The following is adapted from Fire Doesn’t Innovate.
We all know people whose definition of password security is writing their password on a Post-It Note and slapping it on the side of their computer monitor.
Some of us might even be guilty of committing this sin against password security.
Even if you don’t display your password for all the world to see, you might be making the common mistake of using the same password for multiple accounts. If you reuse the same password everywhere, it’s easier for a cyberattacker to compromise your accounts.
If this doesn’t seem like a big deal to you, consider this example. The genealogy website MyHeritage was compromised in 2018, meaning the user IDs and passwords of all its users were exposed. If any of the website’s users reused that same ID and password for their online banking account, their money would be at risk.
Online bank security is very good, so rather than attack the bank, a cybercriminal would get user ID and password data from MyHeritage and feed those combinations into software designed to automatically attack the bank’s website. They’re looking for a weak link to exploit, and if you reuse passwords, you are that weak link.
How can you prevent your password from being exploited? Here are some tips.
Step #1: Enable Two-Step Authentication
By enabling two-step authentication with your bank, you can discourage criminals from accessing your bank account online, even if they have your login and password.
If you’ve ever received a text message with a series of numbers that you have to type into the bank’s website, then you’ve already done this. If not, then look into it.
Turning on two-factor authentication on every website where it’s available will go a long way toward preventing someone from stealing your data.
Every time you make it even more difficult for a cybercriminal to steal from you, they’ll be more likely to stop their attack entirely and move on to an easier target.
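As an added example (not from the book or the author), this is what the bank’s side of that text-message code check can look like: a random six-digit code that is stored only as a hash, expires after five minutes, is single-use, and allows only a few wrong guesses, so a criminal who already has the password still cannot brute-force the second factor. The class name, limits and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed length of the code sent by text message
CODE_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5         # assumed number of guesses allowed per code


class OneTimeCodeStore:
    """Server-side second factor: a short random code delivered out of band
    (for example by SMS), valid for a few minutes and a handful of attempts."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # user_id -> (code_hash, expires_at, attempts_left)

    def issue(self, user_id):
        # secrets.randbelow gives a uniformly random code; zero-pad to CODE_DIGITS
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = (
            hashlib.sha256(code.encode()).digest(),   # never keep the code in the clear
            self._now() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        )
        return code  # this value is what gets texted to the user's phone

    def verify(self, user_id, submitted):
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[user_id]   # expired or exhausted: force a fresh code
            return False
        ok = hmac.compare_digest(code_hash, hashlib.sha256(submitted.encode()).digest())
        if ok:
            del self._pending[user_id]   # single use: a replayed code is rejected
            return True
        self._pending[user_id] = (code_hash, expires_at, attempts_left - 1)
        return False


def login(user_id, password, submitted_code, password_ok, codes):
    """Both factors must pass; a password leaked from another site is not enough."""
    return password_ok(user_id, password) and codes.verify(user_id, submitted_code)
```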
Step #2: Use a Password Manager
Another step you can take to increase your online security is using a password manager. By doing so, you no longer have to remember all of your passwords and PINs, which is one of the main reasons why people reuse them.
If you don’t have to remember them each time you log in to an account, not only can you choose a unique password for every site, but you can also choose long, complicated passwords, things you could never remember on your own.
Even better, your password manager will enter your credentials into the webpage for you. You get better security and it’s easier to use. What a great combination!
Use a high-quality password manager to store your passwords as well as your non-obvious answers to security questions. LastPass and 1Password are both high quality, and both have a built-in secure note feature where you can keep your security question answers.
One valid criticism of password managers is that if someone hacks into that account, they will have access to everything. My response is simple: if you’re going to put all of your eggs into one basket, make sure it’s a strong basket.
Step #3: Take Security Questions Seriously
In addition to using easy-to-guess passwords, people often make their security questions easy to guess too. Part of the reason they’re easy to guess is that the questions are poorly designed. Typical questions include “What high school did you go to?” and “What town were you born in?”
The problem is that all of that information is public record, not to mention that most people have shared that information on Facebook at one time or another.
One strategy to improve your password strength is to set non-obvious answers to your security questions, then store the answers in your password manager.
If the security question is, “What was your first car?” instead of saying it was a Chevy Nova, choose a response that doesn’t fit the prompt, such as Applechicken22.
No one is ever going to guess that, and the person to whom you are trying to prove your identity doesn’t care what the answer is as long as it matches what they have on file.
Security questions are generally focused on things you can easily remember because you never want to forget those answers; otherwise, you can’t prove who you are.
Unfortunately, the easier they are to remember, the easier an attacker can guess them.
For more advice on improving your password security, you can find Fire Doesn’t Innovate on Amazon.
Kip Boyle is founder and CEO of Cyber Risk Opportunities, whose mission is to enable executives to become more proficient cyber risk managers. His customers have included the U.S. Federal Reserve Bank, Boeing, Visa, Intuit, Mitsubishi, DuPont, and many others. A cybersecurity expert since 1992, he was previously the director of wide area network security for the Air Force’s F-22 Raptor program and a senior consultant for Stanford Research Institute (SRI).