topic (with some
simple solutions). I will write more about my thoughts on passwords and
authentication in the future.
How do you protect your passwords? What password creation tips and tricks can you share? How many of these tips do you use?
(Next time: Online Self Defense - Part 3 - Don't Click!)