Data Breach
Facebook Profile photo by ambyrne
TechnologyPasswords are no longer enough to secure your stuff

Over the past few weeks we’ve seen news reports of high-profile hacks and data breaches from even the most seemingly security conscious companies such as Yahoo, Microsoft and more. We’ve even had a major US agency responsible for credit scores and financial rating admit to letting more than 143 million users details, not only of American citizens, but also those in other countries, out into the wild. And while we should be able to trust the businesses we give our personal details to, there is a lot to be said for how we protect our own data.

Not a day goes by when I don’t see something on my Facebook timeline from one of my friends advising that their e-mail address was hacked or someone had gained access to their profile and not to open any links I may get in strange messages. It seems that we are a little lax ourselves when it comes to ensuring that our accounts are not compromised. This can have serious repercussions which people seem to either ignore or simply choose not to think about.

If someone was to get into your e-mail account right now, chances are they could reset the passwords on most of the other accounts that you have simply by hitting the forgotten password link, and very soon they’d have total control of your online presence, and worse. As more and more companies and even government bodies move people to using self-service options online and web-based portals, it’s not a stretch to think someone could get access to your tax profile on the revenue website, change some details and get a nice refund put into their bank account.

Ah, but my password is really strong and no one knows it you say with pride, but here’s where the high-profile data breaches come into play. Chances are, like most people, you’ve used the same password for lots of different accounts, which means if some hacker finds your details, including your password for example from the big Yahoo data dump, they can just guess that you use that password for Facebook, online banking, Gmail and so on and so on. Effectively your password is useless now. A great site to check how likely this is to have happened to you check out Have I been pwned?. This handy little site checks to see if your e-mail address was leaked in any of the multiple high-profile breaches. If so I’d highly recommend changing your password on everything. And yes I mean everything.

Kinda scary when you start seeing your e-mail address show up on multiple lists on this site, and I’m afraid almost everyone is on there somewhere.

Passwords aren't enough anymore

Passwords aren’t enough anymore

So what’s the solution to this issue? Well there are some obvious ones that you’ve probably heard time and time again and for one reason or another just not got around to doing. For example, a lot of websites ask you to enter a pass phrase rather than a password. So what’s the difference? A password is that string of letters, numbers and special characters we’ve all learned to use for good strong passwords, but we tend to use the same thing over and over for simplicity and these are not as strong as you’d think as most people tend to hover around the 8 characters length. Pass phrases are as you might expect a string or a sentence that makes up a phrase. Suddenly a lot harder to crack or guess. For instance: “I like that Faceb00k uses that shad3 of blu3!” Seems a bit over the top, but if you make it something to remember and still add the special characters it’s fairly easy to remember, and the inconvenience of a few extra keys is worth while.

The good thing about pass phrases is that it encourages you to use different ones for different accounts, that way if one happens to be breached that password won’t work anywhere else. It’s a good habit to get into but only goes so far. The next really vital one which I recommend to everyone is turning on 2 factor authentication.

Again, like with pass phrases, most people are at least somewhat aware of 2 factor authentication, but I’m still amazed at how few people I know turn it on. In a nut shell, 2 factor means that after you enter your password you are either sent a message to your mobile via text, or you use an app on your phone to get a one time code for that login. Yes, it adds a few seconds to the logging in process, but what it means is that even if someone had your username and password, they’d also have to have your phone or they can’t login.

2 Factor Authentication Apps

2 Factor Authentication Apps

I’ve recently had the experience where someone repeatedly tried to access an account of mine from the other side of the world, and, although they got past the password step somehow, because I had 2 factor turned on, they couldn’t actually get into my account as they didn’t have the unique code that I got via the app on my phone. This code changes every 30 seconds and is unique to me, my phone and my account. Long story short, they couldn’t get it, and I got a notification that someone had tried and failed, so I changed the password on that account to something much more secure.

Virtually all the larger companies such as Microsoft, Facebook, Google etc all allow you to set up this additional layer of security and it almost makes the whole password thing redundant. Someone asked me ‘what if i lose my phone?’ Yeah, that’s a possibility, but as long as I can get my number back i can choose to get the text sent to the number again. The authentication apps are the most convenient as they can also be set up to prompt you. For example, when I login to Facebook from a machine I wouldn’t normally use, I get a prompt to check that it was actually me and the code to enter if it was.

The high-profile data breaches may have left us either feeling distrustful of some of these organisations, or worse we might think, ‘surely I’m not effected’, but the reality is that at some point the likelihood that your details have been compromised is huge, and the responsibility falls back on us to ensure that all our other accounts don’t fall victim as a result.

BTW, if you’re wondering what pwnd means from the above link here’s what Wikipedia has to say:

  1. (Internet slang, online gaming) To own, to defeat or dominate (someone or something, especially a game or someone playing a game).