Personal Online Security Series


Part One: Password Hygiene


You don't have to have an impenetrable fortress to protect your digital assets; you just need to be more difficult to hack than your neighbor.

While that sounds pretty cutthroat, there is truth to it: making your personal online presence and digital assets difficult to hack is an excellent defense. Hackers go after the least protected accounts first. If your accounts are hard to break into, attackers looking for easy targets are more likely to move on to someone else.

Camber has cybersecurity experts and we work with other security firms as part of our practice assisting companies with their security needs.  We thought it would be helpful to share relevant information that you can use to protect your and your family’s digital assets from the never-ending threat of having your information, money and privacy stolen. 

Personal online security series part 1:  Password hygiene and online password managers 

It’s no revelation that passwords are critical to your online security, but sloppy password management puts you at higher risk.

We all know that strong passwords are important, but without a strategy that you actually implement and maintain, your passwords are a weakness. For most of us, an Excel spreadsheet or something similar becomes the tracking tool, which is neither secure nor capable of enforcing good password hygiene. Specialized online password tools go well beyond the basic password tracking built into most operating systems.

With a strong password strategy and the tools to implement it, your passwords become formidable barriers rather than feeble speedbumps for hackers. Follow the password fundamentals below and consider using a password manager tool, and you’ll dramatically lower your overall risk with minimal cost and effort:

Password fundamentals 

  • Choose strong passwords: Is your standard password (PW) something easy to remember that you've used for years, something like "GoHawks!"? And worse yet, do you use it for multiple accounts? Experts agree that a PW of at least 16 random characters, mixing letters, numbers and special characters, makes cracking your password programmatically extremely difficult. Check out this site to see how long it would take to break your password with a hacker's brute-force program: it takes 3 minutes to brute-force crack an 8-character password, and 1 trillion years to brute-force crack a 16-character password. Tools make these passwords easy to generate and track so you don’t have to remember them; see Password manager below.

  • Use exclusive passwords: Use a different 16-character alphanumeric/special-character password for every account. If a hacker does somehow get one of your passwords, they will not be able to guess your PW for your other accounts.

  • Change your passwords periodically: Since many of us have more than 200 accounts with passwords, this is not the easiest to implement, but it is worth changing the passwords on your key accounts periodically, e.g. your bank accounts. A PW manager makes this much easier (see the next section): many PW managers have reminders that prompt you to change your passwords for the accounts and at the interval that you specify.

  • Two passcodes are better than one: Many websites and tools require not only a password but a second verification step, such as a code sent as a text message to your phone, which you must then enter to access the website or app. This requires that you have not only the password but also the phone with the phone number that you used when you set up the account. This can also be handled through an authenticator app rather than through text messages. See an upcoming article in our series for more info.

Password manager

Use an online password manager tool to track your randomly generated 16-character passwords across all your devices. While not new, these tools are underutilized and offer a lot more functionality than the basic PW tracking that comes with many operating systems, such as Apple Keychain, which is limited to its own platform. Using sophisticated encryption, online PW managers such as Dashlane, Keeper, RoboForm, etc. automatically record your PWs as you enter them into new sites and automatically recall them when you return to the site. These tools sync across all operating systems, regardless of what device you're using.

In addition to tracking and recalling your passwords, online PW managers often offer a random PW generator to use in establishing strong passwords for new sites or when changing your passwords, audit tools to assess your overall password security, and the ability to safely track non-internet passwords and information.  For example, in addition to internet passwords, many PW managers can track application passwords, your children's social security numbers, safe passcodes, etc.   

Using these tools, you don't have to remember lengthy, non-sensical passwords for every site, as the tool will automatically record and then populate user IDs and passwords when you return to websites.  This makes using the recommended unique 16-character passwords for every site feasible.  Password manager tools range from free for limited functionality to $5 per month for a full suite of password management functionality, a fantastic deal when you consider the cost of a breach of your bank accounts, etc. 

Another benefit of most password manager tools is a secure way for your estate executor to access your passwords. Most PW managers allow you to designate who has access to your passwords should something happen to you. When needed, your executor requests access, and if you don’t reject the request within a period of time that you designate, e.g. 24 hours, they are granted access. As you will likely have been using the PW manager on a day-to-day basis, they will have a very current list of your passwords, making it much easier on them.

PW manager security architecture: The obvious concern with a PW manager is "this is great functionality, but what if my online password manager gets hacked?" This is of course a risk, but imagine what a password security firm would lose if it were hacked, and the lengths to which it goes to secure its customers' information. Their business would fail if their security failed. The investment that they make in their security architecture is on an entirely different level than the Excel spreadsheet that you and I might otherwise use. Well-designed password managers use NSA-designed hash functions (e.g. PBKDF2 with SHA-256 for deriving the vault key from your master password) and two-factor authentication (2FA), and some offer built-in VPN capabilities. See future articles in our series on staying safe online on how to use 2FA and VPN.
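To make the key-derivation point concrete, here is an added example (not code from the article or from any of the password managers it names) showing how a vault key is stretched from a master password with PBKDF2-HMAC-SHA256 and how a service can verify a login without storing the master password or the vault key. The iteration count, salt length and the "verifier" construction are assumptions chosen for illustration; the vault's own encryption (AES) is outside the standard library and not shown.

```python
import hashlib
import hmac
import os

# Assumed parameters (illustrative, not any vendor's real settings).
ITERATIONS = 600_000   # PBKDF2 work factor: higher makes each guess costlier for an attacker
KEY_LEN = 32           # 256-bit vault key
SALT_LEN = 16          # per-user random salt, so equal master passwords give different keys


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into the key that encrypts the vault (client side)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS, KEY_LEN
    )


def make_login_verifier(vault_key: bytes, salt: bytes) -> bytes:
    """Derive a separate value the server may store to check logins.

    It is one more PBKDF2 round over the vault key, so the stored value reveals
    neither the master password nor the vault key itself.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key, salt, 1, KEY_LEN)


def enrol(master_password: str) -> dict:
    """Create the record a server would keep: salt and verifier only."""
    salt = os.urandom(SALT_LEN)
    vault_key = derive_vault_key(master_password, salt)
    return {"salt": salt, "verifier": make_login_verifier(vault_key, salt)}


def check_login(record: dict, attempt: str) -> bool:
    """Recompute the verifier from the attempt and compare in constant time."""
    vault_key = derive_vault_key(attempt, record["salt"])
    candidate = make_login_verifier(vault_key, record["salt"])
    return hmac.compare_digest(candidate, record["verifier"])


if __name__ == "__main__":
    rec = enrol("correct horse battery staple")     # constructed sample master password
    print("stored record fields:", sorted(rec))     # no password, no vault key
    print("correct login:", check_login(rec, "correct horse battery staple"))
    print("wrong login:", check_login(rec, "Correct horse battery staple"))
```

Because every guess at the master password costs the attacker the full 600,000 iterations, a stolen record slows an offline attack by the same factor that it slows a legitimate login.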

You are in fact trusting another technology to protect your security, but you are trusting an expert with sophisticated security expertise, with a lot to lose if they fail. 

Example scenario using PW manager: 

As an example, let’s look at how “Joe” goes about implementing his new password strategy and password manager: 

Joe wants to improve his password security and purchases an online password manager license for $4 per month. He implements his new strategy over time: as he accesses his accounts in the normal course of his day, he changes the passwords from his dog’s name to different randomly generated 16-character alphanumeric/special-character passwords.

His first password change is his bank account:  

  • He accesses his bank’s site on his computer and clicks the link to update his password.   

  • He accesses his password manager on his computer, clicks “Generate random password,” and is given a password of “09abT&*q>zCB(1k%,” which he copies to his clipboard.

  • He pastes the password into both the “New password” and the “Re-enter your password” boxes and saves.

  • The next time Joe logs on to his bank account, his password manager asks whether he wants to use the saved user ID and PW that it recorded. He indicates that he does, and the tool fills in his information.

  • Not only does Joe not have to remember his password, he may not even see the password ever again unless he wants to.   

After a month of accessing his accounts and updating passwords, Joe decides to see how he’s doing on his strategy. He uses the tool to audit all the accounts it has tracked so far. On many sites he didn’t have time to change the password and kept using his old one, and he sees that there are still many passwords that need to be changed. His overall score is “Fair,” so he decides to change a few more passwords now and the rest as he uses the sites. His score improves to “Good.”

After a year of updating his passwords as he accesses his online accounts, he sees that the tool has tracked 200 accounts and that his overall score is now “Excellent.” He notes that a few accounts still use either duplicate passwords or his favorite old password, but he feels they’re low risk, so he decides to wait until he uses those sites again to update them rather than updating now.
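The brute-force estimate in Password fundamentals and the audit Joe runs above can both be shown in a small script. This is an added example, not code from the article or from any password manager it names: the guess rate, the scoring thresholds and the sample vault (including the dog's-name password) are constructed assumptions, and the "years to crack" figure is a worst-case enumeration of the whole keyspace, not the article's specific 3-minute and 1-trillion-year numbers.

```python
from collections import Counter

# Assumed attacker speed for an offline brute-force attack (constructed figure).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must try, based on the classes the password uses."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation/symbols
    return size


def brute_force_years(pw: str) -> float:
    """Worst-case years to enumerate every password of this length and alphabet."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def audit(vault: dict) -> dict:
    """Flag reused, short and crackable passwords and score the vault like Joe's manager."""
    counts = Counter(vault.values())
    findings = {}
    for site, pw in vault.items():
        issues = []
        if counts[pw] > 1:
            issues.append("reused")
        if len(pw) < 16:
            issues.append("short")
        if brute_force_years(pw) < 1:
            issues.append("crackable")
        if issues:
            findings[site] = issues
    healthy = (len(vault) - len(findings)) / len(vault) if vault else 0.0
    score = "Excellent" if healthy >= 0.9 else "Good" if healthy >= 0.6 else "Fair"
    return {"score": score, "findings": findings}


# Constructed sample vault after Joe's first month: two updated, three still old.
SAMPLE_VAULT = {
    "bank": "09abT&*q>zCB(1k%",
    "utility": "Rx7#pLm2@vQ9!sWz",
    "library": "GoHawks!",
    "email": "GoHawks!",
    "shopping": "Rover2015",
}
```

Run `audit(SAMPLE_VAULT)` to see the “Fair” score and the per-site reasons; replacing the three flagged entries with unique 16-character passwords moves the score to “Excellent.”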

Joe feels good about his password hygiene. It’s unlikely that a hacker will be able to guess his 16-character passwords. Should a hacker somehow find one of the passwords, for example if his local library is hacked and the hacker obtains his password, the hacker will only have access to the library account. The hacker can’t try Joe’s library password at the top-10 banks to get into Joe’s bank accounts. Joe may end up with a few library late fees he wasn’t expecting…but Joe feels much safer.

Conclusion: Password hygiene is one of the easiest ways to minimize your security risk. Implement a strategy of unique 16-character passwords for all your accounts. Using a password tool to track your passwords gives you more security and makes managing your passwords more efficient. Stay tuned for more ideas in our series on how you can stay safe online.

Copyrighted, all rights reserved.
