In the first six months of 2014, there have been 404 reported data security breaches causing more than 11 million personal records to be exposed by organizations. This is a 20 percent increase over the same time period in 2013! Are you at risk? Take a moment to answer these questions:
- Do you carry your Social Security card in your wallet or purse?
- Do you have your Social Security Number printed on your personal checks?
- Do you ever leave mail for pickup in an unlocked location at home or at work?
- Do you own a cross-cut shredder and use it regularly?
- Have you ordered a copy of your free annual credit report during the last year?
The correct answers to these questions are “yes” for numbers 1–3 and “no” for 4 and 5. If you didn’t score 100 percent, we recommend you take a look at our new white paper, Protecting Your Personal Identity in a Digital World.
By now, most U.S. businesses have heard about the breach of 1.2 billion credentials by a Russian computer crime gang dubbed CyberVor. In the time since the original New York Times report, the accuracy and severity of this alleged crime have been called into question.
Industry best-practices for password security can mitigate the risk of being affected by computer crimes, but not all businesses and individuals follow these guidelines. Instead of trying to determine the actual impact on your business, let’s start with a simple assumption: Somewhere, somehow, your passwords have been compromised. What to do?
First, change your passwords for all your online accounts. This is a commonly neglected practice, leading to increased impact in the event of a breach. The longer a password is unchanged, the wider the window for an attacker who’s stolen that password. All passwords should be changed on a regular basis, and each password should be different enough to prevent guessing attacks.
Second, select your new password carefully. End users of technology are used to being told that their passwords must be complex, but it’s easier to create a long password by using phrases instead of just words. Such a password could be a full sentence that means something to the user, with numbers and symbols appended to the end. Alternatively, a user can just use the first letter of each word from a memorized phrase. The password should be long. This matters because in many high-profile breaches, what leaks is not the plain-text password itself but rather a mathematical representation of it called a “hash.” Malicious hackers guess candidate passwords, hash each guess, and compare the result to the stolen hash to see if they match. By choosing a very long passphrase instead of an ordinary password, this recovery process becomes much more time-consuming for the bad guys. In fact, by the time the password is recovered, the diligent user will have changed the password already!
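The two passphrase techniques above, and the reason length matters when only a hash leaks, can be seen in a short script. The following is an added example written for this post, not code from the original article or from any vendor product. It builds a password from the first letter of each word of a memorized phrase, builds one from a full sentence with a suffix appended, estimates the attacker's search space in bits (a rough character-class estimate, an assumption of the example rather than a formal entropy measure), and runs a defender-side audit that checks whether a stored salted hash matches any entry in a small, constructed list of common passwords. The salt, the iteration count and the common-password list are all constructed values for the demonstration.

```python
import hashlib
import hmac
import math
import string
from typing import Optional

# Constructed list of commonly chosen passwords (illustrative, not a real breach list).
COMMON_PASSWORDS = ["123456", "password", "Password1", "qwerty", "letmein"]

# Constructed salt for the demonstration; real systems draw a fresh random salt per account.
DEMO_SALT = b"demo-salt-0001"
PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


def acronym_password(phrase: str) -> str:
    """Build a password from the first letter of each word of a memorised phrase."""
    return "".join(word[0] for word in phrase.split())


def sentence_password(sentence: str, suffix: str) -> str:
    """Use a full sentence with numbers/symbols appended, as the article suggests."""
    return sentence + suffix


def guess_space_bits(password: str) -> float:
    """Rough upper bound on the attacker's search space, in bits.

    Sums the sizes of the character classes the password actually uses and
    multiplies by length. This is an assumption of the example: it does not
    model dictionary structure, so real guessability can be lower.
    """
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    ]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def hash_password(password: str, salt: bytes = DEMO_SALT) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the kind of 'hash' that leaks in a breach."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def weak_password_audit(stored_hash: bytes, salt: bytes = DEMO_SALT) -> Optional[str]:
    """Defender-side check: does a stored hash equal one of the common passwords?

    Returns the matching common password, or None if the hash resists the list.
    """
    for candidate in COMMON_PASSWORDS:
        if hmac.compare_digest(hash_password(candidate, salt), stored_hash):
            return candidate
    return None


if __name__ == "__main__":
    short = "Password1"
    phrase = "my dog Rex loves chasing squirrels in autumn"   # constructed memorised phrase
    acronym = acronym_password(phrase)                        # -> "mdRlcsia"
    sentence = sentence_password(phrase, " 2014!")
    for label, pw in [("short", short), ("acronym", acronym), ("sentence", sentence)]:
        hit = weak_password_audit(hash_password(pw))
        verdict = f"FOUND in common list: {hit}" if hit else "not in common list"
        print(f"{label:8} len={len(pw):2} ~{guess_space_bits(pw):5.1f} bits  {verdict}")
```

Run as a script, it prints one line per password: the nine-character complex password is found by the audit because it sits in the common list, while the sentence-based passphrase is not, and its estimated search space is several times larger. The audit deliberately uses `hmac.compare_digest` so that comparing stored hashes does not leak timing information, and PBKDF2 rather than a bare SHA-256 so the cost per guess is realistic for a password store.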
News of computer security breaches causes alarm and renders users unsure of the next step. However, diligent users will assume their passwords are going to be breached eventually and act accordingly. Such password “dumps” are static in time and often require cracking effort by the attackers. By changing passwords regularly and using difficult-to-crack passphrases, businesses and individuals alike can mitigate the most common and damaging risks in today’s e-commerce environment.