A client of ours recently got an email from a security consulting firm that contained the username and password he uses for multiple websites. This email explained that they had found his credentials in an online dump of passwords from a compromised website, and they were offering their consulting services to help him tighten up his security. Now, I know that they might have meant well, but this is probably one of the creepiest sales pitches I have ever come across. And, unsurprisingly, our client was freaked out and wanted nothing to do with this company, which he suspected of hacking his account.
The real problem here is that a lot of people reuse variations of a few favorite passwords across many different websites. This is a bad idea, although we understand why they do it. It’s hard (impossible?) to remember a different password for each individual site you use online. Even experienced security professionals make the mistake of reusing passwords.
Here’s how the hack works. A hacker breaks into a site that isn’t well protected, like maybe an online pet care forum. Once they get the usernames and passwords to that system, they start trying these credentials on other websites like Gmail or Yahoo. God help you if you used the same password for your online banking account.
So what’s a civilized, 21st century person to do? Forgo doing business online and spend their days writing letters and standing in line at the bank? Well, take heart. We have a tool to solve this problem: the password manager. You just enter all of your passwords into this one application and encrypt the whole lot with one fairly complex, but easy to remember, password. Now, most people object that if a hacker can get access to this one master password, then they have ALL of your passwords at once. And this is true. But if a hacker has control of your system and is logging all of your keystrokes, then they have all of your passwords anyway. I know, that’s not much solace. So think of it this way. That online pet forum is actually a more prominent target than your personal computer. It’s out on the internet offering web pages to anyone in the world 24 hours a day. Those are the systems you need to worry about.
At Aviator, we recommend that all of our clients use a password manager to store their passwords. And don’t try to get away with a password protected Word document. Just google “Word document password recovery” if you want to see how easy it is to crack open that sort of thing. I personally use 1Password, which has some nice features like auto filling web forms and syncing across multiple devices, but it’s a bit pricey. Noted security expert Bruce Schneier uses a free password manager called Password Safe, which I expect to be very tough to break into. We also like to use KeePass, which is another free tool with solid encryption. Check out the PC Magazine password manager review for some other reasonably priced solutions with good features.
Once you have a good password manager, you can create a unique and complex password for every website you visit. If one site gets hacked, those credentials can’t be used on any other. And you will be much safer online.
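To make the two ideas above concrete (one master password protecting an encrypted vault, and a unique random password for every site), here is a small added example in Python. It is not code from this post or from any of the products mentioned; it is a teaching sketch that uses only the standard library. It assumes a vault stored as JSON, a key derived from the master password with scrypt, and a demonstration encrypt-then-MAC construction (HMAC-SHA256 keystream plus an HMAC tag) standing in for the authenticated encryption a real manager would use. The credentials inside are constructed sample data. The reuse check is exact-match only, so the "variations of a favorite password" the post warns about would need a fuzzier comparison.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

# Constructed sample vault: the same password reused on a forum and on email.
SAMPLE_ENTRIES = {
    "pet-forum.example": {"username": "alice", "password": "Fluffy2019!"},
    "mail.example": {"username": "alice@mail.example", "password": "Fluffy2019!"},
    "bank.example": {"username": "alice", "password": "Fluffy2019!!"},
}

# scrypt cost parameters (hypothetical values for the demo; 16 MiB of memory).
KDF_PARAMS = dict(n=2 ** 14, r=8, p=1)


def generate_password(length=20):
    """Random per-site password drawn from a CSPRNG, never from memory."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_keys(master, salt):
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.scrypt(master.encode(), salt=salt, dklen=64, **KDF_PARAMS)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    """Demo stream cipher: HMAC-SHA256 in counter mode as the PRF."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master, entries):
    """Encrypt the whole vault under the master password (encrypt-then-MAC)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master, salt)
    plaintext = json.dumps(entries).encode()
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_vault(master, blob):
    """Verify the tag before decrypting; a wrong master password fails here."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or vault tampered with")
    ks = _keystream(enc_key, nonce, len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)).decode())


def find_reused(entries):
    """Map each password that appears on more than one site to those sites."""
    by_pw = {}
    for site, creds in entries.items():
        by_pw.setdefault(creds["password"], []).append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}


def fix_reuse(entries):
    """Give every site in a reused group a fresh, unique password."""
    fixed = {site: dict(creds) for site, creds in entries.items()}
    for sites in find_reused(entries).values():
        for site in sites:
            fixed[site]["password"] = generate_password()
    return fixed


if __name__ == "__main__":
    print("reused:", find_reused(SAMPLE_ENTRIES))
    cleaned = fix_reuse(SAMPLE_ENTRIES)
    blob = seal_vault("one long master passphrase", cleaned)
    print("vault bytes:", len(blob), "reused after fix:", find_reused(cleaned))
```

The point of the layout is the one the post makes: the only secret a person has to remember is the master passphrase, and scrypt makes guessing it expensive, while every site gets a long random password that is useless anywhere else if that site is breached. A production vault should use a vetted AEAD (for example AES-GCM or ChaCha20-Poly1305 from a maintained crypto library) in place of the HMAC keystream shown here.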
Contact Aviator today to talk about rolling out a password manager for your employees or other projects that we might be able to help with to protect your business online.