Guess what? Last Thursday, the first Thursday in May, was World Password Day. Right? You didn’t even know it. We in the Privacy and Data Security Practice Group thought it would be a perfect opportunity to talk about the importance of the most basic, but still effective way to safeguard your accounts and data. In the early days of the internet, a simple password was all you might need to adequately protect the one or two accounts you might have had. Your desktop login, your email, and maybe some early version of social media. Password security was taken so lightly; it wasn’t unusual for passwords to be stored in a plain text file on a desktop or on a sticky note at your desk. Those days are over. Well, they should be.
Today, you have tens if not hundreds of accounts housing so much more than just your email or pictures. However, many of them are still just protected with a simple password. And we have criminals finding every possible way to get into those accounts to steal your money, your identity, and potentially harm others. Complex algorithms, known generally as “brute force attacks” are used to try out hundreds of thousands of passwords in the span of minutes or hours. A hacker who prefers the scalpel to the hatchet may use “key loggers” to lift your passwords as you type them in. More than just computer science technology experts, modern hackers have become masters of human psychology. Favorite tactics include leaving flash drives with automatically executing malware that harvest your passwords and sends them off to a hacker; sophisticated “social engineering” tactics like calling and pretending to be tech support, using high powered cameras to “shoulder surf” to collect passwords in real time, or even putting on a suit and walking into an office looking for written passwords or access to systems to introduce malware.
However, in our years of experience with incident response, the bad guys rarely need to go to these lengths to gain access. Why? Because most people use easy to guess passwords, or no password at all. Or, a user might use a password that is “weak” or comprised of just a few digits (birthdate) or letters (name of a pet). In short, no “hack” is really needed because the barrier to entry is so low.
So what to do? Keep evolving, just like the bad guys do. The first thing you should do is make sure you maintain different passwords for every login you have, at least for the most sensitive of accounts. If you like to use the same password for convenience, all it takes is one security breach and your entire life is compromised. Using common words also makes things easier on hackers, such word combinations are often cycled through first in attacks, increasing the likelihood of an attack succeeding before it can be detected. And make your passwords “strong” or complicated. An asynchronous combination of letters, numbers, and symbols is ideal. And the longer the password, the better. Longer passwords are harder to guess and take software longer to crack.
Part of your evolution, whether as a company or an individual, must include the adoption of multi-factor authentication. From our incident response work, we can confidently say at least half of those incidents from this past year would not have happened if multi-factor authentication was in place. That is not an exaggeration. Simply adding a second layer of security can stop a hacker in her tracks. If you have used two-factor identification you might feel the pain of having to enter a code, you receive as a text or call on your mobile device after you have logged in with your password. This little annoyance is actually one of the single most effective and practical weapons we can employ against the ever advancing army of darkness that is the global hacking community. By adding a layer by which a bad actor needs to have physical control of a secondary device for him to login to a given system, we can protect ourselves even in the event of a password breach. Lastly, don’t forget the importance of other technical safeguards such as emails or texts from individual systems notifying you of atypical login activity or from other devices. These notifications should always be given attention because they are often the last line of defense you have in quickly identifying and stopping someone from compromising your account(s). And, as we have shared before, always be wary of email communications to induce you or your employees to send money to the bad guys.
So, please, celebrate World Password Day this year and every year. Needless to say, it is right up there with New Year’s Eve and the 4th of July. But, likewise, please celebrate responsibly! You can do so by changing your passwords up, making them strong and unique, and adding some layers and depth through two-factor authentication. Sign up for Taft’s Privacy and Data Security Insights for more updates and information in the ever changing world of data privacy and security.