We all know the importance of secure passwords and protecting your online identity, but many of us don’t fully understand the necessary precautions to take in order to prevent a hack.
As a seasoned engineer, I have a huge confession to make: I was lazy about my passwords. I reused the same passwords and usernames across dozens of sites. Every so often on a weekend, I would set aside a big chunk of time to change my passwords across the multitude of sites.
Last year, I had a rude awakening when I received an email from Grubhub notifying me that there had been “suspicious activity” on my account and as a precaution, my password had been reset. After investigating further, I was informed that my credentials had likely been a part of a big password dump.
No problem, right? I’m a veteran of the technology industry so surely all of my accounts were secure with no reused passwords.
Unfortunately, this was not the case. A few days later, a $2,000 order was placed on my bestbuy.com account, but thankfully there wasn’t enough remaining credit for the purchase to go through. Then, I received an email at 3am that someone had ordered $90 worth of pizza using my account on dominos.com. Just when I thought it couldn’t get any worse, my ubisoft account was compromised and someone began logging into previously deactivated dating website accounts.
I learned the hard way just how easy it was for my online identity to become compromised. Luckily, I didn’t suffer more severe losses, and I decided to take a much smarter approach to securing the myriad of accounts I have. I’m sharing my experience and some tips in hopes that you can avoid suffering from a similar attack.
1. Use Long, Easy to Remember Passwords
I think from my tale above, it’s fairly obvious that you shouldn’t be reusing passwords. However, NIST has also updated its recommendations for secure passwords. Rather than the old method of a string with special characters, numbers and capital letters, the new guidelines suggest using a series of easy-to-remember words. NIST has also removed the recommendation to reset passwords every 90 days, as people were often just making minor variations to their existing passwords, something that wouldn’t deter hackers. Randall Munroe of the popular web comic xkcd demonstrated how a password consisting of 4 common words is significantly stronger than a single common word with capital letter/number substitutions.
2. Use a Password Manager
I decided to take a different approach to managing my passwords. My brain is cluttered enough as is, so I knew that I would never be able to remember a whole collection of passwords and would eventually fall back into my lazy habit of reusing them. Instead, I opted to go with a password manager to generate and store random passwords. I use LastPass for my personal accounts, and at Chameleon, we use 1Password. With a browser extension and mobile app, I have easy access to my passwords on all my devices. I don’t have to remember anything and I am most assuredly not reusing any passwords. If you would prefer a non-proprietary option for password management, you have plenty of options.
3. Use Multi-Factor Authentication (MFA)
I’ve had passwords compromised many times over the past several years. I had a debit card number stolen during the 2011 PlayStation Network hack and have likely lost passwords in countless other intrusions. Password theft is not going away anytime soon and hackers are only going to get more sophisticated. My foray into multi-factor authentication began when my battle.net account was compromised. In response, Blizzard sent me a free authenticator, which also unlocked an in-game pet for World of Warcraft. I had been nervous about enabling it for more important accounts, like my Gmail. However, after having devious web bandits order pizza and high-end gaming laptops in my name, I’ve become MUCH more welcoming to the idea. I have now enabled multi-factor authentication (MFA) on all of my accounts that support it.
MFA comes in different practical forms. Some services only send you the verification code by text message or email, or read it out in an automated phone call. Google Authenticator is a popular app that generates time-based codes and that many services support. Google also has its own mobile prompt that can be used to approve logins from your devices. MFA won’t absolutely prevent you from getting hacked, but it does add another layer that an attacker has to get past, making you less susceptible. At Chameleon, we have MFA enabled on all company GSuite accounts.
My tips above just begin to scratch the surface of the topic of security, but making these simple changes will result in more secure online accounts, decreasing the likelihood that a single leaked password leads to multiple accounts being compromised.
If you’d like to share an experience of when your identity was compromised or want some additional advice, please email me at email@example.com.