First – Why is this topic so important?
I think it’s worthwhile to recognize why we need to be concerned about passwords and account security. Hacking is now wildly profitable. While the numbers are not well documented some media outlets put the gross take in the many millions of dollars. It is big business now, and more exploits are coming.
Why would a russian or chinese hacking syndicate want to hack into your account? Easy. To get access to your friends.
If someone guesses your password, they get legitimate access to your email account and all of the email addresses in it. While you may not have anything at risk, your email correspondents just may. With your account they conduct a “spearphishing” exploit, sending legitimate email to every one of your contacts – your friends, family, or perhaps worse, your business associates or customers.
In an email spearphishing attack, all of your contacts receive an email from you with a link or malware attachment which, when clicked, encrypts all of their files and runs roughshod over their entire network. The hackers then require a ransom payment, and if paid, they sometimes provide the key to de-encrypt the files. Sometimes.
Are you the one at fault? Well, the email came from you. By the way, spearphishing can happen through mobile and social network accounts too.
Here are the 3 things you can do to protect you and your loved ones (and customers) from a spearphishing attack
1. Make a good password
Let’s face it. Most of us use crappy passwords. Splashdata publishes a list of popular passwords that, in this day and age, need to be seen to be believed. 123456? Really?
Passwords are hard to remember, right? The rules are to use a long, nonsense password that contains upper and lowercase, numbers, emojis, and a prime number above 157 (Just kidding. Is that a prime number?).
Given the rules of a “strong” password, how then do we craft something that does not need to be a post-it note on your monitor? The answer is to use a phrase instead of a password. A phrase, as you know, is a series of real words separated by a space that, if we do it right, is a lot longer than your normal 8 to 12 character password, is easier to remember, and is harder to crack than the complicated password. The key is the length of the password. The longer it is, the harder it is for the hacker botnet to crack.
Here is a website that will create a password phrase for you. Not every website supports a very long phrase, so you won’t be able to rely on this for everything.
Here are Google’s password recommendations.
2. Make a different password for all of your accounts
First, I’m going to make it harder, then I will make it easier. Relax.
The fact is that you may have already been hacked and you don’t know it. Your crappy password is being stored in a hacker’s vault until the day they need it. You’ve used that password everywhere, right. When they use it they can systematically decimate your Facebook account, bank, cell phone account, credit card account, healthcare accounts, and probably your Amazon account (NO! Not that!)
One of the stopgaps to a hacker is to use different passwords so that they can’t take over your entire life after having cracked just one password.
Now we have difficult passwords and we need a different one for every account! I’m going back to snail mail, right?
It’s clear that if we have good password practices, that we will need a tool to keep track of those passwords. If you use Chrome or Firefox, you can use their built in password managers to remember your passwords. You do that by creating a browser login, which will then remember your passwords while you are logged in. What you have to remember is to LOG OUT of a browser if you are using some else’s computer.
You can also install a password manager application into your browser, like LastPass. Your antivirus software probably has this password manager capability built in. These plugins will remember your passwords for you. All you have to remember is the one good password for the password manager. Totally doable.
3. Use 2 Factor Authentication
Two Factor Authentication refers to a feature that you can turn on in many of your online accounts, including Microsoft and Google accounts. You may be used to this already with your online banking account. You enter a password and they send a code to your cell phone or email account that you also have to enter to log in.
2 Factor Authentication will provide another difficult hurdle for hackers to overcome. It isn’t foolproof, but it’s a lot better than your crappy password. You may decide to continue using your crappy password, but if you really need to do that, use 2 Factor.
Here are some useful links to articles that describe 2 Factor Authentication as well as the links to the major service providers 2 Factor Authentication pages:
4. Be aware
If you implement one or 2 of these measures, you will be much better off than those clueless friends of yours that are still using “password” for their password. It will be much less likely that YOUR account will be hacked. But theirs?
That means that you – the person with the great passwords, different for every account, using 2 factor authentication – will only be involved in a spear phishing attack as a recipient of the spear phishing message that was sent out of a friend’s account – that friend with a crappy password.
The last rule is to be aware, be very aware, of the messages that can contain the malware that can cause problems. Many of them are now in Word documents – those with macros that execute when you open them. It could be a zip file or a simple link. In most cases you can tell if it not kosher. I couldn’t possibly identify all possible attacks.
There are other measures that you can take to protect yourself or your company from an attack, many having to do with additional technology or software. Suffice it to say that common sense is the best protection, but in the age where malware is a profitable venture, common sense is a moving target.