The beginning of a new year is a great time to take inventory of all those passwords, and change them!
Passwords are our first and sometimes only line of defense for keeping important information safe from the ruthless hackers who seek to profit from your information, regardless of how uninteresting you think you may be. Each byte of data holds a potential key to unlocking some treasure of valuable information about friends, family, school, employers, partners, customers, former contacts or even casual acquaintances. Our biggest mistake in this battle is underestimating the importance of smart password management. This is a long read, but if taken seriously, it can be one of the best investments of time you make all year.
Ensure you are creating STRONG passwords:
- Whenever possible, use at least 12-16 characters (the 8-character password is dead!): https://it.slashdot.org/story/19/02/15/0459230/8-character-windows-ntlm-passwords-can-be-cracked-in-under-25-hours
- Include upper case, lower case, numbers, and special characters
- Passphrases are ideal for memorization and tracking with hints
- Example: d0Cry4m3@rgen+na, which I might remember with a simple hint written on a note under my keyboard: “Evita”
Do not use:
- Words that can be found in a dictionary (spelling a word incorrectly is effective).
- Anything of publicly researchable significance (birthdays, anniversaries, kids’ birthdays, kids’ names, pets’ names, house numbers, phone numbers).
- Simple combos like variations on abc123, qwerty123, password123, or password abc. In general, avoid abc or 123, and be aware that “!” is the most commonly used special character.
- E-mail for storing sensitive account and password information.
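The two lists above (the STRONG rules and the "do not use" rules) can be applied mechanically. The script below is an added example written for this post, not code from the author; it checks a candidate password against the rules as stated (length of at least 12, all four character classes, no dictionary words, no abc/123/qwerty runs, no researchable personal details, and "!" as the only special character), and it also estimates how long an exhaustive guess would take. The word list, the personal-detail samples and the guess rate of 1e11 per second are constructed assumptions; a real deployment would load a full dictionary.

```python
"""Password policy checker modelled on the rules in the post (added example)."""
import math
import string

# Constructed, deliberately tiny word list standing in for a real dictionary;
# a practitioner would load a full one (for example /usr/share/dict/words).
DICTIONARY_WORDS = ("password", "summer", "dragon", "welcome",
                    "argentina", "asparagus", "evita")

# Keyboard and number runs the post tells readers to avoid.
COMMON_SEQUENCES = ("abc", "123", "qwerty")

MIN_LENGTH = 12  # the post's lower bound; 16 is the comfortable target

CLASS_SIZES = {
    "upper": len(string.ascii_uppercase),   # 26
    "lower": len(string.ascii_lowercase),   # 26
    "digit": len(string.digits),            # 10
    "special": len(string.punctuation),     # 32
}


def char_classes(password):
    """Which of the four character classes the password actually uses."""
    return {
        "upper": any(c in string.ascii_uppercase for c in password),
        "lower": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(c in string.punctuation for c in password),
    }


def estimate_bits(password):
    """Upper bound on entropy: every position drawn uniformly from the pool
    of classes used. Real passwords are far less random than this, so treat
    the result as an optimistic ceiling, not a measurement."""
    used = char_classes(password)
    pool = sum(size for name, size in CLASS_SIZES.items() if used[name])
    return len(password) * math.log2(pool) if pool else 0.0


def crack_seconds(password, guesses_per_second=1e11):
    """Worst-case seconds to exhaust the keyspace at an assumed offline guess rate.
    1e11 guesses/s is a constructed figure for a GPU rig against a fast unsalted
    hash; an 8-character password over all 94 printable classes is 94**8 / 1e11,
    roughly 17 hours at that rate, while 16 characters is astronomically longer."""
    return 2 ** estimate_bits(password) / guesses_per_second


def check_password(password, personal_info=()):
    """Return the list of rule violations; an empty list means the password passes.
    `personal_info` holds researchable details (names, dates, house number) as strings."""
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    missing = [name for name, used in char_classes(password).items() if not used]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))

    for seq in COMMON_SEQUENCES:
        if seq in lowered:
            problems.append(f"contains common sequence '{seq}'")

    for word in DICTIONARY_WORDS:
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains dictionary word '{word}'")

    for detail in personal_info:
        if detail and detail.lower() in lowered:
            problems.append(f"contains researchable detail '{detail}'")

    # "!" is the most common special character; flag it when it is the only one present.
    specials = {c for c in password if c in string.punctuation}
    if specials == {"!"}:
        problems.append("'!' is the only special character (the most commonly used one)")

    return problems


if __name__ == "__main__":
    # Constructed samples: the post's passphrase, a classic bad one, and a pet name plus year.
    for pw in ("d0Cry4m3@rgen+na", "Password123!", "Duke1985!!"):
        report = check_password(pw, personal_info=("Duke", "1985"))
        print(f"{pw!r}: {estimate_bits(pw):.1f} bits, "
              f"worst-case {crack_seconds(pw) / 3600:.1f} h to exhaust; "
              f"{'OK' if not report else '; '.join(report)}")
```

The entropy figure is the number a naive brute-force attacker faces; it does not reward a password that merely looks random, which is why the rule checks (dictionary words, sequences, personal details) run separately and should be treated as the stricter gate.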
Other things to be aware of:
Don’t use the same password everywhere! It’s okay to write them down with pen & paper and keep them in a safe place (NOT stored on a phone or an internet/network-connected computer, and no, taking a picture of it doesn’t make it harder to find).
- Pro Tip: Consider using hints and passphrases to simplify remembering the current password, as long as it’s hard for someone else to figure out what account it’s used for, just in case your hiding spot wasn’t hidden well enough.
(Example: the hint written down is ‘yummy chat’, which reminds me that the password (ih8@sparagUS) is for my social media accounts.)
You should have AT LEAST 6 passwords!
1) SOCIAL: Social media accounts (protect your reputation; more on this below).
2) BANKING: Protect accounts that show how much money you have (even if you don’t keep much in the account). Knowing where you bank and when/where/how you spend can open a lot of doors for people trying to learn your routine, even if they can’t take actual money using this login.
3) SPENDING accounts: Anywhere you have saved or stored your banking, checking, credit or debit card numbers, like Amazon, PayPal, or even your household utility accounts (cable, power, water, etc.).
4) IDENTITY: Doctor’s office logins, health insurance, retirement, or investment accounts; Department of Licensing (License XPress); accounts for loans, mortgages, or sensitive court documents, etc. (credit counseling, bankruptcy, divorce, accountants, taxes, lawyers, pharmacy, insurance, Social Security, benefits, etc.).
5) MEMBERSHIPS: Including grocery store discount cards (Costco, Fred Meyer, Safeway), club cards, etc. (Ideally these types of accounts don’t have stored payment info!) Generally, anything that sends you snail mail, or e-mail that you actually might open. If it tracks your shopping habits or interests, or has your physical address or the names of friends & family, then it falls into this bucket. Consider also online games (although if you are a gamer, these might go into SPENDING or SOCIAL).
6) E-MAIL ACCOUNTS: Any e-mail account you use for password resets (“Forgot your password? E-mail me a link to reset it”) should be considered highly sensitive. Ideally you would create a NEW e-mail account that you use EXCLUSIVELY for managing account password resets, and nothing else, ever. This reduces the chances that anyone will be able to grab that password from your day-to-day routine.
Once they know which account you use to change your passwords, they can at any point change your passwords to lock you out of your own accounts. (They usually won’t do this unless they think they’ve been, or are about to be, caught.) Any master e-mail account should NOT use the same password as any other account (e-mail or otherwise) they may have already compromised, so if you have multiple accounts here, either consolidate sensitive services to a dedicated “SECURE” e-mail account for password management, or maintain different highly complex passwords for each one and change them regularly.
— Secret question tips for the “I forgot my password” recovery process: please don’t use real answers to these questions. Think of these as another ‘password’, or do something different, like typing the answer backwards. “The name of my first pet”? Maybe it was DUKE, but I’d spell it DOOK, or with zeros, D00K, or backwards, K00D. The name of my favorite teacher? Maybe that’s K00D as well. Or “IHATEDALLOFMYTEACHERS” (although I really didn’t) as your boilerplate answer to this question on the various sites.
The point is, don’t use real information. Assume that these people have been through your e-mail, studied your Facebook, and indexed your best friends’ and family members’ computer files, e-mail, etc. Try to come up with your own unique ‘password convention’, learn it, and keep it “guess- and research-proof”, but also flexible enough to survive *at least* one or two password changes each year (by changing them in a way other than incrementing 1 to 2, or the like).
Yes, it can be painful at first… but if you invest a few hours and stick with it, it could save you hundreds of hours and thousands of dollars, not counting any value you would place on your personal and professional reputations.
— Why so many different passwords? Because stealing people’s passwords has become kid’s play today. It’s so horribly easy to guess, keylog, brute-force, dump, phish, or “spear-phish” (go look that one up!) account passwords now that it’s almost a guarantee someone somewhere already knows at least one of your main passwords. The more layers of defense you maintain, the less likely someone will be able to do serious damage before you realize things are not quite right.
— The first thing you do if you suspect you’ve been owned? Change your passwords from a computer that is not likely to be infected by malware. If your computer has been compromised, changing your passwords on that device won’t help; they’ll get the new ones immediately. It’s not a bad idea to invest in a dedicated tablet, or an old crappy laptop that has been clean installed, patched, and is only ever used for changing passwords. No games, apps, or internet browsing, firewalls locked down (inbound AND outbound), and kept off the internet when not in use.
— Isn’t this a bit paranoid? Absolutely not. Security consultants are getting calls every day from people who have been hacked. Once hackers get access to a sensitive account, they like to wait quietly and observe for weeks or months, tracking your activities, interests, and routines for just the perfect opportunity (payday, new job, tax season, marital infidelity, etc.). People are being legitimately blackmailed with their own sensitive pictures or messages to loved ones they thought were private and secure. “Give us money, or we’ll send these pictures to everyone you know. Don’t bother deleting your account, we’ve saved everything from everywhere.” This is actively happening to thousands of people across the internet every day, ESPECIALLY to Americans, and is more serious than you can imagine.
— “Ha… let them look, I don’t have anything to hide. I don’t have anything they would be interested in.” (I hear this a lot.) What about your employer or your employer’s network? A partner of your employer, or a client… your friends and where they work… your school… family members. If a hacker can send a legitimate-looking e-mail from your account to a person who trusts you, they’ve won. Paranoid? Nope… it’s sad that this is the reality we live in, but the bad guys use these tactics because they are effective. The words “I never thought it would happen to me…” are uttered all too often anymore. Keep in mind, these attacks can almost entirely be automated, requiring very little human input from the hackers, so they can carry out this activity on a massive scale once they have an idea how to catch you off guard. The odds of having your identity compromised are seriously high: one American every 6 seconds, as reported by a 2017 DHS study.
— Do NOT trust that your valuable data is backed up “securely in the cloud” just because you think it is. It *might* be safe from fire or a stolen phone or laptop, but it is DEFINITELY not safe from being stolen or viewed without your knowledge (unless you’ve invested heavily in learning how to lock down and closely monitor your cloud environments). It is essential to keep your sensitive and important files backed up offline to an external portable hard drive, flash drive, or optical archive-class media. Offline backups should always be disconnected from any computer or network unless actively backing up or restoring. Set a reminder to manually update your offline backups every few weeks. Learn how to safely and reliably encrypt those drives using BitLocker or TrueCrypt (or ask your tech-savvy friend to help you through it) to make sure someone poking around on your offline drives won’t be able to pry into things that don’t belong to them.
— Back up your encryption keys (print them out and file them in a safe place!). You WILL eventually forget the password for decrypting, and letting the computer “remember” the unlock key for you is worse than trying to remember it yourself.
— Avoid password-saving features built into internet browsers like Google Chrome, Firefox, Safari, Edge, etc. They’re rolling out great new features to “log into your browser so your saved passwords and bookmarks follow you anywhere you go.” Handy, yes… but it’s also handy for your hackers. All those stored passwords and bookmarks can be exported with a script in under a second with the right exploit. Don’t risk it.
— Keep your operating systems and 3rd-party applications patched! (Yes, even you, Linux, iOS, or Apple Mac OS X users… you ARE also vulnerable, despite absurd rumors to the contrary.) If Adobe Flash, Acrobat Reader, Microsoft Office, Java, and/or your anti-virus software want to “update”, this is your top priority… just be sure to look twice and make sure that things look legitimate. If you’re not sure, take a picture or screenshot and send it to someone for a 2nd opinion before clicking “YES”. Just don’t keep clicking “no” thinking you’ll get to it later.
— Microsoft does NOT call people! Nor does it tell YOU to call them. If you get a popup with a message, sometimes a recording, telling you that your computer has been hacked and you must immediately call their tech support line, DO NOT DO IT! Do NOT install any “special software” they give you. Disconnect your computer from the internet immediately, unplug your modem or router if necessary, and call someone tech-savvy that you know and trust.
— It IS a good idea to put a piece of tape over your computer webcams (painters tape or electrical tape work great). Cover both rear- and forward-facing cameras on tablets and laptops. It’s not as easy as it used to be, but make no mistake, if they CAN watch you, they will. Some of these blackmail scams are capturing teen boys doing ‘what teen boys do’ and threatening to distribute those pictures or videos to their social media contacts. It works, and people pay, because… well… wouldn’t you?
— Even if you run 3 different anti-virus / anti-malware services, and none of them find anything wrong, that does not mean your computer hasn’t been compromised. There are a lot of new exploits active in the wild, and this new generation of malware cannot quickly be detected or cleaned. This is especially common if you or someone you know works in an industry that may be considered a high-value target in the business, finance, tech, healthcare, or public sectors. It doesn’t take much effort to modify an existing piece of malware to defeat scanners for a custom job.
— Look into setting up Multifactor Authentication (MFA) using your cell phone on your most sensitive accounts, but avoid blasting your cell phone # all over the known universe if you do. If your cell phone loses service unexpectedly in an area where it shouldn’t, and that behavior persists after a reboot, use another line to call your carrier immediately and report suspicious behavior to confirm no changes have recently been made to your account. SIM hijacking does happen, and it is the weakness in using your phone for MFA. Finally, make sure you have PIN locking enabled on your phone and the storage encrypted if it isn’t already… and for goodness’ sake, connect your phone to your computer with a USB cable and manually back up your data and pictures. I am shocked at how many people don’t do this, expecting the cloud to handle it flawlessly.
— Consider a password management app. There are pros & cons to this approach; it does increase complexity, but with a bit of time it can be used quite effectively. A fairly popular and highly rated app is LastPass… but there are many newcomers to the game. Do some research and make the decision that best fits your lifestyle.
— Are biometric technologies worth the premium cost? New phones, tablets, and computer accessories make biometrics an available option, and they are less expensive than ever before. When used correctly, they greatly reduce the risk of relying on single-factor passwords, which makes life more difficult for the bad guys. Leveraging technologies like Windows Hello, PIN protection, MFA, and biometric fingerprint readers (*on trusted devices) will save you from having to enter your password repeatedly throughout the day, making it far more difficult to compromise your password using conventional methods.
After reading all of this, if you find yourself a bit overwhelmed and not sure where to start, you may need to engage the services of a Cyber Security consultant. Feel free to contact us for a bid or partner referral.
Questions or Comments may be directed to the author: Greg.Riggs@oshitech.com