There is a continuing increase in data breaches at small businesses, and owners need to secure their business and personal accounts from hackers. This personal cyber-security threat is aggravated by the way cybercriminals often use LinkedIn and other social media profiles as a gateway into a company, where they can gain illicit access to megabytes of sensitive data.
A few years back, Mark Zuckerberg learned this lesson the hard way. A reported LinkedIn hack led to the exposure of additional accounts belonging to the Facebook (Meta) CEO. Despite his presumed savvy — he is the world’s #1 social media magnate — Zuckerberg reportedly committed multiple fatal errors, including using an easy-to-crack password (dadada) on multiple accounts.
Elementary no-nos include using common words and reusing the same password for more than one account. But other common mistakes are often made by otherwise knowledgeable users who do not want to memorize lengthy sign-in codes. For example, the NSA, the FBI, and other security agencies have noted that the Russian General Staff Main Intelligence Directorate’s (GRU’s) Main Center for Special Technologies has released malware targeting Americans and other users. So repeating passwords is even more dangerous now that hackers are more sophisticated.
The good news is that securing accounts is not difficult. One simple measure is multi-factor authentication (MFA), which requires at least two independent factors to log into an account. One factor may be a password, and the second could be a one-time passcode sent to the user’s phone. This way, the account will still be safe even if one factor is stolen.
Another solution is to increase the length of the initial password or PIN (Personal Identification Number). 7777 is one of the most common, and therefore most easily guessed, PINs. However, many devices now support PINs longer than four digits, and adding just a few more digits makes a big difference because of the math involved: a four-digit PIN has only 10,000 unique combinations, but a six-digit PIN has 1,000,000.
Some devices support alphanumeric PINs or passwords that make it even harder for hackers. Users can make the process simpler by utilizing words or phrases that are meaningful to them but not generally known to others; therefore, easily cracked combinations like birthdays, anniversaries, personal phone numbers, and street addresses should be avoided.
The Longer, the Better
Like numeric PINs, longer passwords are better. Consider an eight-character password like betashow — an attacker with access to sophisticated software tools could crack this password instantly. But if four characters are added, perhaps making it betashowbest, it would take a hacker about two weeks (maybe less) to guess this 12-character password. However, when adding eight more characters like betashowbestshipping, it will take about 21 centuries for an attacker to crack this 20-letter password. That is a big return for a small effort.
Creative passphrases — longer passwords composed of multiple random words — can also slow down hackers. There are simple ways of making passwords longer, like “swiftest tropical downhill ski,” “walking on oranges,” or “BrieflyMoreDiamond.” Of course, these specific phrases should not be used since they have now appeared in a widely distributed publication. Although passphrases are harder to crack, they do not have to be hard to remember since a user may create pictures in their mind as a reminder, like “blue nose on a purple brick wall.”
Combinations can be created from diverse situations. Like when you have a noisy coworker, that situation could give rise to a passphrase like, “I can hear Bill from across the office!” It is fine to use words or phrases that jog a personal memory, but words that are related to each other, like the passphrase “gentle ocean breeze,” should be avoided because they are guessed easily. Instead, a stronger yet memorable phrase might be “laptop blueberry car.”
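The arithmetic behind the PIN, password-length and passphrase advice above, as an added example that is not part of the original article: it computes the search space and entropy bits for the article's own sample secrets, and contrasts a three-word passphrase judged as words from a known word list against the same string judged as individual letters. The guessing rate (1e10 guesses per second) and the 7776-word list size are assumptions chosen for illustration, so the time estimates will not match the article's figures; what they show is how each added character multiplies the attacker's work.

```python
import math
import string

# Character classes an attacker would assume, inferred from the secret itself.
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
]

# Assumed guessing rate (constructed for illustration): 1e10 guesses/second,
# in the range of a GPU attack on a fast unsalted hash. Real rates vary widely.
GUESSES_PER_SECOND = 1e10


def charset_size(secret: str) -> int:
    """Size of the alphabet an attacker must search, given the classes actually used."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in secret))
    if size == 0:
        raise ValueError("no recognised characters in secret")
    return size


def keyspace(secret: str) -> int:
    """Number of candidates of this length drawn from the inferred alphabet."""
    return charset_size(secret) ** len(secret)


def entropy_bits(secret: str) -> float:
    """Bits of entropy if every position is chosen uniformly from the alphabet."""
    return len(secret) * math.log2(charset_size(secret))


def passphrase_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy when the attacker knows the word list (7776 = a diceware-style list)."""
    return words * math.log2(wordlist_size)


def seconds_to_crack(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected exhaustive-search time: on average half the space is tried."""
    return space / 2 / rate


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, span in (("years", 31_557_600), ("days", 86_400), ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for s in ["7777", "777777", "betashow", "betashowbest", "betashowbestshipping"]:
        print(f"{s:22} keyspace={keyspace(s):.3g} bits={entropy_bits(s):5.1f} ~{human(seconds_to_crack(keyspace(s)))}")
    # "laptop blueberry car": three words from a known list vs. eighteen letters
    print(f"3 words, list known:      {passphrase_bits(3):.1f} bits")
    print(f"same string as 18 letters: {entropy_bits('laptopblueberrycar'):.1f} bits")
```

The gap between the two passphrase figures is why unrelated, less predictable words matter: an attacker who can guess the word list only has to search word combinations, not letters.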
Set Down Some Rules
Creating passwords and passphrases is only part of a solution, since it is also important to know and follow an organization’s policy when creating them. A company, for example, may require a minimum character count, a mix of alphabetic and numeric characters, or special characters. These security requirements may make things a bit more difficult for a user, but they will also make it tougher on hackers.
With all these requirements, some people may fear that they will be unable to remember a unique password for every device: a laptop, desktop, iPad, mobile device, business laptop, and more. But there is a solution: utilizing a password manager — a software application that securely stores and manages online credentials. It sits behind a master password — so there is only one password to remember — and the manager automatically generates new passwords every time the user logs into a device.
A password manager is like a secured vault: once all of the account usernames and passwords are in the vault, the master password is the only one that needs to be committed to memory. Entering this master password unlocks the password vault and from there, the user can retrieve whatever password they need.
The security of developing a password or passphrase will be defeated, however, if a user writes them down. A hiding place may appear to be good, but experience has shown that there is a good chance someone will find the password, master password, or PIN. Similarly, passwords, PINs, and other login information should not be stored on the device itself, even if it is encrypted. And a user who sends their PIN or passwords to themselves through email or text is inviting trouble.
Another best practice is to never share a password or PIN because one can never be certain that someone else will keep their credentials secure. If a user has previously shared their password or PIN, they should change it as soon as possible.
Finally, “shoulder surfing” — when a cyber-thief watches someone enter a password or PIN so they can lift it — is also a big concern. Users should be vigilant and aware of their surroundings before entering passwords, master passwords, passphrases, or PINs.
These and other security measures take time and effort to develop and deploy, but digital data can be worth its weight in gold. With more threats developing every day, it is only reasonable to take more precautions to safeguard this treasure.