A common strategy of hackers, especially new, young or even unimaginative hackers, is to scour the “Dark Web” for password lists. These are lists of user accounts and passwords that more enterprising hackers get ahold of and then post online for sale. Someone will buy that list, then blanket the email addresses with scary emails that say things like “if you don’t pay me 2 bitcoin, then I’ll hack the following account…” and then they’ll proceed to include your specific email address and that account password, just to show you that they’re serious. That’s extortion, plain and simple.
Then there are the flat-out wide-scale breaches that we’ve seen with Equifax and, a few years ago, Sony Pictures. In cases like these, personal information was gleaned from databases and even Office documents that was used to expose personal data about Sony executives, movie stars and, in the Equifax case, public citizens. Something as simple as keeping an Excel spreadsheet of all of your account information, while convenient, can also be very costly.
Therefore, we wanted to lay out some password strategies that could help protect online accounts, email addresses, network access and more and at least mitigate the potential for any of these things to be compromised.
Password Strength and Strategy
This point is belabored across the internet, but it’s still worth mentioning first: the stronger your password, the less likely you are to be compromised. Sure, it’s tough to remember a long, difficult password, but that’s the point: it’s hard for you to remember and it’s hard for someone else to guess or crack using brute force methods. (I.e., using a computer or multiple computers to algorithmically keep trying different combinations of letters, numbers and special characters to try and figure out your password.)
There are any number of tips and tricks out there to help you generate a password, such as using a sentence as the basis for your password. Something like “My first car was an Aston Martin DB 10” could turn into the password “M1stCwaAMdB10!”.
Another, perhaps more beneficial strategy is to use a common prefix for your passwords that uses case sensitivity, numbers and special characters, then some account- or company-specific suffix that also includes those same features. For example, your prefix could be “Fri14@”. Then, when signing up for something like an account at Grainger.com, you’d add “Gr41n!” to the end. That gives you a password of “Fri14@Gr41n!”, a 12 character password that combines upper and lower case letters, numbers and some special characters. If you make your prefix stronger, you can maybe be a bit less mysterious with your suffix as well, so Gr41n! becomes “GRaingr!” instead.
Regardless of what trick you use, a long, strong password that mixes in upper- and lowercase letters, numbers and special characters – whenever allowed – is a wise course of action. Then, of course, is the issue of remembering that password. Well, there ARE solutions for that as well!
Services such as LastPass, 1Password and more offer you the ability to store passwords that are retrievable via a mobile device or via a plug-in for your favorite browser. Generally, these services have a price, either a one-time price or an ongoing monthly cost, but in the long run they’re well worth it.
In addition to storing passwords, most have additional features you can use that are also beneficial. These features include things like online or app-based password generators, the ability to group and share passwords with others, and much more.
However, the major benefit is that they take the “memory” part out of having good, strong and secure passwords. You don’t have to remember them as the service stores them and allows you to retrieve, and use them, whenever you need to.
Of course, there’s always questions like “What if LastPass gets hacked? What then?!”
Well, the short answer is: Nothing.
Services like LastPass actually encrypt everything around your accounts, account information and passwords, from the login you use with their browser plug-ins to the data on LastPass systems. In fact, LastPass employees can’t even see any of your data. This is from LastPass’s support FAQ:
“LastPass encrypts your Vault before it goes to the server using 256-bit AES encryption. Since the Vault is already encrypted before it leaves your computer and reaches the LastPass server, not even LastPass employees can see your sensitive data!”
That means that every interaction you have between you and LastPass is totally safe, secure and encrypted.
2 Factor Authentication (2FA) and Single Sign On (SSO)
2FA and SSO are two things that are talked about a lot, and while they seem “buzz worthy” in terms of their names, they’re very simple and effective ways to help secure online accounts.
2FA is just what the name implies: a second way to authenticate yourself when you log in to an online service. For example, after you log in to an account, the service may send you a text message, or an email, with a code you must input prior to completing your login. The idea here is that there’s a second way for the service to tell you are who you’re claiming to be.
SSO is also just as the name implies: a single username and password combination that can be used across multiple different products or services. The idea here is that you use a single account – like your Facebook, Twitter or Google account – as the main method of authenticating yourself. Of course, password strength and password management come into play here as you ARE using ONE account to log in to many services, so that ONE account MUST be secured.
Finally, there’s identity management solutions. These are generally more useful in home or business networking scenarios versus using online accounts. Identity Management is just that: there is a system in place, such as Microsoft Active Directory (AD), that is the “issuer of record” for your access to the network. That means your AD account is the only way to access a system, and that AD account is generally managed by someone other than you. For example, your handy, helpful IT team.
Regardless of which of the above steps you take to securing your online and local accounts, the key takeaway is that no one, be they a single individual or a Fortune 100 company, is immune to online attacks. There are even those in our own industry who are susceptible to a mis-typed letter or a lost cell phone. However, that doesn’t mean you can ignore proper security methods and just wait for the inevitable. Using one or more of the systems mentioned above puts you ahead of the curve and can go a long way to at least limiting the likelihood of something happening to your accounts and your data.