This article is part of a series that aims to shed light on critical privacy issues for our clients. Our goal is to offer straightforward guidance on how you can protect yourself and your family in this age of proliferating cybercrime. You can find our previous articles on protecting your physical assets, spam and phishing, and social media.
By David Koch
This article focuses on passwords, which are likely the most important cyber safeguards and the easiest to secure with the tactics I’ll describe below.
Three key metrics for passwords: Strength, Uniqueness—and 2-Factor Authentication
The average person has about 20 personal passwords. Add work passwords, and that number rises further. If you are active online, these numbers could reach into the hundreds. Unfortunately, most people have relatively weak passwords. What makes them even more vulnerable is using the same username and password to log into multiple online accounts.
The risk isn’t so much that your bank gets hacked: Banks typically have very secure databases. But what if your local library gets hacked—and you use the same username and password for both? Now they’ve got the keys to the castle.
I’ll outline three steps that we at HH strongly suggest you take to update your passwords and help keep your digital identity safe. The first step is to use strong passwords. The second step is to use a unique password for each online account. The third step is to use 2-factor authentication, where it is available. Two-factor authentication isn’t ubiquitous yet, but it is getting there quickly.
Step 1: Strong Passwords
A strong password should incorporate at least one uppercase letter, a number, and a special character. Passwords are also far more secure if they aren’t an English word. One simple trick is to replace letters with analog numbers and special characters: 3’s for E’s, 1’s for I’s, @’s for O’s, $’s for S’s, etc. This turns your cat “Benson” into “B3n$@n”.
Another strategy is to use a pattern on your keyboard. “1qa!QA” for example, looks complex, but takes less than two seconds to execute—and is quite secure. Look where the keys sit vertically on your keyboard on the far left. To achieve this password, you simply type “1qa”, then hold down the shift key to type “1qa” again, which produces “!QA”.
You can check how strong your password is here: http://comparitech.net/password-strength
Step 2: Unique Passwords
Creating (and remembering) unique passwords for each of your accounts sounds incredibly difficult. Many of you are likely imagining a monitor covered in Post-it notes right now. The fact is, these types of passwords can be created easily by adding the first few letters of the site you’re logging into.
For example, if your go-to password is “B3n$@n”, your Verizon password becomes “verB3n$@n”. For Chase Bank, it becomes “chaB3n$@n”. Geico becomes “geiB3n$@n”. And so on. Don’t worry about tackling them all at once. Try updating them each time you log into a new site until they’re all unique. It took me about a year.
Step 3: 2-Factor Authentication
This strategy uses a second form of verification, usually a text message or phone call, to verify that you are who you are. There are many ways to utilize this, and the site you’re accessing must make it available. I’ll use a text message here as an example. When you first set up 2-factor authentication, the site will ask you for your mobile phone number, and will then send a short code to your phone to verify. If you set this authentication up from your home computer, it will ask if that computer is considered a “safe” computer, or some other similar terminology.
Once that is done, you won’t need to verify the code from your home computer each time, because it is tagged as safe. If, however, you (or a hacker) tried to log into that account from a different computer (like one in Nigeria, for example), the site would send you a text message to re-verify access. Now, unless hackers had your username, your password, AND your mobile phone, they wouldn’t be able to get into your account.
Not all sites offer 2-factor authentication yet, but most large corporations do. The easiest way to find out is with a Google search, for example, “AOL 2 factor authentication,” or “Bank of America 2 factor authentication.” These search terms will often deliver you to the page that details how to set it up. Setting up two-factor authentication takes surprisingly little time; we believe it’s a vital security strategy. Think of your financial accounts like PayPal, and social media accounts like Facebook. Both your privacy and finances can be made appreciably more secure through this process.
If you maintain great security, hackers will turn to easier targets
Two people are walking through the woods when they see a bear. The first starts running. The second yells, “Why are you running? You can’t outrun a bear!” To which the first replies, “I don’t need to outrun the bear, I only need to outrun you!”
This adage mirrors online security. When a large entity like Target gets hacked, the thieves sell the usernames and passwords to other crooks. They’re not looking to break into your Target.com account—they’re looking for people who use the same username and password to log into their Wells Fargo account.
These villains may buy 1 million usernames and passwords. Then they run sophisticated software to see how many other bank, credit union, and online brokerage accounts they can open using these. They’ll get tens of thousands, or possibly hundreds of thousands of exact matches. Simply by changing one digit between your Target account password and your bank’s password prevents you from being their low-hanging fruit.
Sure, if they went through these passwords line by line, maybe they could figure out your specific method for making your passwords unique—but they won’t. Why would they? They’ve already got the keys to 100,000 other castles to rummage through.
RISKS AND DISCLOSURES
The views contained herein are not to be taken as an advice or recommendation to buy or sell any investment. Any forecasts, figures, opinions or investment techniques and strategies set out are for information purposes only, based on certain assumptions and current market conditions and are subject to change without previous notice.
All information presented herein is considered to be accurate at the time of writing, but no warranty of accuracy is given and no liability in respect of any error or omission is accepted.
This material should not be relied upon by you in evaluating the merits of investing in any securities or products mentioned herein. In addition, the Investor should make an independent assessment of the legal, regulatory, tax, credit, and accounting and determine, together with their own professional advisers if any of the investments mentioned herein are suitable to their personal goals. Investors should ensure that they obtain all available relevant information before making any investment.
It should be noted that the value of investments and the income from them may fluctuate in accordance with market conditions and taxation agreements and investors may not get back the full amount invested. Both past performance and yield may not be a reliable guide to future performance.
