Password stolen: an ounce of prevention

My response to a HARO question: Recent hacks potentially compromised the passwords of hundreds of thousands of users on popular websites, a real problem since people seldom maintain unique passwords. This story looks at what you should do when your password is potentially compromised, outlining good password hygiene.

This got me thinking about a situation where someone has used the same password across almost every site and service on the Internet and then finds out it is compromised. I could brainstorm lots of ideas on how to prevent this from happening, but very few for once it had actually happened.

Response - the pound of cure

If the password is for a single site then you can follow a process like this:

The problem really arises if that same password works for tens if not hundreds of sites, and worse still if you are not even aware of which sites you have used that password on. Or the password is for your email accounts, which lets someone reset passwords on other sites or gather enough personal information to make a good guess at other passwords or secret questions. If this is the case, then I think you need a multi-pronged approach:
  • Discovery: use sources such as your browser history or the list of sites your browser has saved passwords for to identify where you need to change your password.
  • Prioritize: target the critical sites that can really hurt you. Anything banking or payments related, including anywhere you have linked your credit card or bank account, e.g. PayPal, iTunes, a betting or online stock broking account; email accounts that could be used to reset passwords; social networking and other sites which hold a lot of identity information.
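The discovery and prioritize steps above can be scripted against a browser's saved-password export (commonly a url,username,password CSV). This is an added example, not from the original post: it takes a constructed sample export, lists every site where the compromised password is reused, groups them with a hypothetical keyword heuristic for priority, and also flags stored passwords that fail the strength rule given later in the post.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export in the url,username,password shape that browser
# password managers commonly use (hypothetical data, not real credentials).
SAMPLE_EXPORT = """url,username,password
https://www.examplebank.com/login,alice,Tr0ub4dor&3
https://mail.example.com/,alice@example.com,Tr0ub4dor&3
https://forum.example.org/,alice99,Tr0ub4dor&3
https://shop.example.net/account,alice,correct horse battery staple
https://pay.example.com/,alice,apple
"""

# Hypothetical keyword heuristic for the "Prioritize" step: critical first.
PRIORITY_RULES = [
    ("banking/payments", ("bank", "pay", "broker", "itunes")),
    ("email", ("mail",)),
    ("social/identity", ("social", "forum", "profile")),
]

def classify(url):
    """Map a URL to a priority bucket by matching keywords in its host name."""
    host = url.split("//", 1)[-1].split("/", 1)[0].lower()
    for label, keywords in PRIORITY_RULES:
        if any(k in host for k in keywords):
            return label
    return "other"

def meets_policy(pw):
    """Strength rule from the post: at least 8 chars with upper, lower, digit
    and symbol; a long multi-word passphrase (16+ chars) is accepted too."""
    if len(pw) >= 16 and " " in pw.strip():
        return True
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(p, pw) for p in classes)

def audit(export_text, compromised_password):
    """Return (reused, weak): sites sharing the compromised password grouped
    by priority bucket, and sites whose stored password fails the rule."""
    reused = defaultdict(list)
    weak = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["password"] == compromised_password:
            reused[classify(row["url"])].append(row["url"])
        if not meets_policy(row["password"]):
            weak.append(row["url"])
    return dict(reused), weak
```

Run `audit(SAMPLE_EXPORT, "Tr0ub4dor&3")` to get the reuse map and the list of weak entries; change the banking and email entries first, then the rest.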

Other measures you can take are to contact organizations such as your bank, which can then monitor your Internet banking, credit cards etc. more closely and raise the risk score for these in their systems. Getting some identity theft protection and monitoring of checks made against your credit record is also a good move, especially if you believe some of those critical sites have been compromised.

That was really it for response; not a great deal I could come up with. Prevention really does seem a lot better way to go, even if it just minimizes the number of sites impacted.

The ounce of prevention

There are a number of steps to prevent this from occurring:

Eliminating passwords - you could get a simple hardware token such as a YubiKey, and there are a number of sites that will let you use that instead of a password. Registering for OpenID is also a good idea: this lets you have one account for many different sites which, depending on the OpenID provider, can be strongly authenticated with something like a YubiKey or, if you choose Google, their new two-step verification process. Having a second authentication factor means that even if your password is stolen an attacker cannot get access to your accounts without also having the hardware token or your phone.

Password manager - there are a number of popular ones such as LastPass, 1Password and KeePass. An IronKey is also a good option as it provides a hardware-encrypted USB key with a built-in Firefox browser and password manager. These allow you to generate a strong password that is different for each site but still get the benefits of convenient login, and they can be accessed on your mobile so they are available everywhere. I wrote in more detail about password managers here.

Choose a strong password - good practice these days is at least 8 characters, with letters and numbers, upper and lower case, and symbols or special characters. This makes it unlikely that someone could guess or brute-force your password. Using a passphrase, a longer phrase that is memorable, is another good alternative.

Password reset - often a weak point. Make sure you choose strong security question answers, following the same practice as for choosing strong passwords, because there is no point having a strong password that can be reset with "apple" and "england". Having an alternate email account registered to receive password resets in case your primary is compromised is also a good idea.

Internet hygiene - there are simple measures you can take to avoid disclosing your password online: not clicking on links from senders you do not recognize, not opening email from senders you do not recognize, running up-to-date antivirus and a personal firewall, and patching your operating system, browser and common programs like Acrobat Reader, Office and Java. Run a few useful add-ons like NoScript (which lets you enable JavaScript only where you want it) and HTTPS Everywhere (which attempts to connect to the secure versions of all your favourite sites). Only enter your password after verifying in the address bar that it is actually the site you are supposed to be at and that there is a padlock indicating you are browsing over HTTPS. You will never win a free iPad, so avoid those free surveys!

Photo credit: Ngọc Hà (Flickr)
