When was the last time you used a password?
Four or five minutes ago? That sounds about right. In this digital world, consumers are bombarded by demands for passcodes hourly. These combinations are essential for everything from Pinterest to Instagram to the dog’s vet account, so it’s tempting to use the same password over and over. Don’t! Reuse and other password goofs often backfire. It’s vital to do all you can to protect these basic security tools.
The average person has several dozen accounts requiring credential log-ins. Some have over 50 or 100. Sheer volume is at the root of the reuse problem on multiple sites. A 2018 research study at Virginia Tech documented that 52% of all account holders reuse their passwords. Even worse news: a considerable percentage of users—when alerted that their credentials had been compromised—continued to use them!
Don’t get stuffed!
The damage is often tangible. You could receive a letter that goes something like this: “It appears that an unauthorized party may have accessed your account by using your username and password combination that was obtained from (another) source.” That’s the warning notice that numerous online tax filers received in April 2019; duplicate passwords were the likely cause of these individual hacks.
When thieves grab login credentials in one data breach, that info is tested against other websites to catch users who recycle. Credential stuffing is the term for this automated, trial-and-error approach. It’s rapid and highly successful; the forecast is that over 50 million attempts will be made in 2020. If an attempt succeeds, the intruder’s next step is to change the password to commandeer the account and lock the genuine owner out. Account takeover (ATO) is a crippling event you don’t want to endure.
Financial accounts can be emptied, and even loyalty points can be stolen.
The surge in stuffing worries business owners immensely; workers prone to password reuse could use the same codes for work accounts, giving hackers easy access to employer files like payroll data or tax forms which can be quickly monetized.
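The pattern described above has a recognizable fingerprint in a site’s login logs: one source address fails against many different usernames in a short burst, then a success follows. The script below is an added example, not code from the original article; the log format and the sample lines are constructed for illustration, and the thresholds (five distinct usernames within five minutes) are assumptions a site owner would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Assumed line format:
#   <ISO timestamp> login <OK|FAIL> user=<name> ip=<address>
# 203.0.113.7 behaves like a stuffing tool: one failed try per account across
# five accounts, then a successful login.  198.51.100.9 looks like a forgetful
# human: several failures against one account, then success.
SAMPLE_LOG = """\
2020-03-01T10:00:01 login FAIL user=alice ip=203.0.113.7
2020-03-01T10:00:02 login FAIL user=bob ip=203.0.113.7
2020-03-01T10:00:03 login FAIL user=carol ip=203.0.113.7
2020-03-01T10:00:04 login FAIL user=dave ip=203.0.113.7
2020-03-01T10:00:05 login FAIL user=erin ip=203.0.113.7
2020-03-01T10:00:06 login OK user=frank ip=203.0.113.7
2020-03-01T10:03:10 login FAIL user=alice ip=198.51.100.9
2020-03-01T10:03:25 login FAIL user=alice ip=198.51.100.9
2020-03-01T10:03:40 login FAIL user=alice ip=198.51.100.9
2020-03-01T10:04:02 login OK user=alice ip=198.51.100.9
2020-03-01T10:30:00 login OK user=bob ip=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {ip: peak distinct usernames failed within one window}.

    A human who forgot a password hammers one account; a stuffing tool tries a
    leaked username/password pair once per account across many accounts, so the
    number of *distinct* failing usernames per source is the telltale signal.
    """
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window so it spans at most `window` of time.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def takeover_candidates(events, flagged):
    """Map each username that logged in successfully from a flagged source to that
    source: these are the accounts to lock, re-verify and force a password reset on."""
    return {e["user"]: e["ip"] for e in events
            if e["result"] == "OK" and e["ip"] in flagged}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    suspects = find_stuffing_sources(evs)
    print("stuffing sources:", suspects)
    print("possible takeovers:", takeover_candidates(evs, suspects))
```

With the constructed log, only 203.0.113.7 is flagged (five distinct usernames in six seconds) and frank’s successful login from it is the one to investigate; the forgetful user on 198.51.100.9 is left alone because every failure hit the same account.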
The National Institute of Standards and Technology (NIST) in 2019 issued an advisory directing business owners to minimize the risks of credential stuffing by comparing new passwords against lists of compromised ones.
You’re overdue for 2FA
Activate two-factor authentication (2FA) on your key accounts. If you own a debit card, you already use 2FA. It’s a combination of something you have (the card) and something you know (the PIN). However, acceptance of this added security layer, also called multi-factor authentication (MFA), has been slow, with under 50% of users selecting it when 2FA is an option.
Microsoft’s security division in 2019 compared millions of user credentials against a list of 3 billion compromised ones; the tech giant found vulnerabilities in 44 million accounts. Microsoft also found that MFA would block 99% of credential stuffing attacks. While consumers usually have a choice to opt in, changes may be lurking around the corner. Google will require its Nest home security users to adopt 2FA in Spring 2020, and some banks have already made 2FA mandatory for account access.
Check for compromises
Want to check your own password vulnerabilities? Email addresses—which are common user names—can be evaluated for exposure at the non-profit site, haveibeenpwned.com (HIBP). Since 2013, Australian data security guru Troy Hunt has run this site to help the curious search compromised email addresses and passwords. His repository holds eight billion data points, and it’s simple to use. This free service sometimes even pinpoints the data breach that exposed your details. If your cherished email address or password pops up on Hunt’s website, it will rattle you, but there’s no better way to grasp the risks. HIBP also offers an optional email compromise alert if your data is exposed in the future.
Make it tough
Bill Gates predicted the death of passwords over 15 years ago, but they’re still around, so choose yours wisely. A 12-year-old could guess many passwords in use today. Research firms consistently prepare lists of the most used passwords, and “123456” always tops the list. “Password” usually occupies second place as a password! Automated cracking programs break those flimsy passcodes in a fraction of a second. Just. Don’t. Do. It.
Additional risks and protections
No human memory can hold every password you use in today’s digital environment. Start with the accounts that you cannot afford to lose. Your mental vault is ideal for banking or investment passcodes. Once you decide which codes are critical and store them in your head, follow these suggestions for less sensitive codes to boost security:
- Post-It notes have got to go! Even state emergency management officials in Hawaii have been caught using Post-It notes on computer monitors for password storage. This is a big mistake.
- Don’t use the cat’s name or your birthday as a code. Try a passphrase if that is easier to remember. Simply choose a letter to represent each word and add some numbers.
- Ditch the concept that longer passwords are superior. Go for unique instead. Even a 20-digit code is dangerous if it’s already been hacked.
- Decline website offers to store your passwords for faster checkout. If they’re hacked, you’re hacked. To see what the popular Chrome browser stores in terms of data, visit Google’s account answers page.
- It’s tempting to pay someone else to hold all your passwords, and password managers have proliferated. They promise that all you have to memorize is one master code. Before you leap, consider how the codes are stored. Are they encrypted? Evaluate how the provider handles hacks, both past and future. Even firms that operate on a zero-knowledge basis need robust scrutiny. Zero-knowledge means the company won’t store users’ individual codes, so a hacker can’t grab them from corporate files. Individual passwords are stored on your personal device, and the manager only controls that vault’s front door. If you opt for a manager, definitely select a unique master passcode.
- Install and use browser extensions that tap into HIBP’s database to check for nicked credentials when you establish new online accounts.
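The NIST advice to compare new passwords against lists of compromised ones, and the HIBP checks the browser extensions perform, both rest on the same mechanism: HIBP’s Pwned Passwords range API. The client hashes the password with SHA-1, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, receives every matching suffix with its breach count, and finishes the comparison locally, so the full password (and even its full hash) never leaves the device. The code below is an added example and not HIBP’s or the article’s own code; to stay offline it replaces the network call with a constructed lookup table built from a handful of sample passwords and made-up breach counts.

```python
import hashlib
import urllib.request

# Constructed sample "breach corpus" (passwords and counts are made up) used to
# simulate the service offline.  SHA-1 is used only because that is what the
# HIBP range API keys its data on; it is not a recommendation for storing passwords.
SAMPLE_LEAKED = {"123456": 23000, "password": 3000, "qwerty": 900}


def sha1_upper(password):
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def make_offline_range_fetcher(leaked):
    """Build a stand-in for the network call: prefix -> 'SUFFIX:COUNT' lines."""
    table = {}
    for pw, count in leaked.items():
        h = sha1_upper(pw)
        table.setdefault(h[:5], []).append(f"{h[5:]}:{count}")

    def fetch(prefix):
        # Like the real service, this only ever sees the 5-character prefix.
        assert len(prefix) == 5
        return "\n".join(table.get(prefix, []))
    return fetch


def fetch_range_online(prefix):
    """Real lookup against the HIBP range API (needs network; not used in the offline demo)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch_range):
    """How many times the password appears in the breach data, 0 if never."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def is_acceptable(password, fetch_range):
    """Registration-time screen in the spirit of the NIST advice: reject any
    password already seen in a breach, whatever its length or complexity."""
    n = pwned_count(password, fetch_range)
    if n:
        return False, f"this password appears in {n} known breaches; choose another"
    return True, "not found in known breaches"


if __name__ == "__main__":
    fetch = make_offline_range_fetcher(SAMPLE_LEAKED)
    for candidate in ("123456", "Tq9#vexillology-canoe-42"):
        print(candidate, "->", is_acceptable(candidate, fetch))
```

To run the same check against the live service, pass `fetch_range_online` instead of the offline fetcher; the rest of the code is unchanged because the prefix/suffix split is done on the client either way.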
IDShield is a product of Pre-Paid Legal Services, Inc. d/b/a LegalShield (“LegalShield”). LegalShield provides access to identity theft protection and restoration services. For complete terms, coverage and conditions, please see an identity theft plan. All Licensed Private Investigators are licensed in the state of Oklahoma. This is meant to provide general information and is not intended to provide legal advice, render an opinion, or provide any specific recommendations.