Update that password!
By Morf Morford
Tacoma Daily Index
For better or worse, passwords – and even the whole idea of passwords – define our era.
To work, access social media or buy anything online, you need a user name and a password.
A user name can be something approximating your actual name. Your online user name is essentially your public face to the internet – your front door, if you will. The password, at least in theory, is the key to your front door. Your password is the one feature that keeps us (relatively) secure.
At least in theory.
Password weakness and vulnerability is the stuff of legend in all kinds of stories and personal encounters.
Passwords are the ultimate weak link in our online presence.
Password “leakage” is a problem, an embarrassment or even a small catastrophe for us as individuals, but for those companies or agencies that hold millions of accounts or have access to crucial data or financial records, the impacts can be disastrous beyond imagining.
Just in 2019 we saw Facebook in back-to-back incidents, admitting to both exposing passwords belonging to hundreds of millions of users, and breaching user privacy by asking for the email passwords of new users and harvesting contacts without consent.
The tech giant brought giant problems on itself by storing account passwords in plaintext within its internal data storage systems for years, violating a security best practice followed by most companies and services to protect user data from prying eyes.
And then, later in the year, the company also left a server unprotected without a password, exposing phone numbers and records of over 400 million users.
For a company under increasing scrutiny for how it handles its accounts, the lax, if not outright clumsy, security is difficult to believe.
Facebook is not alone. Not to be outdone by the failure of its fellow FAANG company (Facebook, Amazon, Apple, Netflix and Google), Google also confessed to accidentally storing the passwords of a percentage of its G Suite users in plaintext – since 2005.
Plaintext passwords give cybercriminals plenty to go on – they can access user accounts and wreak havoc on digital lives through credit card fraud or identity theft.
“Accidents” like this have major implications for platforms and their users; breaches can go undetected for years, so you never know when an account might have been exposed.
Public figures of all kinds, from Hollywood celebrities to politicians, are in the spotlight almost continually.
For most of them, you don’t need to be a master hacker to discover their password.
Congressman Lance Gooden is a perfect example. Apparently, Congressman Gooden didn’t learn from the mistakes of last year’s worst password offender, Kanye West, who unlocked his iPhone with the passcode “000000” during his infamous White House meeting with President Trump.
In 2019, during the televised testimony from Mark Zuckerberg before the House Financial Services Committee, the Republican representative from Texas was caught on camera using “777777” as his password.
He isn’t the only person in politics over the years to commit passé password offenses, which have many calling into question the basic security understanding of elected or appointed officials.
Rudy Giuliani, who was named cybersecurity adviser in 2017, went to an Apple store for help unlocking his iPhone after he had entered the wrong passcode more than 10 times.
Ellen DeGeneres – and a few other public figures – reminds us: do not use “password” (or any form of the word) as your password!
Never use passwords that are easy to guess or that contain names, proper nouns, or things (like nicknames or pet names) people can easily research about you. All your passwords should be longer than eight characters and include a mix of random letters, numbers, and symbols. Even better, use a password generator to come up with them for you.
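Those rules are easy to turn into code. The following is an added example, not part of the column, that does two things: it generates a password from the operating system's cryptographic random source (Python's secrets module, not the predictable random module) and it checks any password against the column's advice: longer than eight characters, a mix of letters, digits and symbols, no single repeated character like 000000 or 777777, no form of the word "password", and none of the researchable personal terms the caller supplies. The short BANNED_WORDS list and the personal_terms parameter are constructed for the example; a real check would consult a breached-password corpus.

```python
import math
import secrets
import string

# Character classes the column says a password should mix.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed deny-list of the patterns the column calls out. A production
# check would consult a breached-password corpus instead of a short tuple.
BANNED_WORDS = ("password", "passw0rd", "qwerty", "letmein")


def entropy_bits(pw: str) -> float:
    """Entropy of a password drawn uniformly from the character classes it uses.

    This is an upper bound: a human-chosen password ("Fluffy2019!") has far
    less, because its characters are not independent random picks.
    """
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # the 32 printable ASCII symbols
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw: str, personal_terms=()) -> dict:
    """Apply the column's rules; return the failures and an entropy estimate.

    personal_terms is the caller's list of researchable facts about the user
    (names, pets, nicknames) that must not appear in the password.
    """
    lowered = pw.lower()
    problems = []
    if len(pw) <= 8:
        problems.append("too short: must be longer than eight characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both lower- and upper-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a symbol")
    if len(set(pw)) == 1:
        problems.append("one repeated character, like 000000 or 777777")
    if any(word in lowered for word in BANNED_WORDS):
        problems.append("contains a banned word such as 'password'")
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains a researchable personal term: {term!r}")
    return {"ok": not problems, "problems": problems, "entropy_bits": entropy_bits(pw)}


def generate_password(length: int = 16) -> str:
    """Generate a password with the secrets module (a CSPRNG, unlike random).

    Candidates are re-drawn until they satisfy check_password, so a short
    result cannot come out all-lowercase by chance.
    """
    if length <= 8:
        raise ValueError("the column's floor is more than eight characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if check_password(candidate)["ok"]:
            return candidate


if __name__ == "__main__":
    # Constructed samples: two of the column's bad examples, a pet-name
    # password, and one freshly generated.
    for sample in ("777777", "password1", "Fluffy2019!", generate_password()):
        result = check_password(sample, personal_terms=["Fluffy"])
        verdict = "OK " if result["ok"] else "BAD"
        print(f"{verdict} {sample!r:22} {result['entropy_bits']:5.1f} bits {result['problems']}")
```

The entropy figure is the point of the generator: a six-digit PIN is at most about 20 bits of randomness, while 16 characters drawn from all four classes is over 100 bits, which is why the column's "use a generator" advice beats any hand-crafted scheme.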
Practice good password hygiene
I know that it is a nuisance, but use different passwords for every account: Password reuse is an epidemic. Repeating the same password across your accounts is a lot like using the same key for your house or your car. If someone gets a hold of those keys, they now have access to everything you want to keep safe. Hackers can use passwords from compromised accounts to easily access other accounts. The only protection against this is to have a different password for every account.
Turn on two-factor authentication (2FA): 2FA is a feature that adds an additional “factor” to your normal login procedure to verify your identity. 2FA adds an extra layer of security by verifying your identity using two of three possible identifiers: something you know (your password, PIN number, zip code, etc.)
Get a password manager. Now. A password manager is literally the only way to safely and conveniently manage wildly complicated and unique passwords for an unlimited number of accounts, while providing automatic logins and secure autofill of personal and payment information.
January is a time when many of us take the time to consider, or reconsider, our priorities and actions.
Password security is certainly one of those areas.
Don’t limit password review to January however.
The threat to all of us, from institutions to government agencies to individuals or churches is constant.
I know someone who recently retired from IT for a major government contractor whose office changed their passwords every 45 minutes.
You shouldn’t have to do that, but keep that password, at minimum, a moving target.