Tuesday, November 27, 2012

Password Security and Protecting Yourself Online

There is a 14-year-old right now in their parents' basement on a computer. They don’t know your password, but with a little time and ingenuity they could get into your email account. Once they’re in your email account, it’s just a matter of time before they’re in your Amazon, Netflix, bank, and even PayPal. Heck, even public figures have learned the hard way that password reminder tools can hurt just as much as they can help.

That password that stands between you and chaos can be a string of six alphanumeric characters, or if you’re a real overachiever it might be 16 characters and substitute a $ for an S. Ohhhh, tricky.

The thing is, that pa5$w0rd helps spread a false perception that your online data is secure. These days, accounts are daisy-chained together for your convenience, but it’s pretty convenient for a hacker too. How many sites are set up with your email address as your username? How many other sites are set up to log in with your Facebook or Twitter account? Get one and you’ve got them all, and that’s not hard to do with some of your personal information that’s publicly available and easily found online.

Hackers compromise data every day, and it doesn’t always make the headlines. For every incident of Anonymous taking down the banks and government agencies in Israel that makes national news, there are countless others that don’t. Hospitals, schools, insurance agencies, NASA. If they can get in there, your little email account is no sweat.

The move to the cloud has been a slow one, so it’s no wonder that we’ve been lulled into complacency. In the early days of the internet, the “cloud” was barely a vapor, so your passwords could reasonably serve their purpose, as there were few avenues of mayhem that a hacker could follow.

Now though, your photos, documents, money, communications... they’re all in the cloud. They’re safe from physical destruction there. A fire, flood, or hurricane can’t compromise them, but as these online accounts have blossomed, online providers have acquiesced to the user desire for convenience and have created a system riddled with vulnerability. We’ve been told that our savior here is the password, but the notion of a “strong” password is a lollipop we’re given to cover up the bitter taste of inherent weaknesses in the system.

Passwords can be guessed, stolen, cracked, lifted, and reset. Yes, people still choose terrible passwords. Yes, people recycle usernames and passwords from site to site. Yes, criminals can be tricky and make you think you’re doing one thing when you’re really doing another. And yes, the bad guys can take tricking you to far more nefarious levels. The end result is the same though.

So what can you do? I mean, this is all pretty bleak! Short of installing a USB retina scanner or moving to the hills and going off the grid, what are your options?

There are actions you can take. There are actions you should take. And now.
1. Two-factor verification.
Some sites use multiple factors to authenticate the user at login. These can be knowledge factors (something you know, like a password or PIN), inherence factors (something you are, like a biometric of some sort), and possession factors (something you have, like a mobile device or ID card).
If you’re using Google Apps, you can enable 2-step verification for your domain to add that extra layer of security. Once it’s been enabled for your domain, the user selects the method for receiving their verification code on their mobile device: text message, phone call, or the Authenticator app on smartphones.
After the initial setup, at the next login the user will enter their username and password as usual, then on a second page they will be prompted to enter their verification code from their phone.
This two-factor authentication is just the start for Google, which is looking into other methods of verification and is vigilant in watching the patterns of your account and letting you know if anything odd happens.
What happens if a device is lost or stolen? Google Apps supports Mobile Device Management tools, and Android devices that are registered in the Account Admin Panel can be remotely wiped if they might be compromised.

2. Lie to your security questions.
Trick ‘em. What city were you born in? Where did you honeymoon? What is your mother’s maiden name? The Sea of Tranquility, Xanadu, and Mad Max. If it’s something I can look up on your Facebook page, it’s not something that should be guarding you online. Make up answers and stop being so predictable. 

3. Create a new email account.
Make a whole new email account that isn’t tied to your name, and use it only for your password resets. If you use a password manager like LastPass, tie that to this new email account as well. The key is to NOT have all of your eggs in one basket, and to stop daisy-chaining everything together.

4. Have some password savvy.
Substituting numbers for letters is sooooo 2010. Most password-cracking tools have those substitutions built in now, so stop it. But don’t use dictionary words either, unless you’re using a string of them. Simplicity, length, and variance are all factors to consider when you’re choosing passwords.
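
To put numbers on why a substituted dictionary word is weak and a string of random words is strong, here is an added example (not from the original post) that estimates the size of the space a guessing tool actually has to search in each case. The substitution table, the 100,000-word dictionary, the 7,776-word passphrase list and the guessing rate are all assumptions chosen for illustration.

```python
import math

# Assumed substitutions a rule-based password mangler tries; illustrative, not exhaustive.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}


def leet_variants(word: str) -> int:
    """Spellings a mangler derives from one base word: every substitutable letter
    either stays as-is or becomes one of its alternatives."""
    count = 1
    for ch in word.lower():
        count *= 1 + len(LEET.get(ch, ""))
    return count


def mangled_word_bits(word: str, dictionary_size: int) -> float:
    """Effective entropy of a substituted dictionary word: the search space is the
    dictionary times the substitution variants, not alphabet_size ** length."""
    return math.log2(dictionary_size * leet_variants(word))


def naive_bits(password: str, alphabet_size: int = 95) -> float:
    """What a meter reports if it assumes every character was chosen at random."""
    return len(password) * math.log2(alphabet_size)


def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of num_words words drawn independently and uniformly from a word list."""
    return num_words * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in a space of 2 ** bits guesses."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # assumed offline guessing rate against a fast, unsalted hash
    weak = mangled_word_bits("password", 100_000)
    strong = passphrase_bits(4, 7776)
    print(f"pa5$w0rd: a meter says {naive_bits('pa5$w0rd'):.1f} bits, "
          f"a cracker sees ~{weak:.1f} bits ({seconds_to_exhaust(weak, rate):.3g} s)")
    print(f"four random words: {strong:.1f} bits ({seconds_to_exhaust(strong, rate):.3g} s)")
```

The substituted word survives a fraction of a second of guessing while the four-word phrase takes weeks at the same rate, which is the whole reason the advice above favours length over trickery.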

5. Erase the loose ends.
Head over to spokeo.com and search for yourself.
Freaked out yet? It’s easy to hop on sites like Spokeo, Pipl, or Whitepages and find out the basics to start an attack, but it’s also simple to preemptively go on those sites and have your listing removed. Do it.

We didn’t want to bring you a bunch of doom and gloom to darken your day, but being on the cloud in this day and age means being vigilant in keeping your data as safe as you can. Luckily, if you’re using Google Apps, there are some extra measures you can easily take that will make you that much safer online.

Security training. Auditing. Two-factor authentication. It can all be a little overwhelming. If you have any questions about online security tools, or how to incorporate them into your business, contact Newmind today. As always, we’re here to help.