I should have entitled this post “How to be intrepid online” because the information I’m about to offer should make you dauntless. After reading this post, you’re going to have the tools you need to surf the web without worrying about thieves stealing your passwords.
Staying safe online is critical because the intrinsically open nature of the web makes it a playground for hackers.
For example, somewhere between the latter half of February and early March, cyberattackers breached the user database at eBay.
The hackers exploited the logins of a small group of eBay employees and then used their elevated rights to access the corporate network and steal the following personal information from customers:
- Email addresses
- Physical Addresses
- Phone Numbers
- Encrypted Passwords
Although eBay claims PayPal financial data wasn’t exposed, and despite the fact that the passwords were encrypted, the impact of the breach is nothing short of cataclysmic.
About 145 million eBay customers were affected by an attack which occurred over 2 months ago. Ironically, it was only detected about 2 weeks ago and then partially communicated to the public 2 days ago.
The fact that eBay waited so long to disclose a breach of such a monumental scale is about as frightening as it is appalling.
In a tweet sent yesterday afternoon, Roberts expresses his dissent with eBay’s half-assed treatment of the problem:
Now here’s my thing: why did eBay treat the breach as inconsequential just because financial data wasn’t exposed? This is an egregious mistake for eBay’s reputation and I imagine it will lose a large slice of its customer pie after this debacle settles.
eBay is at a crucial juncture here: the breach itself was bad, but the manner in which eBay communicated it was both unprofessional and lame. In addition, eBay shouldn’t importune their beleaguered customers by asking them to reset their passwords! Hey eBay, why don’t you take on the burden and do this for the people who keep you in business?
And regarding those encrypted passwords: why is eBay touting encryption as if that’s a sufficient condition for password safety?
Every professional in Information Security is aware that hashing passwords is more secure than encrypting them. Understanding the difference is critical.
The former cannot be reversed to reveal the password in plaintext; the latter, encryption, depends on a secret key. So if the attackers grabbed the key they could easily expose the plaintext passwords: encryption can be reversed, hashing cannot.
My point is that password encryption often engenders a false sense of security.
But that’s not my real gripe today.
The real reason I’m deprecating eBay is because when hackers depredate your site and run away with oodles of data that loyal customers trusted in your hands, you ought to deliver the bad news IMMEDIATELY.
Yes, eBay you’re chagrined by the breach, but by dissembling the problem you’ve inadvertently exacerbated it because now your customers don’t trust you. Stupid move. It’s always better to come clean than it is to paint over the truth.
The company was utterly delinquent in addressing a breach of abysmal proportions and therefore has lost all my respect.
That being said, I need to show you three tips to keep your passwords safe so that when another major website succumbs to a security breach you can smile with equanimity and say:
Let’s get to it:
1. Always use a unique password
Everyone is cognizant of this fact, right? Using different passwords for different sites is a keen idea, but how many people actually do this?
On the one hand, using the same password for different sites makes it easy for you to access your sites. I mean, no one wants to remember different passwords, so when you force people to do this they often resort to insecure storage methods such as writing it down on a Post-it or saving it in a text file on their computers.
Yet, on the other side of the coin, we all innately know that having unique passwords will make you infinitely more judicious than those who don’t use unique passwords. In fact, according to a recent study by Ofcom, about 55% of adults use the same password for most if not all their web properties.
This is the thing: I get it and I see the conundrum. There’s a tenuous balance between security and convenience, and the former always seems to encroach on the latter. But fortunately password managers such as NYC-based startup Dashlane and Virginia password powerhouse LastPass offer excellent password management services that not only generate and store unique passwords for all your sites (so you don’t have to remember them) but also create secure passwords that would take eons to crack.
I’ve been using LastPass for a few months now and can honestly say that it has been a boon to my life. All of my previous attempts to secure my passwords were lackluster at best. I discovered I was spending an inordinate amount of time resetting, recycling and remembering passwords for dozens of sites.
The really neat thing about Dashlane and LastPass is that both use world-class protection schemes that are utterly indomitable.
I don’t use that word lightly: when I say indomitable I mean indomitable.
Both Dashlane and LastPass use AES-256 encryption, which is the industry standard and is virtually unassailable. Furthermore, the encryption key isn’t stored on Dashlane’s or LastPass’s servers, so even if someone hacked LastPass or the government forced Dashlane to relinquish its keys it would be futile.
I exhort you! Embrace these password managers, don’t be timorous or afraid of them – they will help you and give you peace of mind.
2. Champion two-step authentication
Two-step authentication is jargon for exasperating hackers by making them jump through two hoops to get into your account instead of just one.
Normally, we create a password for a website, but if someone steals it they score the keys to your kingdom. It’s like leaving the key under the mat of your home; one key gets the TV, sofa and your coveted R. Kelly music collection.
With two-step authentication, you augment your password with something else such as a numeric code, a phone call or some other unique identification token.
Initially, this may sound like more work than it’s worth; however, once you set it up you’ll become conversant with the new sign-in process and it’ll make sense.
I’ve been using it with my Gmail account for a few months and I love it.
Here’s how it works:
I still sign in to Gmail with a single password (courtesy of LastPass); however, at the genesis of the two-step authentication process, Google asked me for a one-time verification code which it sent directly to my cell phone. After I entered the code into Gmail, it stored the code, so now Google no longer bothers me with requests for that code.
But that’s not the best part.
The truly powerful result is that if anyone tries to sign into my Gmail account from another computer, Gmail forces that person to not only enter the correct password but also enter a unique verification code that it sends directly to my cell phone.
Password + Code = Access. No code, no access.
You need both and that’s why it’s good. Admittedly, it isn’t perfect but it’s certainly more secure than using a strong password alone.
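The "Password + Code = Access" rule and the remembered-device behaviour described above, as an added example written for this post (not Google's code): a small server-side login check that only issues a one-time code after the password is right, accepts the code once within a short window, and then trusts that device so later sign-ins need the password alone. The SMS channel is a constructed stand-in (`sent_codes`).

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a one-time code is only accepted briefly after it is sent

class TwoStepLogin:
    """Server-side check: password AND a one-time code sent to the user's phone.
    A device that has completed both steps once is remembered and skips step two."""

    def __init__(self, password: str, clock=time.time):
        self.clock = clock                     # injectable so expiry can be tested
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.pending = {}      # device_id -> (code, issued_at)
        self.trusted = set()   # device_ids that already passed both steps
        self.sent_codes = []   # constructed stand-in for the SMS channel

    def _password_ok(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.pw_hash)

    def login(self, device_id: str, password: str, code=None) -> str:
        """Returns 'denied', 'code_required' or 'granted'."""
        if not self._password_ok(password):
            return "denied"            # wrong password: no code is ever sent
        if device_id in self.trusted:
            return "granted"           # remembered device: password alone suffices
        if code is None:
            new_code = f"{secrets.randbelow(10**6):06d}"
            self.pending[device_id] = (new_code, self.clock())
            self.sent_codes.append((device_id, new_code))   # the "SMS" goes out here
            return "code_required"
        expected, issued_at = self.pending.get(device_id, (None, 0.0))
        fresh = self.clock() - issued_at <= CODE_TTL_SECONDS
        if expected is not None and fresh and hmac.compare_digest(code.encode(), expected.encode()):
            del self.pending[device_id]   # single use: the code cannot be replayed
            self.trusted.add(device_id)
            return "granted"
        return "denied"                   # wrong, expired or never-issued code

if __name__ == "__main__":
    acct = TwoStepLogin("correct horse battery staple")
    print(acct.login("my-laptop", "correct horse battery staple"))        # code_required
    _, code = acct.sent_codes[-1]                                          # read the "SMS"
    print(acct.login("my-laptop", "correct horse battery staple", code))  # granted
    print(acct.login("my-laptop", "correct horse battery staple"))        # granted, no code
```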
I’ve included a few links that show you how to set up two-factor authentication with the big boys:
- Google (includes all Google properties)
I know this feels like a lot of work and you’ll be tempted to procrastinate but I have to admonish you to commit to setting up two-factor authentication on at least 5 of your most frequently used accounts this weekend.
Can you promise me that?
I’m serious, you will NOT regret the decision.
The Bottom Line
I really want to spare you the lamentable possibility of having all your personal information stolen because you used the same password across multiple sites and didn’t set up two-factor authentication.
Everyone who takes the time to implement the two suggestions I propounded in this article will be exponentially better off the next time a major data breach occurs.
From the infamous Heartbleed bug earlier this year to the eBay debacle announced yesterday, network breaches are becoming increasingly common.
But lucid users can take simple steps to avert disaster – today you’ve become one of those lucid users.
In the meantime, I encourage you to check out the 2014 Data Breach Investigations Report so you can see the incident patterns and how data breaches are becoming ascendant.
Well, that’s all for now. I hope this little guide helped you in some way. If you found something interesting, please share in the comments below (and get LastPass, it seriously rocks!)