Yahoo recently announced that details about nearly 500 million of its user accounts had been stolen. Similar breach announcements involving tens or hundreds of millions of user accounts are a near-daily occurrence, and there are no signs that things are getting any better. The breaches that you hear about in the news are just the tip of the iceberg. Oftentimes, companies are hacked and never realize it, let alone take action to notify their users. These sorts of cyberattacks aren’t going away, so it’s up to us to take every possible precaution to protect our own accounts and data.
During a typical day, most people interact with a tremendous number of usernames, passwords, and accounts. Your computers at home and at work should each have a login and password. Your personal email account has another password. Your work email account has yet another. Add to that list the accounts for your bank, credit cards, 401(k), and doctor’s office or health plan provider. Then there’s Facebook and LinkedIn. Many of us have an Amazon account and a Netflix account. On top of that, you should have a passcode or PIN for your smartphone. We haven’t even scratched the surface, and we’re already at a minimum of 12 separate accounts. Because our brains can handle only a finite number of difficult-to-remember passwords, most people reuse passwords in multiple places.
So what should you do to protect yourself or, at least, decrease your exposure to threats? Here are four rules to follow to limit the impact of a potential breach:
1. Never Reuse Your Passwords
The single-most-important rule of thumb is to never reuse your passwords. Eric Smith, FireOak Strategies’ chief technologist, explains:
Where people really put themselves at risk is by reusing passwords. Not all websites or companies offer the same level of protection. Financial sites—online banking, credit cards, or even your 401K—tend to have very strong security. Other sites—say, a cooking site with a recipe-of-the-week service—have vastly different security needs and will configure and run their systems accordingly. When you create your recipe site account and use the same password that you’ve used for your online banking, you are, for all practical purposes, trusting the recipe site to keep your online banking account safe. That’s not an approach that I would recommend.
2. Length Matters
There’s no question that longer passwords are safer. Smith explains:
Hackers’ tools are exceptionally sophisticated. Passwords based on common words or phrases—such as “R3dSox2016”—are embarrassingly easy to crack and offer no real protection. When users set entirely random passwords such as “dk29#1_8,” an attacker has no choice but to simply try every possible combination of letters, numbers, and symbols until they get it right. Given ample computing power, however, even a completely random eight-character password will only stand up against a modest attack for a few hours at best. Making the password longer helps tremendously; doubling the length from 8 to 16 characters results in a password that is nearly impossible to crack through brute-force methods. The problem, of course, is that very few of us can easily remember a random 16-character password.
In order to create long passwords our brains can remember, Smith suggests using full sentences. For instance, instead of using your pet’s name, use “My cat’s name is Fluffy.” “Fluffy” is a six-character password; “My cat’s name is Fluffy.” is a 24-character password, including spaces and punctuation. The second is nearly impossible to crack and easy to remember, and it provides excellent protection for your account.
3. Use a Password Manager
Even with longer, easy-to-remember passwords, it is still unrealistic that most of us could remember which sentence or concept is tied to which account. That’s where a password manager comes into play.
A password manager is a software tool you can use to store your passwords in an encrypted way, making it unnecessary to rely on your memory to store them for you. Instead of keeping passwords on a highly insecure spreadsheet or on Post-it notes around your desk, password managers store your login credentials. The best password managers use strong encryption to protect your data and are designed in such a way that nobody—not even employees of the password management company—can access your data.
Good password managers also promote good password hygiene by encouraging and simplifying the use of long passwords. Some also offer the ability to securely share passwords with other users. LastPass and KeePass consistently top the list of reviews. Both are effective systems, have been independently reviewed, and consistently adopt the current best practices in information security.
4. Use Multifactor Authentication
In today’s hostile environment, multifactor authentication (MFA) is the finishing touch that provides an additional and necessary level of security beyond the traditional username and password. Even if users follow the best password hygiene methods, passwords can still leak out. For example, a malware-infected computer in a hotel’s business center may be surreptitiously capturing usernames and passwords as they are typed onto keyboards.
The only protection against this sort of attack is MFA. It complements a password—something you know—with another factor. Examples include something you have in your possession, such as a smartphone or keychain token, or something physically connected to you, such as the biometric measurement of a fingerprint.
One of the most common methods of MFA in use today is text messaging. A one-time code is sent to your phone, which must be typed in along with your username and password in order to log in to a protected system. Text-message-based MFA is commonly used by financial institutions as well as by work-related systems such as Salesforce and Office 365. Facebook offers this type of MFA as well.
Google offers its own authentication tool, Google Authenticator, which is based on an open standard. This allows it to be used in connection with many popular services such as WordPress, Dropbox, and Evernote, as well as Google’s own suite of services. LastPass offers its own alternative. In both of these instances, users run an app on their mobile phone or tablet that provides a unique, time-based, six-digit code for each connected service; the code changes every 60 seconds. Instead of receiving a text message with a code, users launch the authenticator app and type in the number shown along with their username and password in order to log in. These authenticator codes—whether they come from a text message or an authenticator app—work only once. Even if an attacker were able to observe your login and capture your username, password, and authenticator code, your accounts are still safe.
Many enterprise-grade options are available for organizations that are looking to apply increased security to enterprise systems; Google Authenticator and LastPass Authenticator are both available as a free download for individuals or organizations.
While adopting unique and lengthy passwords, using a password manager, and enabling MFA may seem cumbersome at first, most people indicate that it takes only a few days to adjust to the added steps—and these steps provide tremendous additional protection.
Quiz: Which of these two passwords is stronger?
Password #1: dk29#1_8
Password #2: My cat’s name is Mittens

While the first password looks stronger, the types of modern systems used by security researchers can crack a short password in just a few minutes. The second password is simpler for humans to remember (you’ve already memorized it!) and is much harder for computers to guess. The same system that cracked Password #1 in a few minutes would have to work for billions of years to crack Password #2.
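The brute-force arithmetic behind the Length Matters section and this quiz, as an added example that is not part of the article: the estimate counts the characters an attacker must try per position, raises that to the password length, and divides by a guess rate. The rate of 10^11 guesses per second is an assumption for a fast, unsalted hash on GPU hardware; the model is an upper bound for genuinely random strings, so a word-based password such as "R3dSox2016" is far weaker than its number suggests because attackers try word lists before exhaustive search.

```python
import math
import string

# Assumed attacker speed (constructed for this example): a GPU rig against an unsalted fast hash.
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes; once a password is known to use a class, every member is a candidate.
CHARACTER_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),  # 32 ASCII symbols plus the space
)


def alphabet_size(password: str) -> int:
    """Candidate characters per position, based on the classes the password actually uses."""
    return sum(size for chars, size in CHARACTER_CLASSES if any(c in chars for c in password))


def keyspace_size(password: str) -> int:
    """Guesses needed to exhaust every string of this length over this alphabet."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Equivalent key strength in bits, assuming a uniformly random choice from the keyspace."""
    return math.log2(keyspace_size(password))


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time for an attacker at `rate` guesses/second to try the whole keyspace."""
    return keyspace_size(password) / rate / SECONDS_PER_YEAR


def stronger(a: str, b: str) -> str:
    """Whichever password has the larger random-search space (the quiz's comparison)."""
    return a if keyspace_size(a) >= keyspace_size(b) else b


if __name__ == "__main__":
    for pw in ("dk29#1_8", "My cat's name is Fluffy.", "My cat's name is Mittens"):
        print(f"{pw!r}: {len(pw)} chars, alphabet {alphabet_size(pw)}, "
              f"{entropy_bits(pw):.1f} bits, ~{years_to_exhaust(pw):.3g} years to exhaust")
```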