“Passwords are like underwear: don’t let people see it, change it very often, and you shouldn’t share it with strangers.” – Chris Pirillo
In this post, I want to stress what I believe are some of the tenets of basic cyber security. While many of these points may seem ridiculous to cyber security professionals, we all know that there are many people, common Internet users, who are unaware of the consequences of a lack of cyber security concern. This post is not aimed at cyber security professionals. I intend to inform the general public about actions, or a lack of actions, that can lead to disastrous consequences if basic cyber security principles are not followed.
To begin, let me state that I have never been a tin-foil hat wearing conspiracy theorist. I mean no disrespect to my technical brethren who tend to be a little over-cautious. It is important to remember that any precaution can seem overzealous until it proves to be necessary. Take for instance insurance. You may balk when you see your statement or invoice from your insurance provider, but you know it is a necessary evil because you have seen the effects of a disastrous encounter with calamity, whether it was your personal experience or that of a friend or loved one.
Below, I will detail what I think many of us “average Joes” should consider legitimate causes for concern and how we should go about securing our digital assets. If you are wondering how this applies to you, let me help by reminding you of all the spam you get on your social network because you accepted a friend request from someone you had already added, not realizing that a fake account had been created with their personal information. Let me also remind you of the fraud that occurs every day against bank accounts. You have no doubt seen the regular reports of hacks against services you subscribe to. So, let’s look at some things that you should be aware of.
I know most people are frustrated with this conversation. You are no doubt encouraged by most online services to constantly update your passwords. You might often find yourself staring into an empty password box trying to come up with some new complex password and wondering, “What cryptic algorithm should I use this time?” Know that you are not alone. I, too, am consistently perplexed as I try to drum up some new password that I hope to remember for the next 90 days or so.
The major problem here is that most websites and applications have been updated to meet new cyber security practices enabling more constraints on the passwords used. Basic cyber security principles require that users create more complex passwords, longer passwords, and not reuse past passwords. How is the average citizen of the Internet supposed to create, maintain, and use passwords that meet all of these requirements?
My first tip is to use a password manager. Password managers, among other things, store your passwords so that you do not have to remember them. Most password managers also provide browser extensions to fill in forms for you. Your passwords are encrypted and stored for later use. One of the many benefits of not having to remember your passwords is the freedom to use randomly generated passwords. These passwords, with no seemingly coherent pattern or logic, are harder to crack or guess.
I currently use BitWarden as my password manager. I can access it from anywhere on the Internet, from my phone, and from the browser extension I installed on Google Chrome. It will prefill the username and password fields for sites I have configured it to manage. Just be sure you do not share your master password, which allows access to the utility. Also, consider adding two-factor authentication on BitWarden, which will make it even more difficult for someone to gain access to your valuable passwords.
As I mentioned above, two-factor authentication (2FA) is useful for further protecting your digital assets. Two-factor authentication requires more than a password for authenticating to applications, sites, and services. You might be using 2FA without knowing it today. Have you ever entered your password and then been sent an SMS text message with a code that must be entered before you gain access to a site? That is 2FA, with SMS used as the secondary mechanism. To understand why this is important, you must consider the factors of authentication. When we talk about factors of authentication, we focus on phrases such as “something you know”, “something you have”, and “something you are”.
An example of something you know is the common password or passphrase. Something you have is a key, token, phone (for SMS text), etc. Something you are refers to biometrics. Over the years, cyber security professionals have proposed other factors that can be used to secure systems, but the three most common are the ones I have laid out above. While a hacker may be able to steal your password (and, trust me, this is not difficult), it would be more difficult for them to both have something of yours and know your password. Layering these factors on top of one another multiplies the effect by ensuring that the attacker must have all of the above to gain access.
One 2FA mechanism on the market today is the Yubikey. This hardware device allows anyone with a PC, phone, or NFC device to enable 2FA on supported applications and services. Even BitWarden, mentioned above, can use a Yubikey for 2FA along with your master password. I would suggest that if you decide to use a password manager after reading this post, you find one that supports a hardware token or key. Check out the site to see some of the services that support Yubikey. Chances are, you are already using a service today that supports it.
Think Before You Click
I cannot emphasize this next topic enough. Literally, I cannot overemphasize this next topic. Every computer system user must understand the ramifications of haphazardly clicking on links, pictures, files, etc. Before you click on a link in an email, hover the pointer over the link and look at the bottom of your screen, or at the overlay that pops up, to see where the link actually goes. See the example below.
In the image above, I have opened an email from Marriott.com and I have held my pointer over one of the links. The box at the bottom left shows the destination of the link. You might be asking, “Doesn’t the text of the link show me the destination?” Well, the short answer is no. That is one common trick attackers use to draw you to a site that they control in order to steal your info or load malware onto your computer. When you are looking at an email, there are a couple of things you should be keenly aware of. Check the header of the email to see if it is legitimately from the expected sender. Also, check the links to ensure they really go to the locations you expect.
It is not only emails we have to be wary of. As you browse the Internet, you will come across links on pages that could lead you to suspicious locations. You may download a seemingly harmless file and quickly learn the lesson of how executable files can damage a healthy computer. If you are not sure, then don’t click it. It seems like such simple advice, but this type of activity occurs all the time and so many users are fooled by simple means. Getting info from users is not nearly as difficult as you think. Visit the following link for information on social engineering.
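As an added illustration (this is not code from the original post), the following Python script does in code what the hover check does by eye: it pulls every link out of a constructed sample email and flags those whose visible text names one domain while the real destination is another. The sample HTML, the "last two labels" domain heuristic, and all function names are my assumptions, not something the post provides.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample email: one honest link, one link whose text shows a
# marriott.com URL but points elsewhere, and one whose text is a bare domain
# but whose href is a raw IP address (198.51.100.7 is a documentation address).
SAMPLE_EMAIL_HTML = """
<p>Thanks for staying with us!</p>
<a href="https://www.marriott.com/offers">View your offer</a>
<a href="http://marriott.com.example-login.net/verify">https://www.marriott.com/account</a>
<a href="https://198.51.100.7/reset">Marriott.com</a>
"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag in the HTML."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registrable_domain(host):
    """Assumed heuristic: treat the last two labels as the owning domain."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def displayed_host(text):
    """If the link's visible text looks like a URL or domain, return its host."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname or ""
    return host if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host) else None

def find_mismatched_links(html):
    """Return (text, href) pairs where the text names a different domain
    than the href actually leads to, mirroring the hover check."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        shown, real = displayed_host(text), urlparse(href).hostname or ""
        if shown and registrable_domain(shown) != registrable_domain(real):
            flagged.append((text, href))
    return flagged
```

Link text that is plain words ("View your offer") is not a domain claim, so it is left alone; only text that visibly names a site is compared against the real destination.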
I’ll conclude by reiterating the importance of following basic cyber security. Keep passwords a secret. Do not share your passwords with anyone. Never reuse the same username and password combination on another site or service. Choose random passwords and use a password manager to make it easier to be secure. Consider using multiple layers of authentication to make life more difficult for hackers. Lastly, always think twice before clicking. Following these basic steps will help to ensure your safety and protect your personal information.