Often times I am asked by friends and family: what’s the most important thing I can do to protect myself online? The answer I always give to them is to never use the same password on multiple sites. Ever.
The reason this is my number one answer is simple: every day there is another breach announced. Some of these breaches are major events that you hear about on the nightly news, but most are from websites or services of which the majority of the public has never heard. According to PrivacyRights.org, there have been nearly 500 breaches in 2016 alone that have compromised a total of nearly 5 million accounts. Chances are at least one of your accounts was one of the millions compromised this year.
Passwords should never be reused across multiple sites because cyber criminals are commonly doing a password stuffing attack. This attack entails taking credentials stolen from one or more breaches in the past and re-using the valid credentials from the breached site against another non-breached site. It’s a very effective tactic since the majority of internet users re-use the same username and password combinations across multiple sites.
Reusing passwords is very risky in today’s internet landscape. Let’s say you reuse the same password across multiple sites. When a web forum for your personal hobby neglects to patch their website and gets hacked, cyber criminals now have the password not only to your forum but also potentially have access to your social network sites, email, and bank accounts.
Using a password manager greatly reduces the overhead required for having unique passwords across multiple sites. Even better, it’s incredibly easy to use random passwords against which it’s very difficult for an attacker to brute force, as opposed to using a variation of your pet fish’s name.
For non-technical folks, implementing and continually using a password manager solution can be too much of a hurdle to overcome. Even for highly technical folks, the risk of storing every password in a single location is too much to overcome.
Should a website be breached, or your password manager become compromised, you still are at risk of having your account hijacked. For every major website breach that we read about on the news, there are probably 100 more occurring which haven’t been detected or reported to the general public yet. We already know that the average time to detect a breach is well over 200 days, according to the yearly Verizon Data Breach Reports. In order to prevent having an account compromised by an unknown breach, users should implement two-factor or multi-factor authentication.
Traditional authentication factors are one of three components; something you know, something you are, and something you have. Something you know would be a password, something you are would be a fingerprint, while something you have would be a badge. Implementing two-factor authentication requires two of these three components to authenticate to a given system. Using a public system such as the internet makes it difficult to implement two-factor authentication due to the additional hardware components required, which is why many websites opt for multi-factor authentication instead. For those interested, David Bisson wrote a great article outlining the differences between two-factor and multi-factor authentication mechanisms.
Many popular websites provide an option for enabling multi-factor authentication. Once you supply your password, you will be prompted for an additional code to be granted access to the website. This can range from being sent a text message to having a third-party application provide a unique code. Most enterprises are familiar with the RSA SecurID key fob that uses a rolling code for authentication. For consumers who want a more affordable option, they could look to YubiKey. Even cheaper still could be a free option such as Google Authenticator, which is a mobile app that presents a unique code every thirty seconds.
For consumers, the decision of which technologies to use may depend on which multi-factor authentication solution their preferred websites have implemented. The website operator has to build in support for each multi-factor solution in order for it to work properly.
I urge each any every digital citizen to research each website they use to see if they support multi-factor authentication and adopt their usage wherever possible.