In the world of security consulting, I constantly pontificate on the virtues of protecting your password and proper password management. That said, there are times when nefarious beings are able to get their hands on your password, as evidenced by the recent rash of password compromises at LinkedIn and Billabong. I recently even had the unfortunate experience of having my personal email account briefly compromised. What have I learned from these current events and from my recent experience? Here are 5 take-aways on protecting your password, yourself, and your business:
1) Use proper password management. This should go without saying – your critical passwords should ALWAYS be different from your common ones. My banking/financial passwords are not even remotely similar to the other passwords I use. For your uber-sensitive passwords, you may even ask your financial institution for a single-use password solution for performing remote banking/financial transactions. You may end up with some “quasi-public passwords,” some private passwords, and some sensitive passwords. There are gobs of articles, blog posts, etc. about how to choose a good password, so I will spare you the detail.
2) If one of your passwords does get compromised, change it ASAP. Keep in mind, sometimes you have no control over these situations. The compromises at companies like LinkedIn and Billabong occurred when the attackers got their hands on poorly protected (i.e. weakly hashed) passwords. Okay, changing your compromised password is a no-brainer. But you should also consider changing the passwords on any other accounts that use the same password. That’s because the attacker could attempt to use your credentials (user name/hacked password) on other accounts.
3) DON’T store your passwords ANYWHERE. Not in a file on your computer, not in some secure cloud, not in your email files. Do you leave your key under the doormat? No. Then don’t leave your passwords in publicly accessible areas either. How then can you remember these multiple passwords? What I do is write down a reminder of the password. This way, even if someone finds the reminder, they would have a difficult time guessing the password. Something like “bike” to remind you of the password “83NightHawk,” or “June gig” for “Ph1shAlpineValley.” These reminders can be sanity savers and can be used in a way that doesn’t really tip off anyone who may get their hands on that file.
4) Remove potentially scary stuff from your email NOW. If someone or something gets the password to one of your email accounts, do you know whether any messages in your email folders contain sensitive business or personal information, such as passwords, banking or tax information, or details about your clients or business? Yahoo and Gmail, for example, are just clouds for storing your email messages. You should do everything you can NOT to put any sensitive information where an attacker could get his or her hands on it.
5) Be Vigilant. It can happen to anyone — even if you are paranoid and careful. So be aware and ready to respond.