Every day, along with each new data breach, another barrage of emails warns you to change your password, batten down the hatches, and deal with online security. We recommend that you abandon the notion that the password is a panacea. Earlier this month, Twitter disclosed that a bug had written its users' passwords, unmasked, to an internal log before they were hashed, and asked every user to change their password as a precaution. This incident had nothing to do with hackers: Twitter exposed its own users' passwords by accident, and by its own account the cause was a logging bug that recorded them before the hashing step. Here at MI:33, this event made one thing clear. The password can no longer be the only layer of protection between the good guys and the bad guys. Passwords can only be one of several layers, as laid out below:
Create a different password for every website. No exception! This may sound like a massive undertaking, but it isn't. We at MI:33 use a tool called LastPass, which is free for personal use and inexpensive for businesses. LastPass and other password managers like it generate and store a different random password for every website you visit and fill it in automatically when prompted, so the only password you still have to remember is the one that unlocks the vault. Use only a password manager that encrypts the vault on your own device, with a key derived from your master password by a deliberately slow key-derivation function, so that the vendor never holds your passwords or the key in usable form and a stolen vault file still has to be cracked offline.
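What "a different secure password for every website" means in practice, as an added example (this is not MI:33's code and not LastPass's implementation; it uses only the Python standard library and a constructed list of site names): passwords are drawn from the operating system's cryptographic random source, their strength is stated as entropy in bits, and a small check reports any password that has been reused across sites.

```python
import math
import secrets
import string

# Alphabet for generated passwords: letters, digits and punctuation that most
# web forms accept. A larger alphabet means more entropy per character.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random password from the OS CSPRNG (secrets).

    Never use random.random() for this: its output is predictable from a few
    observed values.
    """
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(password: str, alphabet: str = ALPHABET) -> float:
    """Entropy of a password drawn uniformly from `alphabet`: len * log2(|alphabet|).

    This is the search space an offline cracker faces for a generated password;
    it is not a 'strength meter' for human-chosen passwords.
    """
    return len(password) * math.log2(len(alphabet))


def unique_passwords(sites: list[str], length: int = 20) -> dict[str, str]:
    """One fresh random password per site, so a breach at one site cannot be
    replayed against the others (credential stuffing)."""
    return {site: generate_password(length) for site in sites}


def reused(entries: dict[str, str]) -> set[str]:
    """Return the passwords that appear under more than one site."""
    counts: dict[str, int] = {}
    for password in entries.values():
        counts[password] = counts.get(password, 0) + 1
    return {password for password, n in counts.items() if n > 1}


if __name__ == "__main__":
    # Constructed sample: three hypothetical sites, each gets its own password.
    vault = unique_passwords(["mail.example", "bank.example", "shop.example"])
    for site, password in vault.items():
        print(f"{site:14} {password}  ({entropy_bits(password):.1f} bits)")
    print("reused:", reused(vault) or "none")
```

The entropy figure is what a password manager can promise and a human memory cannot: twenty characters from this 75-symbol alphabet is about 125 bits, far beyond any offline guessing budget, and because every site gets its own value, `reused()` should always come back empty on a vault export.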
Hardware Security Key
Protect the password manager itself with a physical key that has to be present whenever the vault is opened. For example, each of us at MI:33 has registered a Yubikey with our LastPass account, which means every MI:33 employee needs their Yubikey (which is attached to their keychain) present to access their passwords. The nice thing about this feature is that the key also works on a third-party computer when the user is away from home or from their own device, while the vault stays closed to anyone who has the master password but not the key.
Multi-Factor Authentication (MFA)
At least two factors is a must. This feature is available in most online tools, including email providers and social media accounts. When enabled, two-factor authentication forces anyone logging in to supply a second code in addition to the password. That code comes from something you physically possess: an authenticator app on your phone, a text message, or a hardware key like the Yubikey above. An attacker who has your user name and password therefore still needs your device. Where the service offers it, prefer an authenticator app or hardware key over text-message codes: a phone number can be taken over by a SIM swap, whereas the app's code is computed on your device and never travels to you over the phone network.
Variable User Names
You have an advantage when your email address does not double as your user name. If you already use LastPass, you won't need to remember multiple user names either, since the manager stores them alongside the passwords. Our website and router are attacked daily. Every attempt guesses a password, but every attempt also has to guess the user name. Whatever your device or internet service, create an administrator account with an unpredictable user name, then delete (or at least disable) the default admin account. On our computer networks we go a step further and use code names for machines, so an intruder who finds their way into the network cannot easily tell whose terminal they have reached. For example, we used the seven dwarfs: each employee knew their terminal's name, but an intruder had no idea. This is obscurity rather than a real control, so it supplements the layers above instead of replacing them, but why make it easy for the bad guys?