Let's face it – we all have multiple online accounts across numerous services – Instagram, Facebook, PayPal, our banks, Amazon, eBay, Twitter, etc. The list just goes on and on. However, given the number of large data breaches that are being announced on almost a daily basis, many users are confused and concerned about what this means for them and what they need to do. This blog provides the top 5 tips for keeping your online accounts safe as your digital footprint continues to grow.
Don't use the same passwords everywhere
One of the largest problems is that many people use the same password for multiple online services. If one of those companies gets breached, your username (which is probably your email address) and its password are exposed to attackers. An email address paired with a reused password opens up many opportunities to compromise the accounts you have configured with other online services.
For example, if Facebook gets breached and the email and password you use to authenticate to Facebook are exposed, attackers now have enough information to try logging into your Instagram, Twitter and LinkedIn accounts as well, along with your accounts at well-known financial institutions.
Although it can be challenging, always use a different password for each online service, especially critical ones that could expose confidential or sensitive data. The more unique passwords you use, the less exposed your other online accounts are when a data breach occurs at a company you have credentials with.
Use two-factor authentication whenever possible
This is an extremely important one. Although there is research demonstrating that two-factor authentication can be bypassed by leveraging social engineering techniques, two-factor authentication (2FA) remains critical to protecting your online accounts.
Many people aren't even aware that 2FA is supported on some of the services that they use. For example, you can configure all of your social media accounts to use 2FA – just look in your account settings, typically in a "Security" area or where you'd usually configure your password.
By implementing 2FA, you reduce the possibility of an attacker using your username and password alone to gain access to your account. In fact, since most 2FA services support sending temporary passcodes via SMS, receiving an unexpected SMS code to verify your account could set off many red flags, indicating that your password may have been compromised and someone is attempting to log in.
Use complex passwords combining multiple factors
Don't use simple passwords. We conduct password attacks (and password analyses) as part of our assessments, and there are always user accounts configured with simple passwords such as <Season><Year> (e.g. Winter2019, Summer2019). These accounts almost always allow us to compromise data and/or gain privileged access to critical systems.
Use some of the following best practices to help create a strong password:
- Combine multiple words (e.g. HereIsAStrongerPassword!9102!!)
- Substitute letters with similar-looking numbers and symbols (e.g. H3r3IsAStrong3rP@ssword!9102!!)
- Use passwords longer than 8 characters (preferably 12+)
- Avoid using words that can be found in the dictionary
- Test your password strength using an online password strength checker
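As an added example (not the post's own code), a small local audit that checks a candidate password against the practices above and flags the <Season><Year> and padded-dictionary-word patterns the assessments describe. The word list and the substitution table are constructed for this demo; a real checker would load a full wordlist.

```python
import re
import string

# Constructed sample of common words (assumption for this offline demo).
COMMON_WORDS = {"password", "winter", "spring", "summer", "fall", "autumn",
                "welcome", "admin", "letmein", "qwerty", "dragon"}
SEASONS = {"winter", "spring", "summer", "fall", "autumn"}

# Undo the usual character substitutions so H3r3 and P@ssw0rd are judged as
# the plain words they are: cracking rule sets try exactly these first.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o",
                      "$": "s", "5": "s", "7": "t"})

def normalize(text: str) -> str:
    return text.lower().translate(LEET)

def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit and symbol classes are present."""
    return sum(bool(re.search(p, password))
               for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))

def is_season_year(password: str) -> bool:
    """Winter2019, Summer19!, W1nter2019 all belong to the <Season><Year> family."""
    m = re.fullmatch(r"(.+?)((?:19|20)\d{2}|\d{2})",
                     password.rstrip(string.punctuation))
    return m is not None and normalize(m.group(1)) in SEASONS

def is_padded_dictionary_word(password: str) -> bool:
    """One dictionary word with digits/symbols bolted on the ends (P@ssw0rd123)."""
    core = password.strip(string.digits + string.punctuation)
    return normalize(core) in COMMON_WORDS

def evaluate(password: str) -> dict:
    """Return the findings an audit would raise; an empty list means it passes."""
    findings = []
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    if character_classes(password) < 3:
        findings.append("fewer than 3 character classes")
    if is_season_year(password):
        findings.append("<Season><Year> pattern")
    if is_padded_dictionary_word(password):
        findings.append("single dictionary word after undoing substitutions")
    return {"ok": not findings, "findings": findings}

if __name__ == "__main__":
    for pw in ("Winter2019", "P@ssw0rd123", "HereIsAStrongerPassword!9102!!"):
        print(pw, evaluate(pw))
```

Running the check locally means a real password never has to be typed into a third-party web page.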
Once you get into the habit of using some of the practices mentioned above, you'll start to create stronger passwords without even noticing. For example, I've been substituting characters in passwords for many years and now it's "normal."
Don't save your passwords in cleartext
Don't save your passwords in cleartext in any electronic documents (e.g. spreadsheets, Word docs, text files, etc.). If the device you save this information on gets compromised, the attacker now has access to all of your credentials in cleartext. We've discovered cleartext password files on a good number of assessments, and this has always led to pretty significant access.
Instead, consider using a password manager if you can't remember your passwords (most of us can't, especially given the number of online services we have user accounts with).
Check your accounts against known databases
If you're ever curious to know whether your accounts have appeared in a breach, you can use one of several online breach lookup services. One of the most popular is haveibeenpwned.com. You simply provide your email address and get a list of breached services in which your credentials appeared.
If you realize that your accounts appear in breaches you were unaware of, go to the affected service(s) and change your password, along with the password on any other service where you reused it (even though reuse is not advised).
About Vonahi Security
Vonahi Security is a cybersecurity consulting firm that offers modern consulting services to help organizations achieve both compliance and security best practices. With over 30 years of combined industry experience in both offensive and defensive security operations, our team of certified consultants has experience working with a significant number of organizations, industries, networks, and technologies. Our service expertise includes Managed Security, Adversary Simulations, Strategy & Review, and User Education & Awareness. Vonahi Security is headquartered in Atlanta, GA. To learn more, visit www.vonahi.io.