Over the years I’ve been asked by many people about security, both at their place of business and at home. Recently, with password standards getting even stronger (at least 12 characters, with special, upper-case, lower-case and number characters) and the required frequency of change getting even shorter, the end users we service are, of course, getting a bit upset.
However, on the flip side, the ones that have had a security breach also want to know more about what they need to do to keep such a thing from happening to them again. Usually the ones that were breached were the ones that wouldn’t keep pace with the times, meaning they had weak passwords, didn’t invest in any more advanced security measures, or chose to forgo minimum security recommendations because their employees were upset about the change.
I’m going to break up this series into a few parts, mainly because there is so much that can be covered. If you have any questions feel free to contact us via our “Contact Us” page under the “About” section or post your questions directly to this blog entry by making an account on our site and posting your questions.
Why is my password so important?
The weakest link in the security of your digital life is you. The second weakest link is your password.
Your password is like the key to your life. There are many ways to get into someone’s account; however, the two most used methods are:
Social Engineering - being tricked into giving someone your password or your password reset answers.
Brute Force - software that runs through common passwords, dictionary terms and other commonly used groupings to guess your password by trial and error.
Social engineering is easier than you may think. I’m sure you don’t think of yourself as an “easy target”; however, through simple conversation with someone on the bus, in a coffee shop or elsewhere, I’m sure you’ve revealed things like where you moved from, where you were born, or your sister’s name. All of those details are commonly used as password or account reset answers. When you think about it, guessing the password may be harder than guessing your password reset answers.
Brute force attacks are getting better and better by the day. Computers ten years ago could only guess a fraction of what a computer can do today. For instance, an article on Hackaday shows a picture of a computer with 25 graphics cards installed in it that is capable of 348 billion attempts per second. This means that if your password is a dictionary word with just a few numbers and a special character, your password is useless. Of course, for someone to use this on your account you have to be targeted, but it goes to show how hackers’ tools are becoming more advanced, which is why you need to step up your game as well.
So What is a Strong Password?
In all honesty, a strong password would be:
• 15 or more characters
• Upper case letters
• Lower case letters
• Special characters
• Completely random, generated for you by a computer using a special randomizer
• Changed completely every 30 or fewer days
Now we all know this isn’t feasible, and passwords like that don’t belong on everything; however, that is the only way to keep people out, or at least slow them down.
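As an added illustration (not code from the original post), the following Python puts the two ideas above together: it estimates how long the 348-billion-guess-per-second rig would need to exhaust each password shape, and generates the kind of computer-randomized 15-character password the list describes. The wordlist size (100,000 words) and the digit/special-character suffix sizes are my assumptions, not figures from the post.

```python
import secrets
import string

# Guess rate quoted in the post for the 25-GPU rig: 348 billion attempts per second.
GUESSES_PER_SECOND = 348_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The four character classes the post's "strong password" definition asks for.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable symbols


def seconds_to_exhaust(length: int, alphabet_size: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this length over this alphabet."""
    return alphabet_size ** length / rate


def dictionary_pattern_seconds(words: int, digits: int, specials: int,
                               rate: int = GUESSES_PER_SECOND) -> float:
    """Time to exhaust 'dictionary word + a few digits + one special character'.
    The wordlist and suffix sizes are assumed inputs, not figures from the post."""
    return words * 10 ** digits * specials / rate


def generate_password(length: int = 15) -> str:
    """Random password from the OS CSPRNG with at least one symbol from every class."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character from each class")
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    secrets.SystemRandom().shuffle(chars)  # so the class-guaranteed symbols are not always first
    return "".join(chars)


def has_all_classes(password: str) -> bool:
    """Policy check: does the password contain every required character class?"""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def fmt(seconds: float) -> str:
    return f"{seconds:.3f} s" if seconds < 60 else f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    print("8 lowercase letters:        ", fmt(seconds_to_exhaust(8, 26)))
    print("word + 3 digits + special:  ", fmt(dictionary_pattern_seconds(100_000, 3, 32)))
    print("15 random printable symbols:", fmt(seconds_to_exhaust(15, len(ALPHABET))))
    pw = generate_password(15)
    print("generated:", pw, "meets policy:", has_all_classes(pw))
```

The 8-letter and dictionary-pattern passwords fall in under a second at that rate, while the 15-character random password is measured in billions of years, which is the gap the list above is describing.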
So What Should I Do?
Think of your digital life in levels of security. There are important things; less important things that still contain a lot of personal information; and then the junk things you were forced to sign up for just to get in.
If you break them down into sections, setting strong passwords isn’t that difficult.
Examples of Important Site Passwords
Obviously your bank account login, anything to do with money, your health care (medical records hold a lot of personal information), anything relating to your children, or anything else that you’d have a heart attack over if someone else accessed it.
These accounts hold a lot of personal information, access to your financial life and the lives of your family. Surprisingly, accounts for children are an identity thief’s golden ticket. They can open up accounts in your child’s name with their social security number and it could be years before anyone realizes it. It’s not like your 10-year-old son is going to be buying a house or car anytime soon. Heck, they can’t even open up a credit card until they are 18.
These accounts should have super strong passwords, the ones you probably need to write down or use a password vault program to remember. These passwords should also all be different from each other because if someone cracks a password you don’t want them gaining access to the rest of your accounts as well.
Now I know online banking is a convenient thing and a lot of us do this from our cell phones on the road while we are at lunch, but that’s quite literally the worst thing you can do. What I do is keep an everyday bank account that holds no more than a few hundred bucks in it and I refill it from another account from time to time. This is what I use for online shopping, everyday expenses and what I will allow myself to access while I’m on the road from a cell phone or a public Wi-Fi network. My large bank accounts for my home, business and investments all have passwords on them that I literally need to look up every time I access the sites.
There should only be a select few accounts that need this level of access. A few bank accounts, investment sites and your health care sites.
Examples of Less Important Site Passwords
Social media sites, online email accounts or anything else that has personal information on it but not enough to start up a loan or bank account, and doesn’t give away too much information about yourself or your family / friends / work.
These sites should have stronger passwords on them that are unlike any of your other passwords but are still convenient for you to remember. Now again, you should still be at the 15 or more character count and you should avoid any dictionary terms if you can. What I do is use a nickname of a friend, family member or something that I know very well but isn’t in the dictionary because of spelling or some other reason. These passwords should still change over every 30 to 60 days as well.
The accounts that fall into this category are anything that if you found out that someone hacked the account you would be upset but not calling your bank to ensure you still had money.
There should only be a handful of accounts that fall into this category, making it easy to follow these rules. Social media sites, important online email accounts, family / personal accounts with sensitive information and anything that has to do with school.
Examples of Junk Site Passwords
Finally you have your login for everything else. If you think about it, this is probably 95% of all your online activity during the day. You might do your online banking quickly in the morning, over lunch or when you get home in the evening, and you are probably accessing a site or two a week that fall into the second category, but your everyday access to websites is usually things that fall into this category.
These passwords can be easy: 8 or more characters, and they can be shared among all such sites if you don’t care about the contents of the account. Easily remembered dictionary words are OK here; basically you just need to meet the site’s minimum requirements to gain access.
Things like your account to an online newspaper, blogs, forums, internet communities, online games etc…
Why Should I Care, Isn’t the IT Department Responsible for Security?
In a perfect world, yes, the IT department would be the end-all / be-all of your ability to access anything personal but that’s simply not the case. As much as an IT Professional can do to keep out hackers and bad-guys, all it takes is for your password to get out and it’s all over. Every time you use a simple password for your work account, you put the whole organization at risk. Every time you use a simple password for your bank account, you put your life savings at risk.
It is up to you to be diligent in securing your digital life. Most cars aren’t sold without an alarm system anymore. Many homes now have alarm systems, remote monitoring and other things to keep people out but statistically, break-ins are at an all-time low and declining every year. Identity theft and account take-overs are at an all-time high and rising. Why would a thief add more risk when they can sit at home or somewhere out of the eyes of the public and gain access to even more than you have in your home?
In all honesty these password policies aren’t that difficult. You just need to look at it like upgrading your life. You upgrade your computer, the appliances in your house and your vehicle; it’s time you upgrade your digital security. There are many password vaults out there in which you can safely store your passwords, or if you have a safe, or at least a safe spot to hide a password book, you’re better off than 90% of your peers. We all know that a thief is going to choose the least protected person, meaning if you’re even willing to implement some of what’s written here, you’ll probably be passed by.
For those of you reading this that have substantial financial means, a business, investments, you owe it to yourself to talk to an IT Professional to have them show you the best ways to reduce your exposure. You are the one the identity thieves are after.
Come Back for Part 2 – Internet Security: All About Awareness
Our next part will be about awareness. How do you identify a suspicious email? How do you keep yourself safe when you’re out and about on public internet access? How do you know if the link you’re about to click is OK? How do you tell if your computer is compromised? Thanks for reading and please feel free to contact us about this topic or ask a question by logging into the site and posting a comment below.