Are your passwords so easy that a seven year old can figure them out?
In 2012, Dropbox verified that the user information of 68 million Dropbox users was stolen. This information included both usernames and passwords. Though Dropbox was aware of this breach, there was no evidence at the time that any accounts had been accessed with the stolen information. Upon discovering that user information was stolen, Dropbox tried to fix the problem. All users with accounts at the time were urged to change their usernames and passwords. Dropbox also offered a two-factor authentication solution and advised users to avoid reusing passwords across different websites.¹ Unfortunately, many Dropbox customers ignored the warning.
Now, 4 years later, it has been discovered that the usernames and passwords were not only stolen but have also been leaked on the internet.¹ All of this user information is now available to the general public for a small amount of money. If someone’s credentials are purchased and that same password is used on another website, then important personal information is at risk.
In order to combat security problems like this, here are some tips on protecting your online accounts:
- Update passwords: Ideally, passwords should be changed every 6 months. Frequently changing passwords reduces the chances of a brute force attack on your account succeeding. A brute force attack is a trial-and-error process that systematically tries many different combinations of characters until it guesses your password.
- Password strength: It was revealed that the 2012 LinkedIn breach included millions of accounts that contained very easily cracked login credentials. At the top of the list was “123456” (appearing over 1 million times) followed by other equally simple passwords like “linkedin” and “password”.² A random assortment of characters is a lot harder to crack than a simple password or one that contains words in the dictionary. Research has found that a password strength meter can result in longer and stronger passwords.³
- Different passwords: One of the main problems in this breach is the reuse of passwords across multiple websites. The origin of this Dropbox leak was the “result of the reuse of a password a Dropbox employee had previously used on LinkedIn.”⁴ When LinkedIn was breached, hackers used this Dropbox employee’s LinkedIn credentials to gain access to the Dropbox corporate network, where the employee had used the same password.
- Two-Factor Authentication: Two-Factor Authentication is an extra layer of security when logging into an account. Not only do you enter your username and password, you are also sent a text message to a mobile phone or tablet with a PIN. Alternatively, you can choose to have a confirmation email sent to an account of your choice for authentication. Another solution is Google Authenticator, which produces new PINs every minute. Upon opening the app you are given a 6-digit PIN to enter and authenticate your login.
- Backup: For online accounts that contain information that is important to you, we suggest you back up this information. For example, a website that tracks business transactions holds important information about your business and clients. Information like this should at least be locally backed up either to your computer or external hard drive.
Security measures can also be taken on a company-wide scale. When training employees on policies and procedures, password security should be included. Password training should cover how to come up with a strong password. A common practice now used in organizations is the idea of “passphrases”. With passphrases, you come up with a phrase and use the first letter of each word in the phrase to create a password. For example, the phrase “Mary had a little lamb” could become “Mh@ll”. These types of passwords are effective because they do not contain words in the dictionary. They are also a lot easier to remember because you can choose your favorite quote or lyrics.
Password training should include password security. Employees should be advised against using the same passwords across multiple websites and applications. Using the same password for different accounts increases the chances of accounts being hacked: if one account is compromised, all other accounts with that same password are at risk. Password security also includes policies about unsecured passwords. Passwords should never be written down or saved in the “Notes” application on your phone. If necessary, a password manager like LastPass, 1Password, or Zoho is a good solution. These programs are safer because the information is encrypted, and they generate strong passwords. You only need to remember one master password.
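As an added example, not from the original article, this Python snippet turns a phrase into a password the way the passphrase technique above describes, and runs the kind of check a password strength meter performs: a leaked-password list, a dictionary check that undoes common symbol substitutions, and a brute-force entropy estimate. The word lists are constructed stand-ins; a real deployment would load a full breached-password list and dictionary.

```python
import math
import re

# Constructed samples: the article names "123456", "linkedin" and "password" as the most
# common LinkedIn passwords; these short sets stand in for real breach and dictionary lists.
COMMON_PASSWORDS = {"123456", "linkedin", "password", "123456789", "qwerty", "111111"}
DICTIONARY_WORDS = {"mary", "little", "lamb", "dropbox", "password", "summer", "welcome"}

# Undo the usual symbol/digit substitutions ("p@ssw0rd") before the dictionary check.
LEET_TABLE = str.maketrans("@$10!3", "asloie")


def passphrase_initials(phrase: str) -> str:
    """First letter of each word: the passphrase-to-password technique from the article."""
    return "".join(word[0] for word in re.findall(r"[A-Za-z0-9]+", phrase))


def entropy_bits(password: str) -> float:
    """Naive brute-force estimate: length * log2(size of the character pool actually used)."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 32)]
    pool = sum(size for pattern, size in classes if re.search(pattern, password))
    return len(password) * math.log2(pool) if pool else 0.0


def strength_report(password: str) -> dict:
    """Meter-style verdict plus the concrete reasons, the feedback a strength meter shows."""
    issues = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        issues.append("appears in a leaked/common password list")
    normalized = lowered.translate(LEET_TABLE)
    for word in sorted(DICTIONARY_WORDS):
        if len(word) >= 4 and word in normalized:
            issues.append(f"contains dictionary word '{word}'")
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    bits = entropy_bits(password)
    if issues or bits < 40:
        verdict = "weak"
    elif bits < 60:
        verdict = "fair"
    else:
        verdict = "strong"
    return {"verdict": verdict, "entropy_bits": round(bits, 1), "issues": issues}


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd!", passphrase_initials("Mary had a little lamb")]:
        print(candidate, strength_report(candidate))
```

Note that the five-character initials of "Mary had a little lamb" avoid the dictionary but are still short, which is why the meter also reports length.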
Conclusion
Weak passwords are just low hanging fruit in the eyes of hackers. Practicing good password hygiene does not take much work, but it does help protect your accounts. Events like the Dropbox or LinkedIn breach remind us of the importance of our account passwords. Follow the tips above to secure your accounts and protect your information online.