First, I have a few questions for you.
Have you ever lost your house keys?
Perhaps in a public place?
Maybe you even had something on that key chain that identifies you?
How did you respond to that event?
Did you immediately replace the locks on all your doors, or did you simply just get a new copy of the key made?
Maybe you were confident that the keys were lost in such a place that recovery by anyone seemed impossible to you? Perhaps you felt it unfeasible for someone to determine where you live even if they did find the keys?
Did that keychain have other keys on it?
Your car, PO-box, bike lock, gym storage locker, and office key perhaps?
Did you notify your office that a copy of their key was lost?
Did you have the PO-Box key changed?
Did you get a new bike lock?
How would your reaction change if you thought the keys you lost might be in the hands of someone who knows where you live, work, go to the gym, or where you bank?
Would you feel safe if someone had a copy of the key to your front door?
I would not.
Now, reflecting on the above questions, would you use the same key for your house, car, PO-box, bike lock, gym storage locker, and office?
I am willing to bet the answer to that question would be an emphatic “NO!”.
Let’s pretend for a moment that you had done that, though, and that every lock in your life had the same key.
How would you react to losing that key?
Would you react more strongly than if you had unique keys for each?
Why, then, do we feel indifferent about these things when it comes to passwords? Why, with a digital “key” that can be used from anywhere in the world, do so many people ignore this common sense when choosing passwords?
“COUNTLESS TIMES, I’ve witnessed people reacting to a “required password change notification” by only making a slight, one-letter adjustment to the original password, leading to thematic passwords that can EASILY be guessed by a hacker trying to gain access.”
– Jesse Wallace, Optistar Senior Technology Consultant
Having worked in the IT world for well over 20 years at this point in my life, I can tell you that many people use one or two passwords for all accounts IN THEIR LIVES.
COUNTLESS TIMES, I’ve witnessed people reacting to a “required password change notification” by only making a slight, one-letter adjustment to the original password, leading to thematic passwords that can EASILY be guessed by a hacker trying to gain access.
Do you know that when a large business is hacked or when a person mistakes a phishing attempt for a genuine email and enters their password into a bogus web page, the stolen employee passwords are added to enormous databases stored on hidden websites, referred to as The Dark Web?
Criminals use these databases of passwords to find ways to make money.
Identity theft, targeted fraudulent phone calls, targeted phishing emails, bank scams – all manner of things are possible when you have a person’s password.
I would be willing to bet that one of your passwords is on one of those lists RIGHT NOW.
Care to take that wager?
If you are using the same passwords for multiple logins, then you have a target on your back.
You must make changes because it is not a matter of IF it will happen, but WHEN it will happen.
So, What Can You Do? Take These 3 Steps Today!
Complex / Unique Passwords and a Password Manager
Complex passwords are a must, no two ways about it.
It’s not enough to simply have one complicated password that you just use everywhere though, because this is just asking for trouble.
If you don’t have a good method for memorizing a number of long complex passwords, I recommend a password manager like LastPass.
A password manager will allow you to have one master password for accessing a secured and encrypted list of all your other passwords. It will allow you to generate long complex passwords for each website at the click of a button without having to memorize them all.
At Optistar, we have had very positive client feedback with regard to LastPass, and it has the added benefit of being available to consumers for use in their personal lives as well. However, a password manager should always be used in combination with this next recommendation: MFA.
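The two properties a password manager gives you, a long random password for every site and no "Summer2023 becomes Summer2024" tweaks, can both be checked in code. The following is an added example written for this article, not Optistar's or LastPass's code: it draws passwords from the operating system's cryptographic random source and flags a "new" password that is only a small edit of the old one (the character set, the length of 20 and the edit-distance threshold of 2 are assumptions, not a stated policy).

```python
import secrets
import string

# Character classes every generated password must contain (assumption: a typical site policy).
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{}:,.?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG (secrets, never random) with every class represented."""
    if length < 4:
        raise ValueError("length must allow one character of each class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
                and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(pw: str) -> str:
    """Case-fold and drop trailing digits/symbols, so 'Summer2023!' and 'summer2024' look alike."""
    return pw.lower().rstrip(string.digits + string.punctuation)


def is_trivial_variant(old: str, new: str, max_distance: int = 2) -> bool:
    """True when the 'new' password is the old one with a one- or two-character tweak,
    the pattern a required password change so often produces."""
    if not new or new == old:
        return True
    if normalize(old) == normalize(new):
        return True
    return edit_distance(old.lower(), new.lower()) <= max_distance


if __name__ == "__main__":
    print("generated:", generate_password())
    for old, new in [("Summer2023!", "Summer2024!"), ("Password1", "password2"),
                     ("Summer2023!", generate_password())]:
        print(f"{old!r} -> {new!r}: trivial variant = {is_trivial_variant(old, new)}")
```

A password change policy that applies a check like `is_trivial_variant` (the old password is available at change time, since the user has to enter it) stops the thematic passwords described above; a generated password never trips it because it shares nothing with its predecessor.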
2FA / MFA
What is 2FA or MFA?
2FA and MFA stand for 2-Factor Authentication and Multi-Factor Authentication. 2-Factor Authentication is a security process requiring 2 different methods of verification to identify the user, thus the name. Multi-Factor Authentication is a security process that can involve more than just two methods of verification to identify the user.
Ok, What Does All This Multi-Factor Stuff Mean?
Basically, in addition to entering your password when you login to a website or service, you are also prompted to enter a code or respond to a notification on your cell phone. This process adds an additional layer of security to the authentication process by making it more difficult for attackers to gain access to a person’s devices or online accounts since knowing the victim’s password alone is not enough to pass the authentication check.
You may already be familiar with this because your online bank requires this, or maybe your employer has this in place.
If your current employer does NOT require this for access to your company’s systems, please let me know. We offer free assessments to help guide businesses out of this type of dangerous habit.
At Optistar, we offer a solution called Duo to protect our clients. It, along with Single Sign On, allows us to secure multiple platforms, websites, and services using one user account.
We can lock out logins according to geographic restrictions, hours of the day, unfamiliar locations, and other reasons.
This has the added benefit of limiting the damage a hacker can do if they get your password, because the hacker will also need access to your cell phone in order to gain access to one of your accounts.
In your personal life, use services that offer Multi-Factor Authentication as an option. Gmail, Outlook.com, Apple, and now even aol.com offer this method to secure your account with 2FA.
If your bank doesn’t offer this as an option for web and mobile logins, I would honestly consider moving to a different bank that DOES offer this security feature.
This small, simple implementation of MFA or 2FA should be at the top of your to-do list if you’ve not set it up already. It cannot be overstated how often using this security option would have stopped a hacker.
Dark Web Monitoring
Earlier I mentioned that hackers get passwords from hacking into large corporations or from phishing emails where they fool people into logging into malicious facsimiles of real websites. Those passwords are compiled into lists that are kept in databases on the “Dark Web”, a network of publicly masked servers and websites that criminals use to work together.
Passwords that make it onto these lists can be found through searches. If your password is on a list in the Dark Web, I think we can both agree that it should be changed immediately.
For our corporate clients, we track this, and when a password pops up on the Dark Web, we notify the client and ensure that this password gets changed as quickly as possible.
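What a monitoring service actually does with those lists is a lookup: hash your password and see whether that hash appears in a leak corpus. The following is an added example written for this article, not Optistar's monitoring tooling: the leak corpus and the person's accounts are constructed stand-ins, and the lookup is done by hash prefix so the password (and even its full hash) is never handed to whoever answers the query, a design choice on my part rather than something the article describes. The audit also flags the reuse problem from earlier in the article, since one leaked password reused on three sites means three compromised accounts.

```python
import hashlib

# Constructed stand-in for a breach corpus: a few leaked passwords with made-up occurrence
# counts. Real corpora hold billions of entries; the mechanics are identical.
CONSTRUCTED_LEAK = {"password": 9_000_000, "Summer2023!": 412, "letmein": 120_000,
                    "qwerty123": 65_000, "Welcome1": 8_300}


def sha1_upper(password: str) -> str:
    """Breach corpora are commonly distributed as SHA-1 hex rather than plaintext."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


LEAKED_HASHES = {sha1_upper(p): n for p, n in CONSTRUCTED_LEAK.items()}


def range_query(prefix: str, corpus=LEAKED_HASHES) -> dict:
    """What the lookup service sees: only the first five hex characters of the hash.
    It answers with every matching suffix and its count, so the caller's password is
    never disclosed to the service."""
    if len(prefix) != 5:
        raise ValueError("prefix must be 5 hex characters")
    return {h[5:]: n for h, n in corpus.items() if h.startswith(prefix)}


def leaked_count(password: str, corpus=LEAKED_HASHES) -> int:
    """Client side: hash locally, ask for the prefix bucket, finish the match at home."""
    digest = sha1_upper(password)
    suffixes = range_query(digest[:5], corpus)
    return suffixes.get(digest[5:], 0)


def audit(accounts: dict, corpus=LEAKED_HASHES) -> dict:
    """accounts maps site -> password. Flags passwords shared across sites ('reused')
    and passwords present in the leak corpus ('leaked')."""
    sites_by_password = {}
    for site, pw in accounts.items():
        sites_by_password.setdefault(pw, []).append(site)
    findings = {}
    for site, pw in accounts.items():
        issues = []
        if len(sites_by_password[pw]) > 1:
            issues.append("reused")
        if leaked_count(pw, corpus) > 0:
            issues.append("leaked")
        findings[site] = issues
    return findings


if __name__ == "__main__":
    # Constructed set of one person's accounts: two share a password that is also in the leak.
    accounts = {"email": "Summer2023!", "bank": "Summer2023!", "gym": "T7#pLq9vW2xZ!mK4rB8n"}
    for site, issues in audit(accounts).items():
        print(f"{site:6s} {', '.join(issues) or 'ok'}")
```

Any account that comes back "leaked" needs a new password right away, and any that comes back "reused" needs its own password whether or not the shared one has surfaced yet.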
Small Inconvenience Now To Avoid Disaster Later
I know creating and changing passwords can be inconvenient. I understand that MFA or 2FA takes a few seconds longer to use. However, if you can make these three changes I’ve recommended, you will greatly reduce your risk.
Let’s all start treating passwords like our keys that anyone in the world can use to open your front door.
Also, be sure to check out our other articles here for more information and tips on cyber security and technology!