If you do nothing else in 2020, resolve to clean up the mess that is your online security. Your financial health could depend on it! We give you some simple steps to level up your password and account security.
A good friend e-mailed me recently with the subject line “security stuff.” I knew what was coming: questions about how to secure online accounts, what to do about passwords, concerns about identity theft.
“Security stuff” emails are a pretty common occurrence if you work in the information security field or – like me – merely write about it. The simple fact is that there’s a massive information asymmetry in information (aka “cyber”) security. Hundreds of millions of people are dangerously exposed to cyber risks; the number of people who are knowledgeable about the subject, on the other hand, numbers in the hundreds of thousands – or the low millions, at best – in the United States. If you’re one of those lucky few, you find yourself giving out a lot of advice.
So, with the New Year almost upon us, I’m urging all my readers to resolve to tackle the mess that is their online security in the New Year, and providing some pointers to get them started on the journey.
Think like a Corporation: focus on Risk
The types of security investments you need to make as an individual are obviously very different from the far-reaching investments your typical, 21st century corporation needs to make. Your (or your family’s) IT “environment” is far simpler: a collection of laptops, mobile phones and smart appliances on a relatively simple home network. But being small isn’t the same as being invisible. And it is too easy for people – just like corporations – to get lost in the thicket while trying to address cyber risk: giving up in despair, or overlooking mundane stuff that’s easy to address.
That’s why my first piece of advice to people is to do what corporations do to cut through the thicket: focus on risk. Taking a so-called “risk based approach” to your online security means asking yourself what information and assets are the most valuable to you and that you want to protect. The firm UpGuard has a good overview of what kinds of questions typically animate cyber risk assessments here, but a risk assessment should include:
- Your personal, non-public information and that of your loved ones, including Social Security or other national ID numbers, dates of birth, health information, family photos and video, etc.
- Sensitive financial information like bank and credit card numbers, loan numbers (including mortgages) and health insurance IDs.
- Sensitive accounts including e-mail, chat and social media accounts that can be used to impersonate you online and that hold personal information, online banking, brokerage and e-commerce accounts.
- Sensitive IT assets including laptop and desktop computers containing sensitive information, mobile phones, your home broadband router or gateway and connected home devices like webcams, smart television sets, DVRs and game systems and even home printers.
Make a list of the data you need to protect and where (to the best of your knowledge) it resides, including cloud services like iCloud, Google Drive, Dropbox, Amazon, etc. Consider not just current data but archived or old data too, which might be stored on decommissioned laptops and desktop towers in your basement, on CDs and backup drives in your office – you name it.
What information matters? Really, any data (and any account holding data) that represents you. Consider accounts in which someone receiving a message from the account would think it is coming from you personally. Think of which accounts you have that are used to send and receive important information: bank statements, appointment reminders, password reset messages for accounts, etc.
The rule of thumb is: if the site holds sensitive information or can be used to move money and stocks or impersonate you, lock it down. I know this is a lot to start with. But – again – you’re just in the “thinking about your risk” phase now, and it is critical to have a big picture of where your online risks are concentrated.
Have I been pwned? Good question!
One good way to gauge your risk is to determine if any of your data has been leaked online by cyber criminals – or simply by inept custodians.
If you want to know if your data has been exposed, check out Troy Hunt’s website: haveibeenpwned.com. Just type in your email address(es) in the box provided. If your email has been caught up in a data breach, you’re at risk. If, additionally, you tend to hang on to or re-use passwords, you’re at high risk of being victimized. The same site also lets you check whether a specific password has appeared in a breach (its Pwned Passwords service), and it does so without ever sending your full password or even its full hash to the server.
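How that password check works is worth seeing, because it is the same trick you should expect from any tool that claims to check your passwords “safely.” Pwned Passwords uses k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, and gets back every known hash suffix that shares that prefix together with a breach count. The match is made locally. The following is an added example written for this post, not code from Troy Hunt or the site; the sample API response embedded in it is constructed (the suffix for the word “password” is real, the count and the other two suffixes are made up) so that it runs offline.

```python
import hashlib
import urllib.request

# Constructed stand-in for the body the range endpoint returns for the
# 5-character prefix "5BAA6". Real responses contain hundreds of lines of
# "<35-hex-char suffix>:<count>". The first suffix is the real SHA-1 remainder
# for "password"; the count and the other two lines are made up for this example.
SAMPLE_RANGE_RESPONSE = (
    "0123456789ABCDEF0123456789ABCDEF012:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "FEDCBA9876543210FEDCBA9876543210FED:1\r\n"
)

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent over the wire and the 35-char suffix that never leaves the
    machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines into a lookup table."""
    table: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def fetch_range(prefix: str) -> str:
    """Network call: only the 5-char prefix is disclosed to the service.
    (Not exercised offline; swap in a fake fetcher for tests.)"""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in known breaches (0 if
    none). The comparison happens locally against the returned suffixes."""
    prefix, suffix = sha1_prefix_suffix(password)
    table = parse_range_response(fetch(prefix))
    return table.get(suffix, 0)


if __name__ == "__main__":
    # Offline demo against the constructed response above.
    for candidate in ("password", "a-long-unique-phrase-nobody-else-uses"):
        n = breach_count(candidate, fetch=lambda _prefix: SAMPLE_RANGE_RESPONSE)
        verdict = f"seen {n} times" if n else "not in this range"
        print(f"{candidate!r}: {verdict}")
```

The point to take away: a well-designed checker never needs your password. If a site or browser extension asks you to paste a password into a form to “check” it, that is a reason to walk away.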
Allow me to put in a plug to listen to my interview with Troy on The Security Ledger podcast! 😉
Next, tackle your Password Problem
OK – having done the important up-front work of assessing your risk exposure, the next step is to focus some energy and attention on those areas where you will get the “biggest bang for your buck,” where the “bang” is risk reduction and the “buck” is the time and money invested.
Almost without a doubt, that will come from tackling account security and the mess of weak, repetitive passwords you’re using to secure all your online accounts. Here’s the deal: account and password security is a big #&%*@! deal because:
- Assume every website you use has been breached at some point – whether the owners of that site know it, or not.
- Hackers don’t typically hoard the data they steal. User names (aka “email addresses”) and passwords are typically dumped on the black market (literally: they’re called “dumps”) and offered for sale – or even for free.
- This practice gives a huge, global population of both high- and low-skill hackers easy and cheap access to account credentials.
- People (like you) generally re-use passwords, so the email and password that work on Amazon.com also work at Target.com and BestBuy.com and your online bank…and your insurer’s website, etc. etc.
This underlying activity is at the root of pretty much every hack you read about – “sophisticated” or not. Credential stuffing is behind the mini-epidemic of Ring Smart Doorbell hacks that is currently making headlines. It is also why accounts for Disney’s new Disney Plus streaming service could be hacked within hours of the new services coming online.
Often, hackers will just try username and password combos from websites or applications they have hacked on sites and applications they haven’t. That replay of leaked credentials is “credential stuffing”; it is a cousin of the “brute force” attack, which instead guesses many passwords against one account, and it is far more efficient because most of the guesses are real passwords that real people chose. True, most companies these days don’t store user account passwords as plaintext. But even if the stolen passwords are scrambled (or “hashed”), attackers crack them offline: if the site used a fast, unsalted hash like MD5 or SHA-1, precomputed “rainbow tables” and dictionary attacks on cheap GPUs turn the hashes back into the original passwords in short order, and short or common passwords fall first. Only long, random passwords protected by a slow, salted hash survive that process for long – and you don’t get to choose how the site stores them. In short: it’s a hot mess.
Three words: Strong. Unique. Passwords.
That’s why step one of your password makeover is to install strong (15+ characters, mixing letters, numbers and special characters) and unique passwords for every website and/or web application you use. Don’t waste your time trying to think up these passwords yourself. Use a free password generator like this one from LastPass, this one from Norton, or this one from Random.org, which lets you set the length and complexity of the password and then spits out the unique values. Figure out how long and complex your password can be for each site, and make it as long and strong as possible.
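If you want to understand what those generators are doing (or roll your own), the two things that matter are the randomness source and the size of the search space. Below is an added example written for this post, not code from LastPass, Norton or Random.org. It uses Python’s `secrets` module (a cryptographic random source, unlike `random`) to produce either a character password or a word-based passphrase, and reports the entropy in bits, which is `length × log2(alphabet size)`. The tiny word list inside it is constructed for illustration; for real use you would load a published list such as the EFF’s 7,776-word diceware list.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
FULL_ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed toy word list so the example runs offline. Real passphrases
# should draw from a large published list (e.g. the EFF long list, 7,776 words).
WORDLIST = [
    "anchor", "basket", "cobalt", "dragon", "ember", "falcon", "granite",
    "harbor", "island", "jigsaw", "kettle", "lantern", "marble", "nectar",
    "orbit", "pepper", "quartz", "river", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly at random from
    `alphabet_size` possibilities. Each extra character adds log2(size) bits."""
    return length * math.log2(alphabet_size)


def meets_policy(password: str, min_length: int = 15) -> bool:
    """The kind of check most sites run: long enough and mixes all four
    character classes (lower, upper, digit, symbol)."""
    return (
        len(password) >= min_length
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in SYMBOLS for c in password)
    )


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Uniformly random characters from `alphabet`. Rejection-sample until the
    result would pass a typical site policy so it is never rejected on paste."""
    if length < 4:
        raise ValueError("length must be at least 4 to satisfy the policy")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, min_length=min(length, 15)):
            return candidate


def generate_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase: each word is one uniformly random pick."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"~{entropy_bits(20, len(FULL_ALPHABET)):.0f} bits")
    pp = generate_passphrase(6)
    print(pp, f"~{entropy_bits(6, len(WORDLIST)):.0f} bits (toy list)",
          f"vs ~{entropy_bits(6, 7776):.0f} bits with a 7,776-word list")
```

Two lessons fall out of the numbers: a 20-character random password from an 85-character alphabet is roughly 128 bits, far beyond anything a cracker can enumerate, and a six-word passphrase from a real 7,776-word list is about 78 bits and still comfortably strong, while being something you can actually type into a TV. Save the typed-in passphrase style for the handful of passwords you must remember (your password manager’s master passphrase above all) and let the generator produce everything else.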
You probably want a Password Manager
Of course, it is very difficult (though not impossible) for humans to manage scores of long, unique values just using our minds. That’s why you will want to use a password manager.
There are lots of these on the market. I have used LastPass for many years (and not because LastPass is a Security Ledger sponsor). Like LastPass, Dashlane, Keeper and Zoho Vault are cloud-based password managers. If you don’t trust the cloud or don’t want to store passwords there, choose a manager that can keep its vault on your own devices: 1Password (using a standalone vault rather than its hosted service) and the open-source KeePass are examples. Whatever you pick, check where the product actually stores and syncs your vault before you rely on it.
Note that you can store other useful info that you have lying around your hard drive in the password manager (which is really a “sensitive information manager”). This might include software license keys, recovery codes, padlock combinations, even bank/ACH info – they can store lots of different types of information. Most password managers also have password generator features to create strong passwords to replace weak ones or when you need to rotate in new passwords for accounts.
Now use your Password Manager
Once you’ve installed one of those applications, you should really use it. That sounds obvious, but lots of people like the idea of using a password manager but never develop the habit. You need to develop the habit. Start by:
- Creating a strong passphrase for your password manager account. This is the one password you’ll have to remember, so you need it to be long, strong and memorable – at least for you.
- Adding your important accounts, including user names and passwords, to your password manager. This is where your up-front work identifying important web sites and applications will save you time. If you worry that you’re missing something, use your web history and your inbox to remind yourself of what sites you frequent and what sites and applications you have accounts with.
- Swapping out your old, weak and re-used passwords with unique, strong passwords. Applications like LastPass have audit features that can actually do this for you automatically, or at least identify passwords that have been compromised, are weak or are re-used between sites. Again: every website has its own requirements for how strong a password it will accept. Make yours as strong as the site will let you make it. You won’t have to remember any of these, the password manager will do that, so go LARGE.
- Not wimping out. Password managers mark a change in your day-to-day. They’re an extra step you will need to take to access accounts. Don’t be lazy. Commit to them and the security they bring.
Use Multiple Factors Everywhere
OK, so all your important applications and websites are set up with strong, unique passwords. And those passwords are stored in your password manager for safe keeping. Further, you’ve created a strong passphrase for the password manager account which makes it pretty secure.
Now go the extra step for the accounts that really matter: enabling two factor authentication for the password manager and any other high value account that permits two factor authentication. This would include social media accounts like Facebook/Instagram, LinkedIn and Twitter, online banking and e-commerce sites like Amazon.com, brokerage accounts and so on.
Two factor authentication adds a “second factor” or one time password to the process of authentication. These one time passwords can be SMS text messages to your phone – a popular approach that is becoming less reliable because of so-called SIM Swapping attacks. (Check out my podcast interview with Allison Nixon, the head of research at Flashpoint, about SIM Swapping.)
Better still: use a mobile application like Google Authenticator or LastPass Authenticator, which generate the one-time codes on your phone from a shared secret and so are not undone by SIM swapping, or a hardware token like Yubico’s YubiKey, which is the strongest option because a code (or signature) tied to a key in your hand can’t be intercepted by a phishing site. A note on biometrics: Apple’s Touch ID and Face ID are excellent for unlocking your phone and your password manager, but on their own they unlock a credential stored on the device rather than acting as a second factor for a remote account, so don’t count them as 2FA for your bank or email.
At the end of all this, you should have a strong, unique password for every site you use. Now if a hacker gets hold of your username (aka your email) and password, they have access to exactly one website, not all your websites. Also: you’ve protected your password store with multiple layers of security.
Back it up
You’re almost there. The final steps are to make sure to back up your account and password data and to make sure you have a decent system and process for regularly backing up your critical data and systems.
Password Lists are not Evil
Having a document with your account user names and passwords is not only not a bad thing, it’s advisable. After all, applications crash and get corrupted. Web services suffer hacks and denial of service attacks. You need access to your important accounts, regardless. So go ahead and export your passwords from your password manager and print them out, then delete the exported file from your hard drive immediately (and empty the trash), since that unencrypted export is the most sensitive file you will ever create.
Store the hard copy document in a secure location like a fireproof safe, a safety deposit box or something like that. Do this periodically as passwords change and shred the old printout. You won’t regret having this in case of an emergency.
Back up your data
Just as important as securing access to your data and accounts is making secure copies of any sensitive data. If you’re an Apple Mac user, the Time Machine application comes with macOS and works well. For Windows and other systems there is a wide range of options for doing regular backups of your data to a USB drive, network attached storage (NAS) device or cloud based repository. Two habits matter more than the tool you pick: keep at least one copy disconnected from your computer and network when it isn’t actively backing up, so ransomware that encrypts your files can’t reach it, and actually try restoring a file now and then so you know the backup works before you need it.
Get your Digital Affairs in order
As frightening as they are, problems like hacks, ransomware and identity theft aren’t the worst things that can happen to you – not even close. That’s why – even as you lock down your personal life online – you need to make arrangements for your digital legacy. At the very least, let trusted friends, family and/or loved ones know where your passwords and other security keys are stored, and delegate emergency access to important financial and social media accounts to them (many password managers have an emergency-access feature built for exactly this) should you die or suddenly become incapacitated, so that your “digital legacy” is in order.
This is a long post, I know. But cyber threats are real -and preventable. With a modest investment of time and money you can do a lot to reduce the risk of a “bad day” online. Here’s wishing you a happy, healthy and secure 2020!