How to Protect Your Accounts and Passwords from Getting Hijacked
If you’re like most people, you use the Internet for just about everything: shopping, banking, bill-paying, communicating with friends and family…the list goes on and on. The convenience of being able to manage so many aspects of your life from your computer or smartphone is simply unbeatable. However, most people also don’t realize the very real risk of a security attack that could wreak havoc on their everyday life.
Should someone hijack one of your accounts or passwords, the results could be devastating. The attacker could access highly sensitive information—including bank account information, personal data like your home address and Social Security number, all of your photographs, sensitive documents from your job, and more. Even worse, many people use similar passwords for several or all of their accounts—meaning that if a hacker gains access to one of your passwords, they may be able to crack more of them.
As a password security consultant, I’m constantly reminding my clients about these risks—not as a scare tactic, but because I’ve seen real-life “horror stories” of people having their identities and credit cards stolen. More importantly, I know that by following a few security “rules,” people can greatly reduce their risk of a security attack or password hijacking.
Many of the clients I work with are eager to improve the security of their passwords and networks, but are unsure of where to start. Below are some of the most common questions I hear about password and Internet security.
How do I choose a strong password?
Passwords should be complex and, most importantly, hard to guess. Never use a password that contains the word “password,” your name, the name of the site or application, or an easy-to-guess sequence of numbers like “123.” Use a longer password that contains upper- and lower-case letters, digits, and punctuation. Always change the default password that an application or site provided to you, and never use an old password again. Passwords should be changed regularly, at least every three months.
But I have, like, a thousand passwords. There’s got to be an easier way.
There is. Password management systems allow you to control all of your passwords from a centralized program and automate time-consuming security tasks like new password generation, the automatic changing of passwords after a certain amount of time, and password encryption.
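The rules from the two answers above, turned into working code. This is an added example, not code from the article or from any particular password manager: a checker that rejects the patterns the article warns against (the word "password", your own name or the site name, easy digit sequences like "123", missing character classes, reuse of an old password) and a generator that produces a random password satisfying them, which is the kind of task a password manager automates. The minimum length of 12 and the history-hash scheme are my assumptions; the article gives no specific numbers.

```python
import hashlib
import secrets
import string

# Policy values are assumptions for this example; the article sets no specific length.
MIN_LENGTH = 12
BANNED_WORDS = ("password",)
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def has_digit_run(pw: str, run: int = 3) -> bool:
    """True if pw contains an ascending or descending run of digits ("123", "987")."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if not chunk.isdigit():
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def password_fingerprint(pw: str) -> str:
    """Hash used only to remember previously used passwords for the reuse check.
    A real credential store would use a salted, slow hash (PBKDF2, scrypt, Argon2)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw: str, username: str = "", site: str = "", history=()) -> list:
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation")
    # Never embed "password", your own name, or the site/application name.
    for word in BANNED_WORDS + tuple(w for w in (username, site) if w):
        if word.lower() in low:
            problems.append(f'contains "{word}"')
    if has_digit_run(pw):
        problems.append("contains a sequential digit run such as 123")
    # Never reuse an old password: compare against fingerprints of past ones.
    if password_fingerprint(pw) in history:
        problems.append("reuses a previous password")
    return problems


def generate_password(length: int = 16, username: str = "", site: str = "", history=()) -> str:
    """Draw from a CSPRNG until the candidate satisfies every rule in check_password."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate, username, site, history):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_password("Password123!", username="alice", site="example-shop"))
    print(check_password("Tr0ub4dor&3-Horse"))
    print(generate_password(username="alice", site="example-shop"))
```

The generator loops rather than patching a candidate into compliance, so every accepted password is still a uniform draw from the alphabet; the reuse check stores only fingerprints, never the old passwords themselves.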
What is multi-factor authentication? I saw that Google and Facebook are now offering it.
Multi-factor authentication (MFA) is a type of security authentication that requires users to present at least two of the three security “factors”: something you know (like a password or PIN), something you have (like a one-time code generated from a token device or mobile app), and something you are (like a fingerprint).
In the event that one of your passwords is compromised, an external hijacker wouldn’t be able to provide the second form of authentication needed to access your systems. Because of this, using multi-factor authentication greatly enhances the security of your accounts and programs, making them nearly impossible for outsiders to attack.
What is two-factor authentication?
Two-factor authentication (TFA) is a type of multi-factor authentication. While MFA refers to three or more of the security factors, by definition, TFA requires only two.
But I’ve never had to use multi-factor authentication before.
Actually, you probably have. If you’ve ever used an ATM, you first had to insert your bank card (something you have), and then enter your PIN (something you know). This is a great example of TFA.
What’s the easiest method for multi-factor authentication?
There are many options for implementing multi-factor authentication in your system. In the past, external devices (like hardware tokens on which one-time passwords are displayed) and smartcards were among the most popular options. However, the explosion of smartphones and portable devices on the market has made “soft tokens” the top choice for many users. With soft tokens, users can generate a one-time password using a secure app on their mobile phone or tablet. Many of the clients I’ve worked with have found the combination of a required password and soft token to be the most cost-effective and convenient multi-factor authentication software solution.