Famously, according to the New Yorker cartoon: ‘On the Internet, nobody knows you’re a dog.’ However, today in the wake of numerous breaches, it may seem like everyone may know everything about you. The reality, naturally, is somewhere in between. As we enter another National Cybersecurity Awareness month, key information – your identity, your passwords, and your access have become more important than ever. Especially for those in roles with additional system privileges like system administrators, access to your account is an important target for many kinds of adversaries. When you think about it, everyone has some level of important access. For individuals that may be access to their bank accounts, email, or other personal and business accounts. We see interest in these access points all the time surrounding celebrity hacks, and we also see it when hackers aim at companies. The more you are in the public eye, the more you become a target.
However, this does not mean there is no hope in sight.
For 2017’s National Cybersecurity Awareness month, there’s been an important change. Recently, the National Institute of Standards and Technology (NIST) updated and revised its guidance on passwords. Gone, finally, are the recommendations to pick hard to guess passwords like $9Ewe0&v. These passwords can be easy to crack with offline tools. Worse, those often devolved to Pa$$W0rd, Il0v34ou, or similar variations. For every breach of passwords that’s been analyzed, the most popular password in the database was a simple variation of ‘password’.
When you look at the breaches of the last couple of years, many have started with software that gained access to a User ID and Password that were then used to do something harmful. From global banking hacks to global malware attacks, adversaries have harvested passwords to do harm to both individuals and enterprises alike. Three changes would have stopped, or significantly reduced the damage from these attacks.
- First, users need to be able to select and manage long passwords – without being forced to choose numbers and special characters (although choosing them remains a great idea). Instead, passwords longer than 16 characters, but easy to remember should be used. An Ideal password might be a book or movie title, a favorite character or something else. Even better, pick 4 or 5 words randomly. Nearly 20 years after leaving a government organization, I can still remember the passphrase I used for one system: ‘ApplaudGerberBorealisPreacher’. Any site that won’t let you pick this kind of very long password hasn’t caught up to the reality of security today.
- Second, critical systems should be using some kind of multi-factor authentication. Most often we find these implemented by sending a little code to your phone which you then type into the website. These force the adversary to specifically target you, and require real work to overcome. You should be setting up two-factor or multi-factor authentication on any site that will let you. Especially think about any site protecting money, embarrassing photos, or where someone could pretend to be you and create job or relationship problems.
- Third, systems should let you know when you’ve logged in recently. Any review of logs, including simply sending you an email or text when you successfully log on can help identify adversary activity. When you get a note thanking you for logging on – and you didn’t log on – it’s an instant flag to go change your password and ask the company for help.
Choosing passphrases over passwords, and asking sites to support both passphrases and multi-factor authentication will go a long way toward reducing breaches in your personal life and letting you control more about who knows your information on the Internet.