By now, there’s a fair chance you’ve heard about Facebook’s 2019 security breach. Specifically, the gross mishandling of personal information over the last couple years. In addition to several past breaches of security, the company had left “hundreds of millions” of usernames and passwords unencrypted in a file for some 32,000 employees to see. Not exactly Fort Knox level security.
Even if it was just internal to the company, the chances of something that potentially valuable making it out into the wild are remarkably high. As a Facebook user with a potential username and password on that list, you should be changing one or the other (or both) immediately… I’ll wait.
Keeping in mind that Facebook is a global organization that broke one of the first tenets of security, let’s talk about passwords for a moment. In the world of IT security, passwords are at the core of everything. The reality is there’s very little standing between an attacker and your computer or your online accounts. Passwords remain the most common defensive line of the technological world, and defensive lines aren’t always that great.
This post is part one of a two-part discussion on passwords. Good habits for choosing online passwords and machine passwords are not the same. The two are approached differently by those who would exploit them and should be treated as such.
In the spirit of Facebook’s many debacles, let’s begin with the online portion.
What makes for a good _online_ password?
If you consider password creation in isolation, it’s not difficult to make a good password. Length is a large factor. Lower/upper case letters, numbers, and symbols; they’re all important. But you’re not the only password in town, and the predictability of passwords outside of your account plays a factor too. As a whole, people overwhelmingly tend to use the same passwords, repeating them not just between accounts for work, school, online, etc., but also between people. Society has shown we are mind-numbingly un-clever when collectively choosing passwords.*
Narrowing the scope from the whole of humanity, even your personal online presence is made up of many, many accounts. These accounts span multiple sites, and chances are you’ve forgotten about many of them the same way I have. Some accounts are high-risk (banking) and some accounts are not (a message board, for example). Weirdly, the lower the risk, the bigger the problem. Those message boards aren’t invested in security the way a bank would be, yet your login information there is not worthless. Low-risk accounts also tend to be ignored more often when a breach does occur. If something happens and you’re notified, you might not remember the account, or the notification email looks like spam. Facebook, on the other hand, gets a ton of press when something goes wrong. The same cannot be said for muppetcrafting.com.
The importance of frequency can’t be overstated. How often do you use the same password across multiple sites? How many times do you use the same username or email? Simply put, a couple of passwords spread across many sites is dangerous. Especially if you’re registered under the same email… and worse yet, if you use the same email/password combination for high and low security accounts. Re: banking (high) vs. PetSmart (lower).
How One Breach Can Unravel More
Let’s pretend you have an online account at Home Depot. You just wanted home delivery of a couple of screws and created a relatively minor-looking account. You heard about a breach a couple of years ago and weren’t overly concerned. As soon as you got the warning email, you dutifully changed your password and moved on with life. It’s Home Depot; there isn’t a credit card on file, so it’s no big deal. You were right in how you dealt with it, but let’s look closer at how this breach would be exploited.
What was really exposed? Your old password, right? Yes, but also your username, which is usually an email. This username/email and password combination is the problem. If you reused that combo on a more sensitive site, all of a sudden Home Depot is the least of your worries. That minor breach you spent minimal time fixing is now potentially serious, depending on how you’ve secured your other accounts. Hackers use multiple techniques to gain access to secure accounts, and password lists harvested from security breaches are low-hanging fruit. They are easily obtained, proven roadmaps to potential access on other sites.
This is a company that many consider to be among the highest-security accounts in their lives. Akin to banking and healthcare, Facebook plays a huge role in people’s lives, and they protect it as such. If you use different passwords for lower-risk vs. higher-risk sites (like many people do), then what Facebook has done is no small incident. IT security experts will tell you that your email/password combination on Facebook must be assumed compromised. Regardless of the actual outcome, too many people had access to think otherwise.
Crossroads IT is not trying to fear monger, but we do want you a bit motivated to address your situation. I know plenty of people who run the same few passwords for everything they have online because it’s easy to remember only a couple of passwords. Once a password gets exposed in one place, it doesn’t matter how unique it is. This practice is outdated and you can do better.
Fact is, you only need to remember a couple of passwords and can still have every other password be different. Introducing… Password Managers!
Password managers will usually do one very eponymous thing for you: manage your passwords. Companies include LastPass, Dashlane, TrueKey… there’s no shortage**. The majority of them not only securely store your passwords, but also offer to generate a random password for each site on which you have a username.
If you’re just interested in password generation, random password generators exist independently as well. They come in various flavors. You can control length, the randomness of the characters, if you want to use common phrases, if you want to use unique phrases, and even if you want a mess of keyboard-mashing just delivered to you. They range from easily-retained to Rainman-esque.
Many of the managers also allow you to share your credentials with whomever you like. While not ideal from a security standpoint, that joint checking account is not subject to forgetfulness. This is not to mention 2-factor authentication, emergency contacts, recovery options, etc. All important features if you’re going to trust your digital life to the aether.
“What about my impossible-to-guess password?”
In my humble opinion, online accounts deserve complete and utter nonsense.
Why nonsense? Well, the easy answer is how hackers operate when trying to deal with passwords. They can run through lists of common passwords that are 10000 entries long. As I mentioned, the world is terrible at unique passwords, and nonsense is simply not common. If you gave a hacker a list of common passwords, why wouldn’t they try those first?
Another method is called a Brute Force attack. This laborious exercise guesses every combination of characters until it gets the right one. With modern equipment, a password consisting of 8 alpha-numeric characters would take a computer about 22 minutes to crack. 16 alpha-numeric with symbols? About 204 million years.
There are other techniques for hacking passwords, but these are the most common and the easiest to prevent. Anyone seriously trying to hack a password isn’t guessing about your kids or pets; this is systematic. Most of the time, the goal is to get a few successes amongst thousands of accounts. Don’t be that success.
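To show what a random generator and the brute-force arithmetic above look like in practice, here is an added example (not code from the original post or from any of the password managers named). It draws from the OS random source, offers both keyboard-mash and word-based output, and estimates how long exhausting a given search space takes; the guess rate and the tiny word list are constructed assumptions, and real passphrase generators use dictionaries of thousands of words.

```python
import math
import secrets

# Character classes the generator can draw from (symbol set is an assumption)
CLASSES = {
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digits": "0123456789",
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?",
}

# Constructed sample word list standing in for a real passphrase dictionary
SAMPLE_WORDS = ["anvil", "bishop", "cactus", "dolphin",
                "ember", "falcon", "glacier", "harbor"]


def generate_password(length=16, classes=("lower", "upper", "digits", "symbols")):
    """Keyboard-mash style password from the OS CSPRNG.

    Retries until at least one character of every requested class is present,
    so a site's "must contain a symbol" rule is always satisfied.
    """
    if length < len(classes):
        raise ValueError("length too short to include every requested class")
    pool = "".join(CLASSES[c] for c in classes)
    while True:
        pw = "".join(secrets.choice(pool) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in pw) for c in classes):
            return pw


def generate_passphrase(words=5, wordlist=SAMPLE_WORDS, sep="-"):
    """Easily-retained style: random dictionary words joined by a separator."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def brute_force_estimate(length, alphabet_size, guesses_per_second):
    """Search space, entropy in bits, and worst-case seconds to try every guess.

    The guess rate is whatever you assume for the attacker's hardware; the
    ratio between two configurations is what matters, not the absolute time.
    """
    space = alphabet_size ** length
    return {
        "search_space": space,
        "entropy_bits": length * math.log2(alphabet_size),
        "seconds_to_exhaust": space / guesses_per_second,
    }
```

Comparing `brute_force_estimate(8, 62, rate)` with `brute_force_estimate(16, 94, rate)` at any fixed rate shows the point of the post: adding length and symbols multiplies the attacker's work by many orders of magnitude.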
Browsers are not Password Managers
If you use a major web browser, you may be letting it manage your passwords. Autofill is a great thing, I know (some managers have it too). I should note that while most major web browsers do have a management function, there is a level of security you get only with a dedicated password manager. Most notably, managers are decentralized and their contents aren’t easily referenced locally on a computer, meaning an offline computer doesn’t store your passwords the way a browser does. Because of that, a password manager can’t have its entire contents unlocked with a computer login the way a browser can. Managers also make sure that if you lose your computer in a power surge, your digital life doesn’t go with it.
That’s not to say browsers are insecure, exactly. Chrome and IE are trying to do many, many things, and they do them well for the most part. Password managers simply work on a different level. It’s all they do, and most of them excel at it. Would you rather have a hip replacement done by a GP or an Orthopedist? From personal experience, go with the Ortho.
Take a Breath
Alright! That was kind of intense, yah? Probably more than you wanted to know, but be mindful of how you protect yourself. We can definitely delve deeper, but this should be fine for general guidelines. Being the owner of a company with a public presence, I take a few more precautions than I would have before I launched. There’s way more I could do, but my risk doesn’t merit it at this point. If you feel like you’re at a higher risk of being singled out or targeted, then there’s a discussion to be had about further measures.
As always, Crossroads IT is here to answer any questions and help you and your office get secure. Passwords are the most basic of barriers, and there are plenty of other ways to keep your stuff to yourself.
Keep an eye on our blog for part 2 of this discussion, where we talk about hardware passwords: desktops, laptops, and mobile devices. Also, we’re currently editing a series of posts centering around IT Security as a whole, and what you can do to help secure your small business.
Don’t want to wait to read about it? You can contact us today! We’re here to help.
* – Check out Esquire’s article (after you read this one) and you’ll see what I’m talking about.
** – Crossroads IT doesn’t endorse one over the other as they are situational. Your business or family might prefer the interface of one to the other. Maybe you like the sharing function of one offering but see no point to that in another; it’s a personal (or enterprise) decision that we’d be happy to discuss.
Copyright © 2018-2019 - Crossroads IT, L.L.C.