Six Practical Tips For Password Security
By Lacey Shrum
Most people have had their primary email for 10+ years. Think about the value that is in your inbox and the access it provides. Forget your password? Link is emailed. Made a trade in your brokerage account? Confirmation is in your email. What did you buy in May of 2016? It has probably long been trashed, but its receipt ghost lives on in your inbox. Set up a meeting, confirm the location, and postpone at least once? All through email.
Like it or not, your email and your various other usernames and logins are a significant part of your identity and should be protected like the asset they are. Here are some tips for protecting your digital self:
Check It Twice
Use two-factor authentication, through an app like Google Authenticator or a physical security key like a YubiKey, on every site that offers it, especially banks, social media, and email. The second factor is a short code generated by the app or device at the moment you log in and used together with your regular password. With an authenticator app, you enroll once (usually by scanning a QR code that hands the app a secret shared with the site); from then on the app shows a six-digit code that changes every 30 seconds and is derived from that secret and the current time, and the site asks for it alongside your password. A stolen password alone is then not enough to get in. One caveat: a code typed into a convincing fake login page can be relayed to the real site within its 30-second window, so a hardware security key, which only answers the genuine site, protects you better than an app does.
Use authentication by text message wisely. Most sites offer a "text code" option that sends a randomly generated number to your phone, similar to the authenticator code above. Text codes are a weak second factor because they are only as secure as your phone number. Through a SIM swap (convincing your carrier, usually by social engineering, to move your number to a SIM card the attacker controls, which is easier than it should be), an attacker receives your texts, including the login codes, and walks straight through this seemingly "best practice" protection. Prefer Google Authenticator or a hardware security key whenever a site supports them; if text codes are the only option a site offers, still turn them on, since they stop anyone who has only your password.
Store your passwords in a password manager. A manager like LastPass or one of its competitors generates random, strong passwords and stores them encrypted, unlocked by a single master password. I do not use Google to store passwords (even though it asks me often) because I like to keep where I use a password separate from where I keep it. It adds an extra click or two to log in, but Google already knows everything about me; it does not need to know my passwords too. Bonus points if you said, "BUT WAIT, aren't you creating a 'honeypot' of passwords that, if compromised, would be detrimental?" The answer is yes, which is why the master password should be a long passphrase you use nowhere else, with two-factor authentication turned on for the manager itself. Even so, this is significantly safer than the alternatives: writing them down, reusing the same password everywhere, or (the WORST) keeping a spreadsheet titled "passwords."
Use strong, random, and different passwords. When a site is breached, its list of logins and passwords is often sold or posted online. Attackers then take each email-and-password combination, plus simple variations of the password, and try it at many other sites (credential stuffing), betting that the user reused the same or a similar password. Each login should have its own random password that bears no resemblance to any other password tied to that email address; a password manager will generate them for you. Do not use a series of "different" passwords like "CowboysSuperBowl2018," "CowboysSuperBowl2019," and "CowboysSuperBowl2020PLEASE": the guessing tools try exactly those variations.
Never, ever, ever plug your phone into a cable or USB device that is not yours. That means not the convenient cable in the Uber, not the charging station at the airport, and not the friendly-looking kiosk. A USB cable carries data as well as power, and a malicious charger can try to exchange data with your phone without you noticing. Carry your own cable and your own wall adapter, and if your phone asks whether to trust, or allow data access to, whatever you just plugged into, the answer is no.
Special Purpose Address
Use a separate email address for your most sensitive logins: your bank, brokerage account, government accounts, and the like. Give that address to no one else, keep it locked down, and make sure two-factor authentication is enabled on it.