
Use Complex Passwords Across Multiple Websites and Applications
The majority of companies and websites have been breached, the most recent example being Yahoo, where over 1 billion accounts were compromised. These attacks result in account lists, and often the passwords that go with them, being sold on the black market for reuse by criminals. If you use the same password across different accounts, you risk multiple personal accounts being compromised when one site is hacked: credentials stolen (or bought) to access one site can then be tried on any other site where you used the same username and password.
Complex passwords matter because they take an attacker longer to recover. Passwords are most often stored in a hashed (one-way encrypted) form, so when a password database is acquired the attacker must still crack each entry by guessing candidate passwords and comparing them against the stored values. The longer and more complex the password, the longer this process takes. If I am an attacker and I have just purchased or acquired a large number of password hashes, I am going to go after the ones that crack first. Chances are these belong to the same people who reuse passwords across multiple sites.
Finally, the Yahoo breach was extremely troublesome because of the password reset functionality on most sites. For example, if you had a Yahoo email address and used it on other websites as your username or primary contact method, an attacker who controls that compromised mailbox can trigger a password reset on those other sites and have the reset link sent to an account they already control.
Tips for Healthy and Secure Account Management Habits
1. Assess the websites and applications you use (including the apps on your phone) in which you have a username and password.
- On any sites where you have reused a password, change it so that you have a unique password for each site.
- Ensure each of those passwords is complex as well as unique to the site it protects.
- Whenever possible, use your cell phone as the authentication measure for password resets or changes instead of a primary or secondary email address. This technique, which is becoming more common on many sites, can greatly enhance the security of your accounts by adding another layer of authentication, and it removes the dependency on an email account that may itself be compromised.
2. The tasks identified above can be simplified by using a password manager. These solutions install as applications on your phone and as add-ins in your browsers, and they manage account access while you browse the Internet. These solutions can:
- Automatically inventory all the applications in which you have accounts and measure the strength of your passwords.
- Create new complex passwords for you whenever you need them.
- Manage the logins to all your websites in an automated fashion.
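As an added illustration of the two points above (why cracking time grows with password length and complexity, and what a password manager's inventory and strength checks do for you), here is a small Python audit script. It is example code written for this page, not code from LastPass or any other product. The site names and passwords in SAMPLE_INVENTORY are constructed, the 1e10 guesses-per-second rate is an assumed figure for an offline attack against a fast hash, and the short COMMON_WORDS list stands in for the much larger wordlists real crackers use.

```python
import math
import secrets
import string
from collections import defaultdict
from hashlib import sha256

# Constructed sample inventory: hypothetical sites and passwords, not real accounts.
SAMPLE_INVENTORY = {
    "mail.example": "Summer2016!",
    "bank.example": "Summer2016!",          # reused from mail.example
    "shop.example": "password",
    "forum.example": "gT7#kq2LmZ9!vW4p",    # manager-style random password
}

# Character classes an attacker would include in a brute-force keyspace.
CHARSETS = [
    ("lower", string.ascii_lowercase),
    ("upper", string.ascii_uppercase),
    ("digit", string.digits),
    ("symbol", string.punctuation),
]

# Tiny stand-in for a cracking wordlist (constructed for this example).
COMMON_WORDS = {"password", "summer", "welcome", "letmein", "qwerty"}


def entropy_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(size of the classes used).
    This assumes the attacker knows which character classes appear."""
    alphabet = sum(len(chars) for _, chars in CHARSETS
                   if any(c in chars for c in password))
    return 0.0 if alphabet == 0 else len(password) * math.log2(alphabet)


def crack_time_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Expected seconds to find the password by exhaustive search (half the keyspace
    on average). The default guess rate is an assumed figure for a fast hash."""
    return (2 ** entropy_bits(password)) / 2 / guesses_per_second


def looks_like_dictionary_word(password: str) -> bool:
    """Catch the 'Word + year + symbol' pattern that keyspace math overrates:
    strip digits and punctuation from the ends and look the core up."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core in COMMON_WORDS


def find_reuse(inventory: dict) -> list:
    """Group sites that share a password. Comparing SHA-256 digests rather than
    plaintexts keeps the reuse check from handling the passwords directly."""
    by_digest = defaultdict(list)
    for site, pw in inventory.items():
        by_digest[sha256(pw.encode()).hexdigest()].append(site)
    return [sorted(sites) for sites in by_digest.values() if len(sites) > 1]


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG (secrets), guaranteed to contain at
    least one character from every class, as a password manager would produce."""
    alphabet = "".join(chars for _, chars in CHARSETS)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in chars for c in pw) for _, chars in CHARSETS):
            return pw


def audit(inventory: dict, min_bits: float = 60.0) -> dict:
    """Return the sites with weak passwords and the groups of sites sharing one."""
    weak = sorted(site for site, pw in inventory.items()
                  if entropy_bits(pw) < min_bits or looks_like_dictionary_word(pw))
    return {"weak": weak, "reused": find_reuse(inventory)}


if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for site, pw in SAMPLE_INVENTORY.items():
        print(f"{site:14s} {entropy_bits(pw):6.1f} bits  "
              f"~{crack_time_seconds(pw):.3g} s to brute-force")
    print("weak:  ", report["weak"])
    print("reused:", report["reused"])
    print("replacement for shop.example:", generate_password(20))
```

Running it shows the gap the text describes: "password" falls in seconds at the assumed guess rate, "Summer2016!" scores well on raw keyspace but is flagged because its core is a dictionary word, and the two sites sharing it are reported as a reuse group, which is exactly the exposure a single breach turns into multiple compromised accounts.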
3. Below are some links to password management related articles that compare various password managers. I personally like and use LastPass for password management. However, as you read about LastPass you may see some bad press, as it was hacked a while back. It might seem unbelievable that I would still recommend it, but keep in mind that in my travels almost all companies, websites, and applications have been hacked, so I do not use this as a limiter in my selection process if the functionality is good.
Here are the links:
- http://bestfreekeys.com/best-password-manager/
- http://www.csoonline.com/article/2877613/identity-access/top-password-managers-compared.html
4. Need more help or have questions? Send me an email at mike.gentile@cisoshare.com or reach me at @mikegentile03, and either I or someone from my team will help you.