I spent way too much of a recent Saturday morning at the local department of motor vehicles. My plates were expiring and I had forgotten to take advantage of online registration.
So there I found myself at 10 a.m. waiting in line. To be fair, it was the “express” line, designated for registration renewals only. My experience, however, was less than express, thanks to the patron two spots ahead of me.
On her turn, the clerk asked for information stored in some account on her phone. She did not, however, remember the necessary password. She then removed an inch-thick flipbook of Post-it notes, each containing a login and password to a different account.
I watched her rifle through the stack. Ten minutes of life that I will never regain, with my frustration mirrored on the faces of everyone else in line.
One of the top cybersecurity tips is to maintain proper password security. Storing passwords on a notepad or stack of sticky notes does not qualify as secure. What does?
• Using passwords with differing types of characters.
• Avoiding the most common passwords (like “Pa$Sw0rD”).
• Setting a regular schedule to change passwords (although some research shows that most people use near identical passwords when forced to switch).
Four issues warrant additional discussion.
First, do not reuse the same passwords across multiple accounts. If one account is hacked, you’ve exposed every other account for which you’ve used the same password.
Recently, for example, Intuit disclosed that its TurboTax product had suffered just such an attack. The criminal accessed TurboTax user accounts by taking usernames and passwords it had stolen from a non-Intuit source to attempt TurboTax logins.
For the accounts where those logins succeeded, the criminal was able to obtain sensitive tax return information. (If you want to know whether one or more of your online accounts has been compromised, check out haveibeenpwned.com.)
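The TurboTax incident is a credential-stuffing attack: a leaked username/password list replayed against another site. As an added example that is not from the column, the Python below shows what that looks like from the defender's side, flagging any source address that tries many different usernames in a few minutes with mostly failed logins; the log format and sample lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: "<ISO timestamp> <source IP> <username> <result>"
SAMPLE_LOG = """\
2019-02-01T10:00:01 203.0.113.7 alice FAIL
2019-02-01T10:00:02 203.0.113.7 bob FAIL
2019-02-01T10:00:03 203.0.113.7 carol FAIL
2019-02-01T10:00:04 203.0.113.7 dave FAIL
2019-02-01T10:00:05 203.0.113.7 erin OK
2019-02-01T10:00:06 203.0.113.7 frank FAIL
2019-02-01T10:02:10 198.51.100.20 alice FAIL
2019-02-01T10:02:25 198.51.100.20 alice OK
2019-02-01T10:03:00 198.51.100.21 bob OK
"""

def parse_line(line):
    """Split one log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.3):
    """Return {ip: {"attempted": [...], "succeeded": [...]}} for each source IP
    that tried at least `min_users` distinct accounts within `window` and
    succeeded on at most `max_success_ratio` of those attempts. A user who
    mistypes a password fails on one account; a replayed breach list fails on
    many and succeeds only where the victim reused the leaked password."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance `start` so the window never spans more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {user for _, user, _ in span}
            ok = sum(1 for _, _, result in span if result == "OK")
            if len(users) >= min_users and ok / len(span) <= max_success_ratio:
                # Report every account this source touched; the ones that
                # accepted a leaked password need a forced reset.
                flagged[ip] = {"attempted": sorted({u for _, u, _ in events}),
                               "succeeded": sorted({u for _, u, r in events if r == "OK"})}
                break
    return flagged
```

Tune `min_users` and `max_success_ratio` to the site's normal traffic; a shared office or NAT address will legitimately show several users from one IP, but mostly with successful logins.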
If you are not going to reuse the same password across multiple accounts, how will you generate and remember hundreds of different and complex passwords? The answer brings us to point number two. Use a password manager.
A password manager is an online service that stores all of your passwords (encrypted on their end). All you need to do to unlock the password for any given account is to recall the lone master password you have chosen for your password manager of choice. Passwords are also synced across devices.
The top competitors offer variations on the same service. Compare pricing and features, then pick one. The money you spend on an annual subscription pales in comparison to what you will spend undoing the damage caused by an account compromised through a weak password.
The question I get most often regarding password managers? “Aren’t you worried about them being hacked?”
Technically yes, but functionally no. At least one has been hacked without the exposure of even a single user password because all of the stored data is highly encrypted.
If you compare the security of reusing passwords, or of using different passwords but storing them in a notebook or sticky-note flipbook, against using a password manager, the secure choice is clear.
Third, check your URLs and only input account information on sites that use HTTPS web encryption.
HTTPS provides an encrypted online session between you and whichever site you are visiting. With a non-HTTPS site, everything you send is visible to anyone on the same network. Even safer, use a Virtual Private Network, or VPN, to create a secure channel between your computer and the internet.
Finally, use two-factor authentication for any account that offers it.
Two-factor authentication, or 2FA, requires a user to input a unique code sent to a device of choice (usually by text message) any time they log in to an account from a new device. 2FA is not foolproof.
For example, it does not take much skill for even a low-level cybercriminal to steal a phone number and intercept the code. In a more elaborate variant, criminals use social engineering to impersonate the account holder and trick a mobile carrier into sending a new SIM card to the attacker, diverting all 2FA text messages to the criminal’s mobile device.
Thus, while one should not rely on 2FA as the only method to secure one’s account, its added layer of security certainly can’t hurt.
No one is immune from being hacked. However, taking a few simple (albeit mildly inconvenient) steps to secure your passwords and accounts will go a long way toward mitigating this very serious and costly risk.