Tuesday, October 15, 2013

Online Self Defense - Passwords

   Next week I'll be presenting at the Cyber Security Summit in Minneapolis.  I hope to see you there!

   It's Cyber Security Month!  And the more things change, the more they stay the same.  The key advice for online self-defense I've given in the past is just as true now.  So to help us all celebrate, I'm "re-featuring" a few articles I've run in the past.

   Last week I started a series on themes I covered in a talk entitled "Online Self-Defense".  In part 1 of that series, posted here, I talked about protecting your computer. This week we'll look at passwords.

   Passwords are a mess!  A "good" password has these features:
  • hard to create
  • hard to remember
  • hard to enter
  • probably has to be changed as soon as you memorize it
  • plus other inconsistent, random rules depending upon the site

   When you create a password for a site, it gets encrypted and then stored.  When you log in, what you  type in gets encrypted and compared to what was stored.  That means that the site doesn't know your original password.  Or it shouldn't if the site does things correctly.  But some sites don't encrypt well.  And some sites don't encrypt at all!
   Hint - when you click on the "forgot your password" link, the site shouldn't be able to return your actual password to you.  The site shouldn't know your actual password.  If it does... that's a warning sign.  Of course, if it's a site that you don't care about and doesn't hold your personal information, then maybe it's not a bit deal.  As long as you haven't used that same password on another, important site.

   There have been many highly publicized site password hacks in the past year including: eHarmony, last.fm, Dropbox, Sony, LinkedIn, Stratfor, Yahoo!, and more.  In each case, the encrypted password file was copied.  Using the entire password file and advanced computing, hackers can decrypt many of the passwords.  Then they can try those passwords on other sites!

   As I discussed in this post a few months ago, most users have accounts on 25 different sites, but use only 6.5 different passwords.  So the odds are pretty good that the hackers will find another site on which some of these passwords have been reused.

   Here are the top 3 simple things to do now:
1. Don't reuse passwords among sites - I've already explained why above

2. Choose good long passwords - 8 characters is not enough.  I try to use 20 random characters.  20 character passwords that only use upper and lower case letters are much stronger than 8 character passwords using letters, numbers and special characters! (I'll explain that one in a future post).  But, how do you remember a 20 character password?...

3. Use a password vault - a password vault is a program that encrypts and holds all your passwords.  I explain these in detail, and list some good products, in this post from a few months ago.

   Here are some bonus tips.  The first 2 are easy.  The rest are a bit more advanced, or perhaps for the more adventuresome among you.

4. Only enter passwords on secure sites or pages - Look for https:// in the address bar and a lock symbol to assure your passwords are kept confidential when traveling across the Internet.

5. Use care with "secret" questions - Many sites use “secret” questions to help identify you if you forget your password.  Choose questions and answers that people can’t just look up on Facebook!  Your place of birth, high school mascot, and other common information are not good choices.  Or… you could provide fake answers to common questions.  Just be sure you know what answers you give!

   This is a complex topic.  If you only do the first 3 (or 5) things I've listed above you will be way ahead of the crowd.  For even more protection, try some of these tips:

6. Use login notifications - Some sites will let you know when you last logged in, or if it looks like your account was logged in to from another country.  Some sites allow you to block login attempts from countries you specify.

7. Be careful "linking" accounts - Don’t just log into every site using your Facebook or Twitter logins (when available).  If either of those accounts get compromised you could lose a lot more than just the one (or two) accounts).

8. Try 2-step authentication - Google (2-step verifcation and google authenticator), ebay, paypal, dropbox, facebook and other sites now allow 2-factor or 2-step authentication.  It’s a bit more complicated to set up but definitely worth it.  Here's a great article from Lifehacker talking about some of the sites that offer this service.

9. Use separate email accounts - If you use the same email account to associate with all your online accounts, then a hacker can own you online by compromising that email account.  For instance, most online sites will send a confirmation email to your associated address if a change is made or to process a password change.  If you can use different email addresses, then having one compromised won’t affect all your other online accounts.

   This is a lot of information, but it is a complex topic (with some simple solutions).  I will write more about my thoughts on passwords and authentication in the future.

   How do you protect your passwords? What password creation tips and tricks can you share? How many of these tips do you use?

(Next time: Online Self Defense - Part 3 - Don't Click!)

No comments:

Post a Comment