Passwords Again?
Over the years, PSMail has published several articles and much advice on creating strong passwords and on the benefits of
supplementing them with our two-factor authentication. So you might be asking, “Why another article on passwords?”
Here’s a good example of why we harp on passwords: A Wired article written by Mat Honan describes how hackers exploited one (of several) inherent weaknesses in password security to gain access to his email accounts. They deleted everything – “eight years’ worth of email and documents” – and used the email account to take over his Twitter account as well. Honan says, “hackers destroyed my entire digital life in the span of an hour.”
Was it because he used weak passwords like “123456” or “password”? Nope. Honan used alphanumeric passwords, some with symbols thrown in for good measure. Was it because he carelessly left a list of all his account passwords lying around? Or used the same password on all his sites? Or gave someone access to his computer when he wasn’t around? Or was he the victim of a malware attack that stole his password and posted it online?
Nope. Even though all of these are legitimate weaknesses in a password-only security system, Honan’s accounts were hacked when someone called Apple and used some details about his life to persuade them to reset his account password. The strength of the password never mattered: the attacker never had to guess it, only to get the account-recovery process to hand over a new one. Once they had the new password, they were in. And he was finished.
Passwords are often the only line of defense between you and digital disaster, and that’s why it’s important to give them due attention. By now we all know the advice that’s so frequently repeated:
- Use a password manager
- Don’t write down or share your passwords with anyone
- Use long passwords (think passphrases instead of passwords)
- Don’t use recognizable words, names, or numbers (like a birth year) in your password
- Don’t reuse passwords on more than one account
There’s no doubt that all of these steps are essential and, further, that they go a long way to increasing your security. The problem is that increasingly even these steps are not enough. Hackers and scammers have found ways to get around even complex passwords (like the password-reset strategy mentioned above), and if the password is your only line of defense… well, it may not be strong enough to bet the bank on (literally).
So, what’s to be done? Here are two steps that can be taken to further strengthen your defense against attack.
- Use multi-factor authentication whenever it is available. Multi-factor authentication just means a second line of defense besides the password; a second way for a site to validate that you are really you. One of the most common types is a time-based token such as the software token PSMail supports, Google Authenticator. It provides you with a second, random-looking code that is only valid for a short time (typically 30 seconds). The code is not sent to you: it is generated on your own phone from a secret that was shared with the site when you set the token up, plus the current time, so there is nothing for an attacker to intercept in transit. The site computes the same code on its side, and a well-implemented site accepts each code only once, so even a code that someone manages to shoulder-surf is useless moments later. Other multi-factor systems like fingerprint scans, facial recognition, and hardware tokens should be used when available.
- Use answers to security questions that are either bogus or difficult to discover. This may seem like an odd one, but often the answers to our security questions are things that a hacker can track down via social media. Things like “City you were born in,” “Name of a pet,” or even “Name of your best friend” may seem like a great second line of defense, but a patient hacker can often track down those answers (for example, how many of these three questions do you think would be accessible via your Facebook account?). Treat the answers as extra passwords: make them up, store them in your password manager, and never reuse them across sites.
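To make the first step concrete, here is the time-based token mechanism (TOTP, RFC 6238, which is what Google Authenticator and similar apps implement) written out in a small, added example. This is illustrative code written for this article, not PSMail’s or Google Authenticator’s own code. The “phone” and the “server” are just two functions that hold the same shared secret; the secret used in the demo is the published RFC test key, not a real account secret, and the 30-second step and 6-digit length are the common defaults the example assumes. The verifier also shows the one-time-use check: a code that has already been accepted is rejected if it is submitted again.

```python
"""Toy TOTP (RFC 6238) authenticator and verifier with replay rejection.

Added example for this article; not PSMail's or Google Authenticator's code.
Assumes the usual defaults: HMAC-SHA1, 30-second time step, 6-digit codes.
"""
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds each code stays valid (RFC 6238 default)
DIGITS = 6       # code length most authenticator apps display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Time-based code: the counter is the number of steps since the Unix epoch.

    Nothing is transmitted; the phone and the site each compute this on their own
    from the shared secret and the current clock.
    """
    return hotp(secret, at // step, digits)


def shared_secret_from_base32(b32: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (the QR code)."""
    return base64.b32decode(b32.upper() + "=" * (-len(b32) % 8))


class TotpVerifier:
    """Site side: checks a submitted code and refuses to accept a time step twice,
    so a code that was shoulder-surfed or phished cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window        # steps of clock drift tolerated in each direction
        self.last_step_used = -1    # highest step already consumed by a valid login

    def verify(self, code: str, at: int) -> bool:
        current = at // TIME_STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step_used:
                continue            # that step was already used (or is older): reject replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step_used = step
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test key), not a real account secret.
    secret = shared_secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(secret, now)                 # what the phone displays right now
    site = TotpVerifier(secret)
    print("code:", code)
    print("first use accepted:", site.verify(code, now))
    print("replay accepted:   ", site.verify(code, now))
```

Run it and the same code is accepted once and refused the second time. The `window` of one step on each side is the usual concession to phones whose clocks drift a few seconds; widening it beyond that just lengthens the window in which a stolen code can be used.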
Different websites and organizations, from your bank to your TV service, will have different options for multi-factor authentication. As mentioned, PSMail has provided the option for you to use two-factor authentication for your account in the form of a software token on your mobile phone. You can read more about it here.
The crooks will continue to evolve in their attempts to steal information from individuals and businesses and we must evolve too. Part of that evolution means not depending on a password alone for safety.
(“But what if it’s too late? What if hackers have compromised some of my key passwords?” We’ll be talking about having a plan in case of compromise in our next article.)