During the holiday season, millions of people will unbox new phones, gadgets and electronics. Ask anyone and they will agree that technology needs to get simpler. As Henry Thoreau wrote, “Our life is frittered away by detail… Simplify, simplify”.
Complexity is a word people frown upon related to technology. Yet, technology in the area of password protection needs to get stronger and more complex to keep the bad guys out.
At a time when most devices connect to the Internet, making it harder for intruders to gain access is essential. The number one way hackers access an online account is through stolen or misused credentials, according to the annual Data Breach Investigations Report from Verizon.
The biggest concerns companies have about security breaches is their own employees, who unknowingly expose valuable company information to intruders.
To protect themselves, companies are banning employees from using portable devices like USB drives. They want them to be cautious about posting on social media sites. They discourage sharing vacation plans online or leaving “out of office” email replies on work emails.
Facebook reports that every day, imposters attempt to compromise 600,000 accounts to access messages, photos and other personal information. Thieves search the website by postal code to learn who informed their friends that they are on vacation. According to Marc Goodman,
“Vacation plans on Facebook or Twitter are like a `please rob me’ signal …Some 78% of burglars get their leads from social media.”
In many cases, the crooks target employee laptops and computers in the home, that are used to sign-on to corporate networks.
In a recent Wall Street Journal article, about 30 percent of data breaches in 2015 were caused by employee error, according to a survey published in December 2015 by the Association of Corporate Counsel. In 2014, JP Morgan experienced a cyber security breach that affected 76 million households. The investigation discovered a financial planner with the firm accessed 350,000 client data records illegally and took the information home. The firm believes Russian hackers gained access to the employee’s computer at home and posted the client information online. While no client data was compromised, cyber security specialists say that a stealing a customer social security number, an email or a phone number is an important first step for a future breach.
Here are five password management strategies to keep the bad guys out.
1. Use different passwords for accounts.
If you put all your eggs in one basket, a breach could wreak havoc to your business if you have use the same password across accounts. According to criminal-record database service Instant Checkmate, almost three out of four people use the same password for more than one site, while more than three out of five smartphones users do not use a passcode to protect their device. One third of people use the same password for every website with weak passwords like ‘12345’.
2. Use two-factor authentication
This type of verification adds another level of security to your online account. In addition to providing a regular password, the user must enter a one-time code when logging into an account or service. In most cases, a code is sent to your mobile phone as a text message. After entering a password, the user must then enter a one-time code. This service is offered by most established companies like Google, Dropbox, Apple, Evernote, Microsoft, Twitter, Linked and Facebook.
According to a TeleSign Consumer Account Security Report, published in June 2015,
“72 percent of consumers want advice on how to protect the security of their online accounts. .. 77 percent of users use a password that is one year or older.”
In August 2014, hackers attacked Apple iCloud accounts and leaked private photos for Jennifer Lawrence and other actors. Apple quickly confirmed its systems were not breached but that compromised accounts came from usernames, weak passwords and security questions.
3. Use a password manager.
Password manager programs work across platforms on any computer and device. Their primary function is to remember all passwords you use across devices, so you don’t have to. Many also generate strong passwords with a single click. The most popular password managers are DashLane, LastPass, RoboForm, StickyPassword and LogMeOnce, which charge a monthly or annual subscription fee.
4. Use HTTPS instead of HTTP whenever possible
Websites that have an https:// before the website name, add an extra security layer called SSL by encrypting your browser. It is recommended to use https:// whenever possible especially when performing banking or financial transactions online. In other words, communications sent over regular HTTP connections are in plain text and can be read by intruders that break into the connection between your browser and the website. With HTTPS, all communication is securely encrypted. Due to SSL (Secure Socket Layer), an intruder cannot decrypt data that passes between you and a website.
5. Don’t use security questions when you forget your password
Most companies ask customers to answer “security questions” when registering for an online account. When a user forgets their password, they are asked to answer a few security questions. The problem with this is approach is that many users answer easy questions like favourite food, mother’s maiden name, city of birth or favourite sport. Hackers have a reasonably good chance of guessing the right answer by monitoring your social activity. Google recommends having an alternative email address or an SMS option, instead of providing answers to security questions. Verifying a password by answering security questions should be a last resort.
While simplicity is highly desirable when we think of technology, it is an undesirable when we think about secure online accounts. Strong passwords are highly recommended with additional security measures as outlined in this article. The goal is to make it as difficult as possible for a hacker to breach an online account.