Effectively reduce your risk of becoming a victim of cyber crime.
Strong Passwords & Two-Factor Authentication
Most users never realize that their data has already been stolen.
Come on, let’s do a quick test!
Head over to: haveibeenpwned.com/
and type in your email address.
And?
Did you get ‘pwned’?
(That means your account has been involved in a reported data breach!)
I did 5 times. How bad was it for you?
I was really interested in that question and started a random search with some email addresses of people I know. Friends. Clients. More than half had already been affected somehow. So don’t forget to whip out this website with some of your friends, or try your spouse’s email. It’s going to be fun!
I mean, honestly, the list of all the websites and services that had breaches is already way too long. I couldn’t even read it all. Just “fly” over it and you will be amazed to see all the familiar names on the list. Since this article is going to dive deeper into this topic, we should check out the contents first.
Content of this Article
- Why does my password matter?
- Why do we even use passwords?
- What are the worst password mistakes you can make?
- Do not use an easy password.
- Do not use the same password.
- Do not use a text file on your computer to store your passwords.
- Should I change my password?
- Please, please start using Two Factor Authentication!
- How can you better protect yourself?
- What kind of two factor authentication can I use?
- How many email accounts should I have?
- The Password Vault
- The Password Card
- How to use the password card
- Personal Password Algorithm
- Example: How to use the personal password algorithm to log in to Linkedin
- Diversify your email accounts
- Will we ever change?
- Summary
Why does my password matter?
Nothing is safe. Not even all those tips that I am going to list. They can only raise your security to a better level.
And even though I say that, you should really pay a little bit more attention to your digital safety.
If you don’t believe me, just take a look at the FBI’s most wanted list for cyber crimes.
Besides the actors that were involved in the hack of members of the Democratic Party prior to the election in 2016, the top ten wanted hackers have stolen more than 78 million sets of data including SSNs and health records.
They were spying on behalf of another country; robbed at least 56 million dollars and also stole over 100,000 data sets of Navy personnel.
And that is really just the tip of the growing iceberg. The number of breached data sets is projected to triple every year over the next five years.
Think about what you would do if you realized today, that any of these things had actually happened:
- your cash app was drained by strangers,
- your photo cloud was accessed,
- your business data is frozen, or
- your customer data was stolen.
“A new report by Juniper Research found that over 33 billion records will be stolen by cyber criminals in 2023 alone, an increase of 175% over the 12 billion records expected to be compromised in 2018, resulting in a cumulative loss of over 146 billion records for the whole period.” (Source)
And since the US is home to most of the tech giants like Google, Facebook and Amazon, about 50% of those breaches will happen to data stored in the USA!
It’s not big in the news at all, but check this list of 21 cyber breaches in 2018 with the top hack getting into over 1.1 billion sets of data!
The ID database of the Indian government was hacked and 1.1 billion sets of data were stolen. (Source)
(That’s 1,000,000,000)
You can not influence whether or not the software you use or an app that you have installed might open up a backdoor into your system. But you can be more cautious about what kind of apps you install and who the author is.
And even the most trusted software developers like Microsoft have a pretty stable track record of leaving gaps wide open. So instead of looking at this in anxiety mode we should rather shift the view to what is easy and doable.
Most passwords are like a seatbelt that is not clicked in. It looks like you are safe until you hit the wall.
During my work as a developer, I come across a lot of passwords and they are either totally random passwords (generally “a strong password”) or some combination of a dog’s name and a house number or birthday.
The simplest of all break-in methods is automated: trying to guess your password. A list of the most used passwords is run automatically by a script.
Now add some “artificial intelligence” into the equation and a script can read your social profiles to find your dog’s name and make it a variable in the break-in.
I hope this makes you realize that you have a lot of control through the choice of your passwords.
Why do we even use passwords?
It seems somewhat paradoxical that the password is mistreated in such a bad way these days. I believe people are just annoyed by it. Maybe the most “real” threats to the access of an account are people belonging to a person’s direct surroundings.
When setting a password, who do you envision keeping out of your account?
Your co-workers or family members; nosy people that would read your third grade diary?
The threat to their accounts is too abstract for most people.
We have to make ourselves aware that the password is there to literally keep out a herd of hacking zombies!
Password bots are just like a herd of zombies coming towards your farm; they are programmed to come after you and can infect others. They will relentlessly keep trying to feast on you.
So you had better put a stronger lock on your door!
You are a target. Services you use are under attack every day.
Data is traded like a commodity on the “darknet.”
If your email showed up on any of those lists above it is very likely that it has been traded as well.
Even data that was stolen years ago can become relevant today if hackers start to use it. Most “darknet” marketplaces have come to public attention through mostly drug-related news. However, they are also used to trade any kind of personal information:
● Credit Card data
● Social Security Numbers
● Email accounts
● Lists with the most used passwords
● Lists with stolen passwords
If it’s data, it might be of interest to somebody. Many hackers specialize in just about any aspect of the crimes they commit. You know that from any good action movie; the team of bank robbers has to find a “specialist” to open the safe. Instead of trying to exploit all 77 million users themselves, the hackers can split up the data and sell it off in bundles. And even petty data can be interesting. Credit card data, social security numbers and other information are a commodity and often go in bulk. So, relatively speaking, you are just a number in a spreadsheet. A fraudster who orders on eBay with stolen credit card information doesn’t need the capabilities of hacking somebody. All they have to do is buy a good data set and use the card within the credit limit. If they act carefully, your credit card company might not notice anything until you wonder about all those charges on your bill.
Cyber crimes use different methods: just as some bank robbers walk straight into the bank with their weapons drawn, others prefer to silently dig a tunnel to get to the diamonds.
Ransomware is becoming increasingly popular with hackers and can leave businesses crippled; smaller businesses often fail to recover.
In fact all cyber crimes are becoming more frequent as online technology has become a part of our lives and is expanding into every little thing.
Did you ever consider that your Alexa-enabled Wi-Fi LED lights are a security risk? They could be used as an entrance to your personal Wi-Fi router, or linked together to form some kind of “supercomputer” whose power is abused for malicious activity.
Let’s get into a worst case scenario: your LED light bulb can become a part of an attack on critical infrastructure like the electric power grid, a hospital or soon a self-driving car.
Cost has always been a driver of technology and its distribution throughout the country. You don’t even know where your LED light bulb was assembled or who wrote its code.
The number of connected devices in the average household is increasing. Consider using a second router just for your IoT devices and keep your private Wi-Fi separate. Although it sounds excessive, you should even consider adding a separate Internet connection.
What are the worst password mistakes you can make?
Do not use an easy password.
A password is not supposed to be easy. A password is supposed to be secure. An easy password is like the heart-shaped lock on your third grade diary. Even a third grader might be able to pick it. It’s best to rely on random passwords. Just use a password generator for convenience.
Do not use the same password.
It is not good to use the same password because hackers can cross-reference it with the most commonly used social networks, business platforms like Microsoft 365 and email providers.
It’s the same reason you don’t use your car keys to enter your house or your house keys to enter your bank safety deposit box.
Do not include personal details in your password.
If it’s something easy for you to remember, there is a chance your social profiles give clues about it. Birthdays and addresses are a big NO NO!
Do not use a text file on your computer to store your passwords.
It’s a simple thought and a golden ticket for every hacker: finding a file on your computer that contains your passwords. It also makes it too easy to print the same file and keep an open list with passwords on your desk. (An easy find for any burglar.) NO NO NO!
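The three mistakes above (easy passwords, reused passwords, personal details in passwords) can be checked mechanically before a password is accepted. The following is an added example written for this article, not code from the original page; the list of common passwords and the personal details are constructed samples, and a real check would use a full “most used passwords” list.

```python
import re

# Constructed sample of a "most used passwords" list; real lists have millions of entries.
COMMON_PASSWORDS = {
    "123456", "password", "password123", "qwerty", "letmein",
    "iloveyou", "welcome", "admin", "football", "monkey",
}


def _detail_variants(detail):
    """Forms in which a personal detail tends to reappear in a password:
    the detail itself, its digits joined (03/12/1987 -> 03121987) and any
    digit group of four or more characters (the year 1987)."""
    text = str(detail).lower()
    variants = {text, re.sub(r"\D", "", text)}
    variants.update(g for g in re.findall(r"\d+", text) if len(g) >= 4)
    # drop fragments too short to be meaningful matches
    return {v for v in variants if len(v) >= 3}


def check_password(candidate, personal_details=(), existing_passwords=(), min_length=12):
    """Return a list of problem codes for a candidate password.

    personal_details:   things a social profile could reveal (pet name, birthday, street)
    existing_passwords: passwords already in use on other accounts (reuse check)
    An empty list means none of the article's mistakes were found.
    """
    problems = []
    lowered = candidate.lower()

    if len(candidate) < min_length:
        problems.append("too_short")

    # "Password2019!" is still "password" once the trailing digits/symbols are removed
    base = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("common")

    for detail in personal_details:
        for variant in _detail_variants(detail):
            if variant in lowered:
                problems.append(f"personal:{variant}")

    if candidate in set(existing_passwords):
        problems.append("reused")

    return problems


if __name__ == "__main__":
    # Constructed profile data: dog's name and birthday, the classic ingredients.
    details = ["Rex", "03/12/1987"]
    for pw in ["Rex1987!", "Password2019!", "Vq7#mL2pZ!s9Wd"]:
        print(f"{pw:20s} -> {check_password(pw, details) or 'no problems found'}")
```

A password that passes this check is not automatically strong; the check only catches the specific mistakes the article warns about, which is why the article still recommends a generator.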
Should I change my password?
You have to change your password if you are currently using an easy-to-remember password. That is generally an indication of a weak password, and it should be changed to a stronger one.
You don’t have to change your password on a regular basis.
If you think you have been hacked, or even if you just think something is not right, you should definitely change your passwords, starting with your email password and including the password for the service you believe might be compromised.
The best option would be to use a different device and a different internet connection to do so, because at this point your own internet connection or network might be infected or compromised as well.
The overwhelming majority of cyber crimes can be prevented by a few easy rules of conduct.
How can you better protect yourself?
Now you are asking the right questions. With all the data of stolen passwords you might have asked yourself: Why bother with a strong password when my password can get stolen, too?
And that’s right. Strong passwords alone can only offer a certain level of protection.
It’s like with all things in life: If you want it to be secure you should use multiple layers.
And voilà: Two Factor or “2-Factor” Authentication adds another step to the regular password login process.
Please, please start using Two Factor Authentication!
If you were to improve only one thing: start with your email account and enable two-factor authentication on all your email accounts.
You use your email account to recover all other accounts that you use around the Internet and it is also your personal hub of correspondence, making it the perfect place to find out who you are.
Currently, there are a variety of two factor authentication methods out there.
What kind of two factor authentication can I use?
- Single Use Passwords
- Time-based One Time Passwords
- Text Messages with verification codes
- Emails with verification codes
- Apps with code generators
- Hardware device
- Secret Keys
Each second factor has some distinct advantages and disadvantages.
Text messages with verification codes have proven to be an easy way to add your extra level of security. However, with all things being connected, some hackers have successfully gotten access to a user’s smartphone and computer and were able to read the text messages as well. It is not foolproof, but it is much harder to hack both your phone and computer, which makes this method a lot safer than single factor authentication.
The same goes for verification codes sent to your email inbox. Once the hacker gets access to your inbox: game over.
A better way to add your second factor is a physical device. Usually a small USB key is used, which makes it impossible for hackers to steal your data without also breaking into your home or office. That locks out most hackers because they usually don’t reside anywhere near your location. And you don’t have to worry if you lose the key or in case of theft: without your password it is useless. That makes it currently (2019) a very safe way to protect your access. The downside is that currently not all platforms support this second level of authentication.
But wait. Isn’t there an app for that? The answer is: YES! It’s called an “authenticator” app and there are various ones out there. Google has one, so does Microsoft and most password vault providers. The authenticator app works even if you are not currently on a network (no cellphone reception means no text messages). It issues time-based one-time passwords.
In order for the app to work you first have to sync the app with the login you are trying to protect. It’s very easy and usually done by scanning a code with your mobile device. After you have scanned the code you can see a number and a countdown. The number is only valid for about 20-30 seconds and is automatically updated. That’s the temporary part of the password, which makes it very safe.
So how does the platform know which number is on your device, when they are not connected? When you scanned the code, the app and the platform you are adding the second factor to, have exchanged a secret key and synced their time. Now the app and the platform are independently able to generate the number. That’s also why it is called time-based one time password.
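What the two paragraphs above describe is the TOTP algorithm (RFC 6238), built on the counter-based HOTP of RFC 4226: the phone and the platform hold the same secret, divide the current time into 30-second steps, and each compute an HMAC over the step number. The following is an added example written for this article, not code from any authenticator app or platform; the secret values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamically truncated to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble selects a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP where the counter is the
    number of `step`-second intervals since the Unix epoch. Both sides can
    compute this independently once they share the secret and a synced clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accepts the current code and, to tolerate small clock
    drift between phone and server, the codes `window` steps either side."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * step, step, len(code))
        if hmac.compare_digest(candidate, code):     # constant-time comparison
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret that the enrolment QR code carries
    (the otpauth:// URI format used by common authenticator apps)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)             # restore padding if it was dropped
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # Constructed enrolment: the platform would generate this secret and display it as a QR code.
    shared = secret_from_base32("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    phone_code = totp(shared, now)                   # what the authenticator app shows
    print("code on the phone:", phone_code, "valid for", 30 - now % 30, "more seconds")
    print("server accepts it:", verify_totp(shared, phone_code, now))
```

The test vectors in the two RFCs (secret `12345678901234567890`) are a convenient way to confirm an implementation: counter 1, or equivalently Unix time 59, must yield `287082`.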
Lastly, the secret key offers a strong method of adding extra security to your password. It exponentially increases the strength of your password, which makes it a good way to add a second factor. However, it can also be pretty long and may require you to type 128 characters off your secret key card.
How many email accounts should I have?
Ideally you will set up one account for your emails and another one for your accounts throughout the web. If you want to make it extra secure use a different email address for each service. If you can’t handle that consider at least a different email for your social media, for your bank account, credit card and other financial services.
The password vault
A password vault encrypts your passwords and leaves you with only one single password to remember. You will use one very strong password and additionally a second factor authentication. This makes your vault safe against most common attacks.
Vaults vary in their set-up and encryption methods. Some store your data locally and others in the cloud.
Currently the most secure method is local encryption.
While a vault is a safe place it can also become a target just by its nature.
A password vault is the way to go if you want to balance your convenience and workflow with a maximum level of security.
Quick reminder: Two factor authentication for your vault is a must.
The password card
The password card is an analog tool to help you create and remember long passwords. The card contains a table with random symbols and characters. It “stores” your password through your personal starting point on the card and a specific reading direction. Because of this you can share the card with others and don’t have to worry about theft: the card is useless without the starting point and the reading direction.
Try out this password card generator or make yourself a copy of our google sheets template to create your own password card.
How to use the password card
Each password card needs to contain at least 10 columns. Ideally 26 for the alphabet, or whatever labeling might help you remember a starting point. Add rows and fill each cell with a letter, number or character.
The general idea for easily memorizing your starting point is to look at the name of the service or login you are trying to create. You choose a letter of the name and look for the corresponding column on your table. Now you have to modify your algorithm so you can also memorize the row. For a service with 7 letters you could choose the 7th row and the 1st letter of the name. But that starting point might be too obvious. So instead of using the first letter you could use the second, third or whichever you like. And the number of letters can be modified by adding or subtracting: (G o o g l e = 6) + 3 = 9.
With this simple pattern you will have an easy way to memorize your starting point.
By reading from right to left, upwards, diagonal or in a pattern shape you can now further modify your password.
The password card is an analog tool and doesn’t offer the convenience of “autofill” like a password vault does. It might seem annoying, but let me refer back to the top: an easy password is a bad password.
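To make the procedure above concrete, here is an added example written for this article (not the password card generator or the Google Sheets template the article links to). It builds a 26-column card, applies the memorization rule from the text (second letter of the service name gives the column, number of letters plus 3 gives the row, so Google lands on column O, row 9) and reads the password off the card in a chosen direction, wrapping around at the edges. The card contents, row count and direction names are constructed choices, not something the article prescribes.

```python
import random
import secrets
import string

# 26 columns labelled A..Z, as the article suggests.
COLUMNS = string.ascii_uppercase
# Characters the cells are filled with (letters, digits and a few symbols).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"
# Reading directions as (row step, column step).
DIRECTIONS = {
    "right": (0, 1), "left": (0, -1),
    "down": (1, 0), "up": (-1, 0),
    "diagonal": (1, 1),
}


def make_card(rows=12, seed=None):
    """Fill a rows x 26 grid with random characters.

    A real card should use OS randomness (seed=None); a seed is only useful
    for reproducing the same card in a demo.
    """
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    return [[rng.choice(ALPHABET) for _ in COLUMNS] for _ in range(rows)]


def starting_point(service, letter_pos=2, row_offset=3, rows=12):
    """Apply the article's memorization rule to a service name.

    Column: the letter_pos-th letter of the name (2nd by default, so the
    starting point is less obvious than the first letter).
    Row: number of letters plus row_offset, e.g. Google = 6, + 3 = row 9.
    Both are returned 0-based; the row wraps if the card has fewer rows.
    """
    name = "".join(ch for ch in service.lower() if ch.isalpha())
    col = COLUMNS.index(name[(letter_pos - 1) % len(name)].upper())
    row = (len(name) + row_offset - 1) % rows
    return row, col


def read_password(card, service, direction="right", length=12, **rule):
    """Read `length` cells from the starting point, wrapping at the edges."""
    rows = len(card)
    row, col = starting_point(service, rows=rows, **rule)
    d_row, d_col = DIRECTIONS[direction]
    chars = []
    for _ in range(length):
        chars.append(card[row][col])
        row = (row + d_row) % rows
        col = (col + d_col) % len(COLUMNS)
    return "".join(chars)


def format_card(card):
    """Render the card with column letters and row numbers for printing."""
    lines = ["    " + " ".join(COLUMNS)]
    for i, row in enumerate(card, start=1):
        lines.append(f"{i:>3} " + " ".join(row))
    return "\n".join(lines)


if __name__ == "__main__":
    card = make_card(seed=2019)   # seeded only so this demo prints the same card each time
    print(format_card(card))
    # Google: 2nd letter 'o' -> column O, 6 letters + 3 -> row 9
    print("Google, reading right:   ", read_password(card, "Google"))
    print("Google, reading diagonal:", read_password(card, "Google", "diagonal"))
    print("LinkedIn, reading up:    ", read_password(card, "LinkedIn", "up"))
```

The printed card is what you would carry; only the rule inside `starting_point` and the direction stay in your head, which is why the card itself can be shared or lost without giving the passwords away.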
Personal password algorithm
Another way to create safe and memorable passwords is to create your own algorithm that you can execute in your head.
Instead of relying on a matrix of random characters printed on paper, you will have to “compute” the password yourself.
The personal algorithm password is assembled from a sequence that is easily memorable to you and added parts that are again calculated out of the name of the service.
Example: How to use the personal password algorithm to log in to Linkedin
3 first letters “Lin” + “HorsePizzaFirehose” + last 3 letters, read backwards “nid” = “LinHorsePizzaFirehosenid”
Now let’s spice it up with some numbers!
Linkedin = 8 letters
Add a “standard” multiplier to get more characters: x 100 = 800
Now put it all together: “800LinHorsePizzaFirehosenid”
This kind of password does look familiar to your eye and is as strong as any random password.
Here are some more sophisticated personal password algorithms:
Diversify your email accounts
The email address is currently the standard way to create a new account. If you use multiple different email addresses it will be more difficult to take over all of your associated accounts.
Question: Why should I use separate email accounts?
Answer: When you are only using your personal gmail account to register all your accounts, you are making it easy for hackers to take over all of your accounts.
Usually a hacker will find, buy or steal one of your email addresses, but not multiple addresses at the same time.
Using multiple email addresses limits the number of accounts that can be taken over through a website’s “account recovery” tool.
Can we learn better password habits?
Just like the GDPR (Data privacy .. ) another legislative act out of Europe is going to bring some movement into the slow shift of better data security and access protection.
The Payment Service Directive 2 is going to force banks and other online merchants to use two-factor authentication starting this fall, 2019. This will raise awareness of the method and hopefully make its use the new standard for every user on any platform. I am pretty certain it will, because it has already been in the news, but mainly because hackers have already started to exploit the confusion during the mandatory change process.
Each provider had to inform their customers about the increased security for the login. Soon thereafter hackers started sending out spoofed (fake sender address) phishing (using a bait to collect data) emails.
That raises a good question: Why isn’t there a law that forces better data protection?
The “password123”-problem long exists and it feels like the government is rather relying on private businesses to solve the problem.
But digital marketing is rather about taking hurdles out of a customer’s way to an action or purchase. It’s not about adding a second level of security by entering 128 characters.
Look, after the introduction of the seat belt law in 1968, studies in 1974 found that a driver had a 73% lower fatality rate and 53% lower serious injury rate when wearing a seat belt. (Source)
It is restraining to wear a seat belt, but you and I would probably agree that it is a good feature.
I think it’s time for a law that favors the user. Not a burdensome piece of regulation. We need a straightforward directive that levels the playing field.
Imagine if every user invested about an hour of their precious time to change their passwords to a strong password with two-factor authentication, we would immediately render all those password lists useless!
Entire cyber crime business branches would become obsolete overnight.
Everyone would benefit but the hackers.
It’s going to be winter soon. Perfect time to set your digital life straight.
We need a “strong password day”!
Talk Show hosts wearing random password sweaters and making awkward jokes about how to come up with the best memorable random password on every channel.
Interviewing people that haven’t been compromised, celebrating all the break-ins that never happened.
And you should demand a mandatory drill in your office to change to a strong password!
Summary
- You are a target of cyber crime, every day & night.
- Hackers will break in; it’s just a matter of time.
- You have to use strong passwords and use different passwords for each account.
- Using strong passwords is the single most effective thing you can do to protect your business and your personal life from hackers.
- Strong passwords are hard to remember and impractical for everyday use.
- Make it convenient by using a password vault or password card.
- Use 2-factor authentication for your email inbox and all other accounts that offer it.
Check out our password workshop
We found there is a real need for more people to get started with secure passwords. So we put together a couple workshops that we are currently piloting in Cleveland, OH.