Another day, another security breach. Today Kickstarter announced that hackers obtained unauthorized access to customer data. No credit card information was taken, apparently, but encrypted passwords (hashed, strictly speaking) were taken, and sometimes that can be worse. I can probably speak for a segment of identity theft victims by saying I'm fairly sure they wish the damage inflicted was only a temporary, trivial financial setback.
Here's What You're Probably Doing Wrong
Remembering several different passwords is a hassle, so it's usually easiest to share the same password among several accounts. Even if you use different variations (MyP@ssword1, MyP@ssword2, MyP@ssword3, etc.) this is a horrible idea: once one of them leaks, the variations are the first thing a cracking tool tries. If one online service is compromised then hackers might obtain access to several of your accounts. To make it worse, many login names now simply use the email address. Did you use the same password with your Kickstarter account that you use with your email account? Is your Kickstarter username firstname.lastname@example.org? See where I'm going?
It gets even worse when you share passwords between work and personal systems. Sign up for some podunk online service that uses terrible security practices, and it gets hacked? Now some shady people might have your work webmail password, your CRM system password, your website administrator password, or even your VPN password. You can probably expect some classy porn pics smack dab on your company's website.
Today's computers are incredibly powerful, so a stolen password hash doesn't protect you the way it once did: a single GPU can test billions of guesses per second against a fast hash like SHA-1, and cracking tools try every common pattern before they try anything random. Have a short password with only one special character, one uppercase letter, and one number? Good luck with that.
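To make the two points above concrete (reused variants and short "complex" passwords), here is an added example in Python; it is not from the original post. It models a breach of "site A" that revealed the plaintext MyP@ssword1, and the same user's record at "site B", which stores a salted SHA-1 the way Kickstarter's older records did. The salt, the second password and the hash rate are constructed for the example, and the mangling rules are a miniature of the rule sets cracking tools such as hashcat apply to every leaked password.

```python
import hashlib
import math
import string

# Constructed for this example: a password recovered in plaintext from a
# breach of "site A", and the same user's record at "site B", which stores
# a salted SHA-1 of a *different* password that follows the same pattern.
LEAKED_PASSWORD = "MyP@ssword1"
SITE_B_SALT = b"c0ffee"          # constructed salt
SITE_B_PASSWORD = "MyP@ssword2"  # what the user actually chose at site B


def salted_sha1(password: str, salt: bytes) -> str:
    """Site B's (weak, fast) password hash: SHA-1 over salt || password."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


SITE_B_HASH = salted_sha1(SITE_B_PASSWORD, SITE_B_SALT)


def mangle(base: str):
    """Yield the variants a cracker's rule set tries first from one known
    password: re-numbered suffixes, common appendages, case flips, leet."""
    yield base
    stem = base.rstrip(string.digits)            # "MyP@ssword1" -> "MyP@ssword"
    for n in range(100):                         # MyP@ssword0 .. MyP@ssword99
        yield f"{stem}{n}"
    for suffix in ("!", "!!", "1!", "123", "2014"):
        yield base + suffix
        yield stem + suffix
    yield base.lower()
    yield base.upper()
    yield base.translate(str.maketrans("aeios", "43105"))


def crack(target_hash: str, salt: bytes, leaked: str):
    """Try each variant against the salted hash; return (password, guesses)
    or (None, guesses) if the rule set is exhausted without a hit."""
    guesses = 0
    for candidate in mangle(leaked):
        guesses += 1
        if salted_sha1(candidate, salt) == target_hash:
            return candidate, guesses
    return None, guesses


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly *random* password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at a given hash rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    found, n = crack(SITE_B_HASH, SITE_B_SALT, LEAKED_PASSWORD)
    print(f"site B password recovered: {found!r} after {n} guesses")

    # Assumed hash rate: ~1e10 SHA-1/s is the order of a single modern GPU.
    rate = 1e10
    for label, length, alphabet in (("8 random keyboard chars", 8, 95),
                                    ("11 random chars (what MyP@ssword1 only looks like)", 11, 95),
                                    ("50 random chars", 50, 95)):
        bits = keyspace_bits(length, alphabet)
        print(f"{label}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, rate):.2e} years to exhaust")
```

The site B password satisfies every "one uppercase, one digit, one special character" policy and still falls on the fourth guess, because it was derived from something the attacker already had. The keyspace figures only apply to passwords that really are random: an 8-character one is exhausted in days at that rate, a 50-character one never, and a human-chosen "complex" password is nowhere near either number.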
Never Changing Passwords
When I first started following better security practices, I noticed that my Gmail password hadn't changed since I created it several years ago. That's ridiculous. It wasn't a complex password, either. I was really lucky that no harm came from that. There's an upcoming story of somebody who wasn't so lucky.
The Most Hated Man On The Internet - A Case Study On Reckless Web Usage
Several months ago I noticed a link on my Twitter feed with the title "Most Hated Man On The Internet." Thinking somebody was talking about me, I clicked the link and read a story that made me sick. Here's a link: Hunter Moore: The Most Hated Man on the Internet
tl;dr version: A young adult female didn't use common sense and had a nude picture of herself saved in her email. Somehow (she presumably followed some of the bad habits listed above) her email account was compromised and the picture appeared on a Revenge Porn website along with her name, address, link to her Facebook profile, and employer information. How would you like it if this was you or a family member?
Conventional Online Wisdom No Longer Applies
How can you protect yourself? Here are a few guidelines you can follow:
I am not an expert and this blog post should only be considered a call to action instead of a definitive guide. Find an expert online and follow their lead. My expert of choice is Troy Hunt. Follow him on Twitter, read his blog, and do what he says. A lot of the stuff he explains on his blog is confusing even to an IT professional like me, but if you can glean a general understanding of what he's talking about then you will be better off.
Use Common Sense
As mentioned in the story above, a person saved a nude picture of herself on her webmail account. Come on. Everything you put on the web is public information and you can never get rid of it. Everything you say, everything you post on Twitter, every email you send is now fair game. Post wisely.
Use Password Management Software
This is a big one and it's probably going to cost you a little money. The best case scenario with password complexity is having a password so complex that there's no way you can possibly memorize it. All of my passwords are similar to the following: *8=48t9+7[63Y3>]:76/#z%$4Q@G&T97i)(.3}2?4296C,2o^D. Got that? And no, they are not written on a piece of paper taped to my monitor.
There are a lot of password managers out there that claim to be the most secure, but how can you be sure? Following the recommendation of expert Troy Hunt, I use 1Password. It was a little tough swallowing the fact that I was going to have to drop some hard earned cash on it, but it has several great features, was highly recommended, and has mobile apps. The Windows version is a little rough at the moment but a new version is going to be released soon. I was told that if I bought now I would obtain the new version when it was released, but I would urge you to contact their support and get the same assurance personally. I'm not going to go into the features and how I use it as their documentation is superb. Try their 30 day trial; you won't want to stop using it.
Also, since you probably are maintaining 3,754 work passwords, I don't think it's out of the realm of possibility for you to suggest to your employer that they pick up the tab on password management software. After all, they probably have more to lose from a data breach than you do.
Here are some other recommendations I routinely hear mentioned:
Don't Trust Password Strength Meters
If you use password management software like I recommended above, this is probably a moot point because you're presumably generating very complex passwords. If you're not, you shouldn't put your trust in those little funky gauges telling you that your password is secure enough in their opinion. Would you trust a random stranger to analyze your home security?
Use Credit Cards Only Online
Do not use debit cards online. They do not provide the level of support and protection that the big credit card companies do: a fraudulent credit card charge is disputed before you pay, while a fraudulent debit card charge is money already gone from your bank account. Do research on the credit card you use and ensure the issuer has ample safeguards against stolen card numbers.
Demand Safe Practices
After I started using a password manager I was surprised at the number of websites that cap password length at something below 50 characters. The developer in me questions their password hashing process if they care about password length. If you run into this on a company's website, push the issue publicly on Twitter.
Some websites even limit the special characters you can use in a password. This is ridiculous and downright reckless on their part. Most notably (probably because I ran into it this week) the popular credit card processor Authorize.Net doesn't let you use certain special characters in your password. On a website dedicated to security. That secures credit card information.
Also, under no circumstances should a Forgot Your Password function ever provide you with your current password. It should always, always, always force you to change it to a new password. If a website can send you your current password, it is storing that password in plaintext or in a reversible form rather than hashing it, and whoever breaches the site gets every customer's password at once. Call them out in public on Twitter. Money talks - take your business elsewhere if necessary.
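The three demands above (no short length caps, no banned characters, no password sent back by "forgot your password") all come down to one server-side design, shown here as an added example in Python. It is not code from the post or from any site mentioned in it; the in-memory dictionaries, the 900-second token lifetime, the 4096-byte ceiling and the iteration count are assumptions for the example. Because the password goes into a key-derivation function as bytes, neither its length nor its characters matter to the server. The only legitimate reasons for a cap are a KDF-specific limit (bcrypt silently uses only the first 72 bytes) or a generous sanity ceiling against denial of service, and neither justifies a 16-character maximum. And because only a salted, iterated hash is stored, the site could not send the password back even if it wanted to; all it can do is issue a single-use, expiring reset token.

```python
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 600_000        # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)
MAX_PASSWORD_BYTES = 4096   # sanity ceiling only, to bound KDF time per request

# Constructed in-memory stores standing in for database tables.
USERS = {}         # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # sha256(token) -> (email, expiry_unix_time)


def _kdf(password: str, salt: bytes) -> bytes:
    """Derive the stored key. The password is opaque bytes: no character
    is special, no length short of the DoS ceiling is rejected."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password too long")
    return hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)


def register(email: str, password: str) -> None:
    """Store only a per-user salt and the derived key, never the password."""
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": _kdf(password, salt)}


def verify(email: str, password: str) -> bool:
    """Login check. Runs the KDF even for unknown accounts so response time
    does not reveal whether the email exists, and compares in constant time."""
    rec = USERS.get(email)
    if rec is None:
        _kdf(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_kdf(password, rec["salt"]), rec["hash"])


def start_reset(email: str, ttl_seconds: int = 900, now=None):
    """'Forgot your password': there is no password to send back, only a
    random single-use token to email. Returns the token to be mailed, or
    None for unknown accounts (the UI should say the same thing either way)."""
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    # Store a hash of the token so a leaked table cannot be used to reset.
    key = hashlib.sha256(token.encode("utf-8")).hexdigest()
    RESET_TOKENS[key] = (email, now + ttl_seconds)
    return token


def finish_reset(token: str, new_password: str, now=None) -> bool:
    """Consume the token (single use, even on failure) and force a new password."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode("utf-8")).hexdigest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    register(email, new_password)
    return True


if __name__ == "__main__":
    # Constructed 200+ character password full of "disallowed" characters.
    long_pw = "correct horse battery staple 🔑 <script>'\"\\ " * 5
    register("alice@example.org", long_pw)
    print("login with long password:", verify("alice@example.org", long_pw))
    tok = start_reset("alice@example.org")
    print("reset:", finish_reset(tok, "a new one"), "reuse:", finish_reset(tok, "x"))
```

Nothing in the registration or login path ever looks at what the password contains, which is the whole point: a site that rejects a quote mark or a 60th character is telling you that something downstream of the form is handling the raw password when it should only ever see the derived key.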
Hackers are always looking for the easiest targets. If they need to spend too much time on you they will more than likely move along to the next person. A few safeguards can make you far more secure on the internet. Have any questions or suggestions? Post them below. Like I mentioned, I'm not a security expert but I can try to get you pointed in the right direction.