Cybersecurity Hygiene: Why There’s No Excuse For Compromised Accounts In 2021

There is a common concern my friends and colleagues have been talking about recently, and it’s the increasing number of data breaches and account credential leaks in the last year. Since April 2021, Have I Been Pwned has reported over 761 million unique account leaks, and it doesn’t look like hackers are slowing down their efforts to obtain your unique usernames and passwords. If you aren’t using the following two account security measures to protect your data and identity online, you better start!

IBM has estimated that the average data breach costs a company $3.86 million USD, and that figure includes the business lost when a breach tarnishes the company's reputation. It's interesting to read up on how breaches affect businesses, but it also highlights what malicious actors intend to do with your information: sell it to other criminals, use your personal information for identity theft, take over high-profile accounts to send unsolicited messages to followers or friends, and extort money from people through phishing scams.

So, if 20% of the companies that experienced a security incident trace it back to a stolen or compromised credential, then your details may already be floating out there. And with our ever-growing collection of accounts for each food delivery service, social network, dating profile, bank and credit card organisation, changing leaked passwords one by one becomes a laborious task.

The mentality you should have here is to assume your login credentials will eventually be compromised. Reusing the same password on different services and websites needs to stop, and using a second factor of authentication needs to start.

Passwords (and Password Managers)


I just checked the number of accounts I have registered and saved in my password manager: 657. If you’ve lived on the internet for as long as I have (about 15ish years) you’ve probably accumulated just as many, if not more; I tend to request to delete accounts of apps and websites I no longer use, as a way to maintain online security hygiene. When Drizly was hacked last year, I knew I didn’t have to do much to re-secure myself. I changed one password and moved on with my life (and possibly claimed the $14 award from the class-action settlement, while I ordered a pack of espresso martinis).

You’ve heard about password managers before (LastPass, 1Password, Google Password Manager, iCloud Keychain), but you’ve now accumulated 15 years of account login information and even thinking about moving all your credentials into an app overwhelms you. That makes total sense, and I’d never have you change all your account passwords in one sitting. Think of this task as an evolution of your online safety - it’ll happen over time, as you use each service. You pay your rent once a month, so the next time you log in you change your property management portal password and your bank account’s password to something random and add them to your password manager. You log in to Twitter, but before you start infinitely scrolling through today’s memes, you change your password and add it to your password manager. You just increased your online security hygiene!

The type of password manager you use doesn’t matter; just use one, whichever is most convenient for you. If you have an iPhone, you can set up your phone to generate and save random passwords to your iCloud account. If you use Chrome on your Android or iPhone device, Google has you covered. My organisation gives me a free premium subscription to LastPass, so check if you have perks like that. 1Password gets a nice write-up too. Pick one, stick to one, and guard your main password with your life.

Your main password should be the only password you remember. There are so many articles on how to pick a good password. I like this one because it contains the XKCD comic that got me thinking about password complexity when it was first published 10 years ago, with a little modern-day context. The key takeaways: it should be longer than 12 characters, include numbers, symbols and capital letters, not be a dictionary word, and not contain any part of your name, your email, or anything personally identifiable. Think about obscure business names, weird objects you’ve come across, or even randomly generated galaxy names, and combine a couple of them - correct-horse-battery-staple style.
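As an added example (not from the original post), the two ideas above in code: a passphrase generator that joins random words correct-horse-battery-staple style, the entropy such a passphrase has against an attacker who knows the word list and the scheme, and a checker for the takeaways listed above. The word list is a constructed miniature; a real generator would use a list of several thousand words.

```python
import math
import re
import secrets

# Constructed miniature word list for the demo. A diceware-style list has 7776 words.
WORDS = ["correct", "horse", "battery", "staple", "quasar", "pylon",
         "thimble", "gecko", "orbit", "saffron", "lantern", "walrus"]


def generate_passphrase(n_words=4, wordlist=WORDS, sep="-"):
    """Pick n_words uniformly at random with a CSPRNG (secrets, never random)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of a random passphrase: log2(wordlist_size ** n_words).
    Four words from a 7776-word list give about 51.7 bits; each extra word adds ~12.9."""
    return n_words * math.log2(wordlist_size)


def check_master_password(pw, personal=()):
    """Return the takeaways from the post that `pw` violates (empty list = passes).
    `personal` holds strings like your name or email whose fragments must not appear."""
    problems = []
    if len(pw) <= 12:
        problems.append("shorter than 13 characters")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[A-Z]", pw):
        problems.append("no capital letter")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    if pw.isalpha():
        # a single run of letters is the shape a dictionary word has
        problems.append("looks like a single word")
    lowered = pw.lower()
    # split names and emails into fragments (local part, domain, first/last name)
    frags = {f for item in personal for f in re.split(r"[@._\s-]+", item.lower()) if len(f) >= 3}
    for frag in sorted(frags):
        if frag in lowered:
            problems.append(f"contains personal info '{frag}'")
    return problems
```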

Second Factor Authentication

Okay, you’ve set up a secure main password that’s protecting all the randomly generated passwords in your password manager. You’re slowly, but methodically, resetting the password for each account as you log into it, and saving it into your password manager. There’s one more layer of security that will help limit the damage a compromised password can do to your account data. Remember, we’re assuming all passwords will eventually be compromised, so how can we prevent access to our online accounts when that inevitably happens? Second-factor authentication, also called multi-factor authentication or 2FA for short, is that extra layer we need.

Many of the services we use have probably implemented a form of second-factor authentication. You can check which services have 2FA in their account security settings, along with details on how to enable it for each service, at 2fa.directory. There are many different types of 2FA, but the idea is that your password is something you know (and easily stolen), while the second factor is something you have (not as easily stolen). That something you have is typically an SMS code sent to your phone, a code sent to your email, a hardware token, or an authenticator app. Authenticator apps and hardware tokens are the safest forms of 2FA; someone has to steal something physically in your possession, like your mobile phone or a security key. SMS is unencrypted and the least secure of the methods, and if your email password is compromised (and you haven’t enabled 2FA on your email account), then the code delivered to your inbox is accessible to attackers.

Don’t let me stop you from using SMS codes, however. Prefer the more secure options where they are offered. If the only option presented to you is codes sent to your phone, great! Set it up! You’ll need to make sure you’ve secured your phone with a 6-digit PIN or some form of biometrics, but do not skip a form of second-factor authentication just because it isn’t the most secure. Any layer of security beyond your randomly generated password is better than none.

Just be mindful of the methods attackers use to gain access to your phone. Did you know that if you don’t set a SIM PIN, anyone can pop your SIM card out of your phone while you’re not looking, insert it into their phone, and then request an SMS code for an account they already have your password for?

When people come to me for account support, it’s typically because they reused a password that was exposed in a recent data breach of a different website, and they hadn’t set up second-factor authentication. In every instance, 2FA would have prevented the unauthorised login. Most large tech companies have made it straightforward to recover a compromised account using a number of data points, but it isn’t always successful, and there’s only so much I can do on your behalf to regain access. Proactive prevention of unauthorised account access is the best form of online defence. By the time you notice a breach and seek assistance, it may already be too late.



If you’d like to increase your digital security, reach out to our consultants at contact@hba.consulting.

Technology analysis reports like this one are part of what we love to do! If you need concise research reports on tech topics like these, start a conversation with us.

