It’s not just an issue for corporations: Naoki Hiroshima had his unique twitter handle, estimated to be worth around $50,000, compromised by a hacker exploiting PayPal’s lax treatment of confidential data.
According to a study by Google, four out of the top five security practices recommended by experts are concerned exclusively with passwords. Password security can be extremely tricky for a company or website to do correctly, and it’s estimated that 30% of websites store your passwords in plain text: not encrypted, not hashed, but just sitting in a database. The problem with this methodology is that no system is perfectly secure, and all an attacker needs is the slightest opportunity to get his foot in the door, whether it comes from SQL injection, social engineering, or simply a disgruntled employee! Even giants like LinkedIn and Sony are not immune, and once hacked data finds its way to the internet, it stay there forever. Here is a monstrously large list of stolen, leaked, phished, and otherwise unethically obtained passwords.
But let’s say you are unfortunate enough to have an account compromised, be it on Amazon, Facebook, Gmail, or even a small forum board. You find out weeks or even months later (Verizon estimates that typical data breaches go undiscovered for months), change your password on that site, maybe update your security questions, and go on your merry way. However, the problem is far from resolved. The typical criteria for a strong password—long, not based on a common word, and mixes numbers, letters, and punctuation liberally—are partially at fault. Over half of users use only five passwords for around 26 accounts, simply rotating around passwords for different sites. So when that small, unimportant account on a small forum got hacked, due to poor password management on the fault of the website, the hacker now knows your password and either your username or email address. Knowing that typical users reuse passwords and favor having similar usernames and handles on different websites, the savvy hacker can now gain access to your email, and use email based password recovery systems to infiltrate almost every aspect of your online identity. It’s even possible for an unassuming website to be actively stealing your account credentials in order to gain control of more important sites.
So what can individuals and companies change in order to prevent this domino effect?
1. Use a Password Manager
The underlying behavior at the root of the problem is password reuse. However, it’s hardly practical to expect that standard users will memorize 26 unique passwords as convoluted as:
• [email protected]*5j2#h18LQkv1
Password managers sidestep this issue by making it easy to generate and use secure, unique passwords. Typically, they store your passwords in an encrypted file, which you decrypt with a master password every time you turn on your computer. Then, they automatically enter your username and password onto any site you visit. They typically work on every operating system, including for smartphones and tablets.
Note that this procedure is actually more secure than using your browser to remember login credentials or “Keep me logged in”, as your user information is stored as encrypted data, rather than in plaintext. So if an attacker physically steals your computer, he can’t read your passwords from where the browser stores them on the hard drive as no data, including the master password, is left in the clear. Paranoid individuals may balk at the prospect of knowing a solitary master password granting a hacker access to every account, but this is the case even without a password manager! Most websites allow you to reset your login details via email, which turns your email account into a master password for every other site.
Recommended password managers:
• LastPass https://lastpass.com/
• KeePass http://keepass.info/
• 1Password https://agilebits.com/onepassword
2. Use Two-Factor Authentication (2FA)
The fundamental role of a password is to ensure that someone trying to log in to an accounts is the same person who created the account, based on private (or secret) knowledge of information. 2FA is a novel yet simple, understandable, and usable approach to this same problem based on private ownership of hardware, normally a phone. It’s also nothing new: whenever you use an ATM, you use both a PIN and a physical credit card. If you use both fingerprint and password based unlocks, that’s 2FA! According to a Google security report, two-factor authentication is the single action most highly recommended by security experts that is least considered by users.
Although mobile 2FA is mainly used only by large corporations such as banks, Google, Microsoft, Apple, and Facebook, it should be used whenever possible. Analysis of hacks on high-profile targets reveal that a significant number of breaches, spanning the IRS, Gmail, Amazon, Apple, PayPal, and Twitter, could have been completely prevented by two-factor authentication.
3. Mandate changing passwords
Many companies have passwords expire several times a year, and have rudimentary schemes in place to prevent employees from recycling old passwords. Overall, this is a solid security practice which protects against the “domino effect” caused by password reuse. More importantly, it can protect against social engineering attempts by recently fired or laid-off employees. It’s common for such employees to still have partial access to the company’s systems, as well as login credentials to servers.
This makes it all too easy for an aggravated employee to wreak havoc on his ex-employers, destroying, modifying, and stealing company secrets and data. Kevin Mitnick recommended that whenever any employee leaves, regardless of the conditions under which he left, the entire department and all of their servers change passwords. While it may appear overkill, it’s a simple inconvenience with the potential to prevent a costly public loss worth millions.