By Neal Bellamy, IT Director at Kenton Brothers
If you’ve been following us for any length of time, you know that Kenton Brothers is all about your physical security. Today, I’d like to talk a little about a different kind of security… your digital security.
Over the past decade you should have gotten the message to use strong passwords. (Probably too many reminders… but are you still using the same, easy-to-remember password for all your accounts?)
Passwords like “JackAndJill” and “123456” are fairly easy to hack with brute-force methods. Also, as more and more data breaches occur, hackers get access to lists of usernames and passwords. So even if you did come up with the “un-hackable” password and it got leaked, it’s now compromised.
Is your password on a list somewhere?
Did you know there is a website that can show you how many times your password has been recorded in data breaches? The website is haveibeenpwned.com. You can go there to see if your email or password has shown up on hacked lists. By the way, there is no such thing as an unhackable password. Given enough time, with enough resources, any password can be cracked. It seems pretty dire, doesn’t it? However, there are even better ways to protect yourself.
One way to help protect yourself is to use stronger passwords. Better yet, use passphrases. A passphrase is generally longer than a password, which makes it harder to guess, but easier for you to remember. Think of phrases that you use around your family and work-family and use those phrases as passwords.
For example, my family is pretty sarcastic. So when talking to my daughters about getting asked out on a date, my suggested response for them is “HaHaHaYouInsignificantFool”. Throw in a couple of numbers and special characters and you’ve got an easy-to-remember, secure password. Just remember… not only is it important to have strong passwords, but you’ve got to change them somewhat frequently.
Password Managers: A Unique Password for Every Website
Another way to protect yourself is to use a unique password for each system or website that you use. Unfortunately, this strategy is harder to implement than it seems. I probably have 100+ unique systems and websites that I would need to remember the unique password for. My brain just doesn’t have that kind of storage. That’s where password managers come into play.
A password manager can remember the passwords for you. You just have to remember the master password for the password manager software. There are lots of options out there. Just Google “password manager” to get started. Some of the most common are LastPass, Roboform and Dashlane.
Password managers can be a little cumbersome, like when I’m browsing from my phone rather than my laptop. However, for important accounts with stored credit cards or other personal information, it’s worth the minor inconvenience.
So far, we have just been talking about passwords. An inherent weakness of any password, even a strong one, is that it is a single “key” you need to know to gain access to an account. Even better than a strong, unique password is to pair that password with another form of authentication.
Multi-Factor Authentication (MFA)
A lot of websites, including Facebook, Google, and Office365, allow Multi-Factor Authentication (MFA). Multi-Factor Authentication makes sure you are who you say you are by asking for an additional “key” in tandem with your password. MFA can be a PIN texted to your phone, an app on your phone that shows a PIN that changes every 30 seconds, or a notification on your phone that asks you to confirm you’re trying to log into your account. MFA is easier to use, easier to set up, and more secure than a solitary password.
MFA can be required every time you log in, or only when you’re logging in from a new device. When you log into a site or service, you’re asked for your username and password, but then you’re asked for your second form of authentication. After your MFA is confirmed, you can use the site or service as normal. Since your phone is often the method that your MFA uses, a hacker would need to have your password and your phone to gain access to your account.
Next time you’re given the chance to provide your cell phone number for Multi-Factor Authentication, I recommend you do so! It’s easy to set up and easier to use than a password manager. It’s also more secure than using just a password. For a website that has personal information, but doesn’t have MFA, please make sure your password is unique and strong! This will go a long way towards avoiding the pain of identity theft or other challenging situations if someone were to get into your account.