In case there are some blank entries in your
laundry list of New Year’s resolutions, we have a few tips for a bit of
cybersecurity ‘soul searching’. Here’s the first batch, looking at how you can
fix your good ol’ passwords.
Many of us entered 2019 with a boatload of
New Year’s resolutions. Doing more exercise, fixing unhealthy eating habits and
saving more money are all highly respectable goals in their own right, but
could it be that they don’t go far enough in an era when countless apps and
sites clamor to help you reach your personal goals, which apparently also
means – you guessed it – reaching your New Year’s resolutions?
Now, you may want to add a few more
weighty and yet fairly effortless habits on top of those well-worn choices.
Here are a handful of tips for ‘exercises’ that will do good for your
cyber-fitness.
I won’t pass up on stubborn passwords
Passwords have a bad rap, and deservedly so:
they suffer from weaknesses, both in terms of security and convenience, that
make them a less-than-ideal method of
authentication. However, much of what the Internet offers is dependent on
your signing up for this or that online service, and the available form of
authentication almost universally happens to be the username/password
combination.
As the keys that open online accounts (not to
speak of many devices), passwords are often rightly thought of as the first –
alas, often the only – line of defense that protects your virtual and real
assets from intruders. However, passwords don’t offer much in the way of
protection unless, in the first place, they’re strong and unique to each device
and account.
But what constitutes a strong password? A
passphrase! Done right, typical passphrases are generally both more
secure and more user-friendly than typical passwords. The longer the passphrase
and the more words it packs the better, with seven words providing for a solid
start. With each extra character (not to mention words), the number of possible
combinations rises exponentially, which makes simple brute-force
password-cracking attacks far less likely to succeed, if not well-nigh
impossible (assuming, of course, that the service in question does not impose
limitations on password input length – something that is, sadly, still far too
common).
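To make the ‘rises exponentially’ claim concrete, here is a small added calculation (not part of the original post) that compares the search space of a random character password with that of a random word passphrase. It assumes a 95-character printable ASCII alphabet and a 7,776-word list of the Diceware kind; the tiny word list embedded below is constructed only so the generator runs offline, and the guess rate is a made-up figure you would replace with a realistic one for your threat model.

```python
import math
import secrets

# Constructed word list: a real generator would draw from a large list such as
# the 7,776-word Diceware list; this short sample only shows the mechanics.
SAMPLE_WORDS = ["copper", "lantern", "meadow", "orbit", "quartz", "velvet",
                "walnut", "ember", "glacier", "harbor", "ivory", "juniper"]

PRINTABLE_ASCII = 95      # characters a standard keyboard can produce
DICEWARE_SIZE = 7776      # 6**5 words in the Diceware list (assumed dictionary size)


def char_password_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy in bits of a uniformly random password of `length` characters."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, dictionary_size=DICEWARE_SIZE):
    """Entropy in bits of `word_count` words chosen uniformly from the dictionary.

    Order matters and words may repeat, so the space is dictionary_size ** word_count.
    """
    return word_count * math.log2(dictionary_size)


def combinations_growth(alphabet_size, from_len, to_len):
    """Factor by which the search space grows when the length goes from from_len to to_len."""
    return alphabet_size ** (to_len - from_len)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time for exhaustive search: on average half the space is tried."""
    return (2 ** bits / 2) / guesses_per_second


def random_passphrase(word_count, words=SAMPLE_WORDS, separator="-"):
    """Pick words with the OS CSPRNG, so the result is never a quote or lyric."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    rate = 1e10  # assumed offline guessing rate, guesses per second (constructed figure)
    for n in (8, 12, 16):
        bits = char_password_bits(n)
        print(f"{n}-char random password: {bits:.1f} bits, "
              f"~{expected_crack_seconds(bits, rate) / 86400:.1e} days to crack")
    for k in (4, 7):
        bits = passphrase_bits(k)
        print(f"{k}-word random passphrase: {bits:.1f} bits, "
              f"~{expected_crack_seconds(bits, rate) / 86400:.1e} days to crack")
    print("one extra character multiplies the space by", combinations_growth(95, 8, 9))
    print("sample:", random_passphrase(7))
```

The numbers hold only for words and characters chosen at random; a passphrase assembled from a famous quote has far less entropy than the formula suggests, which is the point of the next section.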
I’ll have no sympathy for the
passphrase-cracker
Another caveat is that it’s better to refrain
from phrases that have made it into the everyday lexicon. Entire books, famous
quotes, or lyrics – sing, ‘Pleased
to meet you, hope you guess my name’ as a bit of an extreme example that is
not to be taken literally – already tend to be part of the fodder of
password-cracking tools. The individual words should be in random order and,
ideally, sprinkled with special characters and character substitution, all the
while retaining a hidden meaning and memorability for its creator. For practical
guidance about creating your passphrases, you may want to refer to this short video tutorial or to this
article.
Then, of course, there is the need for each
passphrase to be distinct for each account, so that a leak of one of your
passphrases doesn’t reverberate through your other and possibly more valuable
accounts. Alas, the dangerous practice of password
recycling is ubiquitous, and attackers can exploit it hands-down with an
automated technique known as ‘credential
stuffing’.
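Credential stuffing has a recognisable shape on the receiving end: one source replays leaked username/password pairs against many different accounts, rather than hammering one account with many guesses. The following added example (not from the original post) runs that check over a few constructed authentication log lines; the log format and the threshold of five distinct accounts per source are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample of login-audit lines (not real data; documentation IP ranges).
SAMPLE_LOG = """\
2019-01-07T10:00:01Z ip=203.0.113.7 user=alice result=fail
2019-01-07T10:00:02Z ip=203.0.113.7 user=bob result=fail
2019-01-07T10:00:02Z ip=203.0.113.7 user=carol result=fail
2019-01-07T10:00:03Z ip=203.0.113.7 user=dave result=success
2019-01-07T10:00:04Z ip=203.0.113.7 user=erin result=fail
2019-01-07T10:00:05Z ip=203.0.113.7 user=frank result=fail
2019-01-07T10:05:10Z ip=198.51.100.4 user=alice result=fail
2019-01-07T10:05:12Z ip=198.51.100.4 user=alice result=fail
2019-01-07T10:05:15Z ip=198.51.100.4 user=alice result=success
"""

# Assumed log layout: key=value fields; adapt the pattern to your own format.
LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(fail|success)")


def parse_events(log_text):
    """Return a list of (ip, user, result) tuples, skipping lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def find_stuffing_sources(events, min_distinct_users=5):
    """Map ip -> set of users for sources that tried logins against many distinct accounts.

    Brute force looks like many attempts on one account; stuffing looks like one
    source touching many accounts, typically with one attempt each.
    """
    users_by_ip = defaultdict(set)
    for ip, user, _ in events:
        users_by_ip[ip].add(user)
    return {ip: users for ip, users in users_by_ip.items()
            if len(users) >= min_distinct_users}


def compromised_accounts(events, suspicious_ips):
    """Accounts where a flagged source actually succeeded: a reused password paid off."""
    return sorted({user for ip, user, result in events
                   if ip in suspicious_ips and result == "success"})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    sources = find_stuffing_sources(evts)
    for ip, users in sources.items():
        print(f"{ip}: {len(users)} distinct accounts tried")
    print("accounts to force a reset / alert on:", compromised_accounts(evts, sources))
```

The second source in the sample (three tries against one account, the last successful) is not flagged, which is deliberate: it is a different pattern that a per-account lockout or rate limit handles better than this check.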
It’s quite likely that you use too many
online accounts to remember a distinct passphrase for each of them. In which
case, it’s worth considering a reputable password vault/manager that encrypts
your password storage and takes away much of the pain that password management
involves. Of course, such a tool can also generate randomized and complex
passwords and passphrases for you.
While you would then need to remember only
one master password that, ultimately, opens all your online accounts, the
pressure will be on the sturdiness and uniqueness of this one key to your
digital kingdom – so it’s back to the suggestions above.
I won’t skip the second step
Another trouble with passwords/passphrases
may arise when they are not only the first, but actually the only line
of defense for your account security. When that barrier crumbles – commonly
through a phishing attack or by attackers somehow working out your login
details – an extra authentication factor that does not rely on ‘something you
know’ may very well foil your adversaries.
Two-factor
authentication (2FA), or multi-factor authentication (MFA), is an excellent
way of boosting the security of your accounts, especially when coupled with
hardware keys or dedicated apps, and less so with SMS-borne
2FA. Although many online services provide 2FA options, few require
its use. However, the adoption of 2FA has been on the rise and it’s never been
easier to jump on the practice. Regardless of its implementation, signing up
for 2FA wherever you can is well worth
the little extra effort, as it can help in various scenarios, including when
one of your passwords is compromised without you ever falling prey to a cyberattack yourself.
In fact, it’s quite probable that some of
your authentication details will be, or have already been, stolen and posted
online or made available for sale on underground marketplaces. The sources of
these password leaks include the many security breaches that have blighted
online services, retailers, hotel
chains and the like. Additionally, the targeted entity may have protected
the users’ passwords with weak hashing and salting functions, or even stored
the passwords in plain text. Worse still, the service provider, let alone you,
may not know until quite a while later that hackers pilfered the often poorly
secured data or purchased it on the dark web, so you have had no chance to take
any ad-hoc defensive measures. Again, this is also where that extra
authentication factor will usually thwart any account-takeover attempts.
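The difference between ‘weak hashing and salting’ and doing it properly is easy to see in code. The added example below (not from the original post) stores the same password three ways: in plain text, as an unsalted fast hash, and with a per-user random salt through a slow key-derivation function; the iteration count is an assumption to be tuned for the hardware at hand.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for the example; raise it as far as your login latency budget allows.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(password):
    """The worst case: the stored record is the password itself."""
    return password


def hash_unsalted_md5(password):
    """Weak: fast to compute, and identical passwords give identical digests,
    so one precomputed lookup table cracks every user who chose that password."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_salted_pbkdf2(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Per-user random salt plus a slow derivation; returns a self-describing record
    so the parameters can be raised later without breaking old records."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password, record):
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_leaks(hash_fn, password="correct horse"):
    """True if two users who picked the same password end up with identical stored values,
    which is what lets an attacker crack them all at once."""
    return hash_fn(password) == hash_fn(password)


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    print("plaintext:", store_plaintext(pw))
    print("md5, two users, same digest?", same_password_leaks(hash_unsalted_md5))
    print("pbkdf2, two users, same record?", same_password_leaks(hash_salted_pbkdf2))
    rec = hash_salted_pbkdf2(pw)
    print("stored:", rec)
    print("verify correct:", verify_pbkdf2(pw, rec), "verify wrong:", verify_pbkdf2("tr0ub4dor", rec))
```

Note that a salt does nothing to slow down guessing of one user’s password; that is the job of the iteration count (or of a memory-hard function such as scrypt or Argon2). The salt’s job is to make every user a separate cracking job.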
In fact, go ahead and see for yourself on Have I Been Pwned? whether any of your
online accounts may have been part of a known breach. Aside from the almost 5.7
billion compromised accounts that the site indexes, it also has a cache of more
than half a billion publicly leaked
or stolen passwords in clear text that have been revealed in past breaches,
so you can check yours against the database, too.
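The password check works without sending your password anywhere: the site’s Pwned Passwords ‘range’ API receives only the first five hex characters of the password’s SHA-1 hash and returns every known hash suffix under that prefix, so the match is made locally. The added example below (not the site’s own code) implements that k-anonymity exchange; the range response is a constructed stand-in with made-up counts so the check runs offline, and `fetch_range` performs the live lookup only when you call it.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API; a live call sends only the 5-char prefix.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password):
    """The API keys on the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest().upper()


def split_hash(digest):
    """k-anonymity split: only the prefix leaves your machine; the suffix stays local."""
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Parse the 'SUFFIX:COUNT' lines returned for a prefix; 0 if our suffix is absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup over the network (not exercised by the offline demo)."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "passphrase-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def pwned_count(password, lookup=fetch_range):
    """Number of times the password appeared in known breaches, per the range `lookup`."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return count_in_range(suffix, lookup(prefix))


# Constructed stand-in for the response to prefix 5BAA6: a few lines, made-up counts.
# The first suffix completes the real SHA-1 of the string "password".
CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1D2C1A8BB2F4A7E9B3C0D1E2F3A4B5C6D7E:2
"""


def offline_lookup(prefix):
    """Serve the constructed body only for the prefix it was built for."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "copper-lantern-meadow-orbit"):
        n = pwned_count(pw, lookup=offline_lookup)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in the constructed range")
```

A password that comes back with a non-zero count should be treated as public knowledge and replaced, however strong it looks; a count of zero means only that it has not turned up in the indexed breaches, not that it is strong.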
I’ll use fewer passwords
Surely a mistake, right? Well, it may sound
counterintuitive, but fixing your passwords may also imply needing fewer of
them in the first place. More precisely, it means cutting ties with the
services you no longer use, so that you needn’t ‘look after’ your accounts with
them. We have all set up accounts that we no longer use. Indeed, we may have
racked up quite a few of them over the years, including some we barely
remember. However, the adage ‘the internet never forgets’ fits here too, and
forgetting is something you shouldn’t do, either.
The trouble with unused accounts is that each
of them – even if only a vestige of your much younger self – is a potential
source of danger. The service may suffer a breach exposing your password or may
be sold to new owners whose intentions might not exactly be honest. Or, if
miscreants take over your account, they might be able to use it to break into
one of your highly valued accounts, be it by gathering private information
about you, or through your failing to use a unique password for each account.
Or they can just as well use it to spew out spam.
But what doesn’t exist can’t be taken over,
can it? Feel no remorse: just dispatch those accounts to a better place and
never look back. There are even services that promise to scale back your online
footprint in bulk; that is, without you having to recall or comb through and
then manually shut down each inactive account. Using a service just to help
kill online accounts may not be for everybody, however, as essentially you need
to take the developers of such tools at their word.
While you’re cutting the clutter, consider
severing ties also with third-party apps and services that are associated with
your accounts on social and other major sites, especially the apps that you no
longer use. These apps, too, can be misused as other entry points for illicit
data collection or even worse. To pull the plug on their access to your account
and data, navigate to the privacy and/or security settings of your online
service(s) of choice; from there, it usually takes only a click or two.
Next up
Staying safe online isn’t going to become any
easier this year, and we’ll be back in a few days with more tips for beefing up
your personal security. Next time, we’ll focus mainly on a couple of easy ways
to boost the security of your wireless network.