Today, I am going to ask you to do the impossible. Then, I will equip you to do the impossible.
How many online accounts do you have in total, counting every one you have ever set up? Now, how many separate passwords do you actually know, stored only in your own memory? If there is any discrepancy between those two numbers, it represents a risk. Why is this?
Every day, countless cybercriminals are trying to break into the password databases of every website imaginable: email, social media, shopping, banking, news, gaming — the list goes on. Now, we expect the highest level of encryption and security from our online banking providers, but do we extend that same level of trust to our local newspaper’s website? It is almost certain that at least a few of your online accounts store your password with weak protection, or worse, in plain text.
Once hackers compromise a password database, they will take those credentials and try them in other places, just trying to get a match. Therein lies the danger of password reuse. If even one of your passwords is shared across more than one web service, it is like having the same key that opens your home, business, car and safety deposit box. If even one of those keys falls into the wrong hands, it’s game over for your personal safety and security.
So, you must do the impossible: as many online accounts as you have, whether it is a dozen or several hundred, you must use a different password for each. Simply appending the letters “FB” for Facebook and “WF” for Wells Fargo is not sufficient to confuse a motivated attacker. They must be completely unique, which becomes more difficult as the number of online accounts climbs.
You need a big key ring for all those unique keys, and fortunately a password manager can do that for you, without the jingling. Services like LastPass, Keeper and Bitwarden exist to create, remember and auto-fill complex, unique passwords for every web service you use. A password manager takes the stress and frustration out of regular password changes while giving you extra brain space and, eventually, hours of your life back.
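To put the “unique password for every account” rule to a test, here is an added example (not code from the column or from any of the products named above) that audits a password-manager export for reuse. It assumes a CSV export with `name`, `login_username` and `login_password` columns, embedded below as constructed sample data, and it also catches the “append FB or WF” habit, which a plain duplicate check would miss.

```python
import csv
import io
from os.path import commonprefix

# Constructed sample of a password-manager CSV export (assumed column names;
# real exports differ per product). No real credentials.
SAMPLE_EXPORT = """name,login_username,login_password
Facebook,alice@example.com,Tr0ub4dor&3FB
Wells Fargo,alice@example.com,Tr0ub4dor&3WF
Local Newspaper,alice,Tr0ub4dor&3
Gaming Forum,alice77,Tr0ub4dor&3
Bank of Example,alice@example.com,correct-horse-battery-staple-9
"""


def is_variant(a, b, min_stem, max_tag):
    """True if a and b are the same password or differ only by a short site tag."""
    stem = len(commonprefix([a, b]))
    return stem >= min_stem and len(a) - stem <= max_tag and len(b) - stem <= max_tag


def find_reuse(export_csv, min_stem=8, max_tag=3):
    """Return groups of site names whose passwords are identical or near-identical.

    max_tag=0 reports only exact duplicates; max_tag=3 also catches the
    'append FB for Facebook, WF for Wells Fargo' habit the column warns about.
    """
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    parent = list(range(len(rows)))  # union-find over vault entries

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(rows)):
        for j in range(i + 1, len(rows)):
            if is_variant(rows[i]["login_password"], rows[j]["login_password"], min_stem, max_tag):
                parent[find(i)] = find(j)

    groups = {}
    for i, row in enumerate(rows):
        groups.setdefault(find(i), []).append(row["name"])
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    for group in find_reuse(SAMPLE_EXPORT):
        print("shared or near-shared password:", ", ".join(group))
```

Run it against your own export only on a machine you trust, and delete the export file afterwards; the report lists every group of sites that would fall together if one of them were breached.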
A common objection to using a password manager is the risk of that company getting breached; then, the crooks would have the “keys to the kingdom” for all of its users. But a company whose sole purpose is security is much less likely to be breached, since its business model depends on having the proper controls and protections in place. Securing your account with a good passphrase, such as “Warpfactor7,engage,” reduces the chances of your master password being cracked. Also, make sure to turn on multifactor authentication for the password manager (and any other service you use that supports it). If the database is breached, the bad guys still can’t get into your account without your one-time code. Taking that step alone will help you sleep better at night.
The up-front work of moving to a password manager is the biggest expense, but the return on investment for your security posture is tremendous. Secure yourself or your whole company with strong, unique passwords and multifactor authentication wherever possible, and attackers will move on to easier targets.
Chris Tuzeneu, C|EH CISA, serves as systems administrator for Bankers’ Bank of the West and as an IT auditor and ethical hacker for CivITas Bank Solutions, a Bankers’ Bank of the West Bancorp, Inc. company, which exists to help community banks with IT and information security needs. You can reach him at firstname.lastname@example.org