Don't Make Me Repeat The Password Lecture Again
In a world where we're reliant on third-party WiFi, we all need to do a better job of protecting our data. The penalty for not being vigilant is growing every minute.
Executive director, Ed Kaplan Family Institute for Innovation and Tech Entrepreneurship, Illinois Institute of Technology @tullman
Any entrepreneur or road warrior hears some new horror tale about hacks, scams and identity thefts just about every other week. Interestingly enough, these are usually fairly credible, peer-to-peer conversations rather than media scare stories. Most recently, I've heard half a dozen versions of complaints and some serious instances of financial losses based on the porous and insecure nature of hotel and airport WiFi. In fairness, these providers couldn't make it any clearer or disclose the risks more directly on their websites; these are not the usual disclaimers buried in the T&Cs. Unfortunately, we don't really have much in the way of connectivity choices when we're on the road. You can carry your own hotspot or use your phone and run down your battery, but the vast majority of us aren't going to do that. So, the trick is to figure out what you can do, realistically and practically, to protect yourself.
As we're forced to rely more and more on third-party-provided WiFi, and it becomes increasingly ubiquitous, the scale of the security problems and the prospective losses are only going to continue to grow. And honestly, as long as it's not happening to a family member or a relative, we've gotten so accustomed to these commonplace tales of woe (and worse) that we tend to dismiss them as the risks of the road. In addition, I have to admit that we stupidly assume (and often think smugly to ourselves) that the victims must have been lazy, sloppy or careless and that this kind of stuff could never happen to us. Until it does; and then, of course, it's too late.
My humble suggestion is that now's the time to start thinking about how to be smart about the situation before you have to be sorry. My thought is simple: if you can't control the pipes, try to control and protect your passwords. Yes, I know that you've heard this lecture a million times before, and yet most of us are too "busy," too lazy, or too uninformed to actually invest the modest amount of time that it takes to substantially boost the odds in your favor. In this context, I'd say that being too busy is, in fact, just another word for being lazy. There's not much I can do to help anyone unwilling to help themselves. It would take about an hour to follow a few basic steps to improve your password protection, while it can take weeks to repair and try to restore your credit and financial identity if you get hacked. You should take the time to do the math. And, for now, I'm just going to focus on the facts of life these days and then you can decide how to proceed.
First, the guys on the other side are getting smarter, faster and a lot nastier. They're growing in numbers, the hacks are easier to accomplish, and they're better equipped, especially because the tech and capital requirements to take your money are trivial. In addition, ploys and scams are spreading and being shared across markets and even countries at a very rapid rate because of the increased communications and connections across the dark web.
Second, we suckers continue to make it easier and easier for the bad guys to break in. The most frequently used password today is still "123456". Fifth on the list is "111111" and No. 8 is "password." According to a recent survey, most brute-force hacking programs take less than a few seconds to figure out any password of 6 characters or less, and more than 40% of all passwords today are 6 characters or less. Other very popular passwords are equally infantile, including "qwerty" and "123123". And more than half of us use the exact same password on multiple sites, so once the hackers are in, they can move quickly from site to site.
And finally, the middlemen (hosting services, connectivity providers, social platforms, etc.) aren't doing jack to help us help ourselves by requiring us to be smart about our personal security. They don't care if you get ripped off as long as you can always get right back on their service or network with the least possible friction and in the shortest amount of time. Every six months, some of these services make you change your password, but they don't insist upon or enforce even the most basic complexity requirements.
What should you do?
The best and smartest thing to do is to use a password manager/vault, a single location for all your passwords that requires remembering only one password, hopefully one with a minimum of 8 characters that includes a number, a letter, a capital letter and a symbol. There are several players in the space, but Keeper Security (keepersecurity.com) has one of the biggest user bases and is the best for my money because it provides both individual and enterprise-level solutions. More importantly, Keeper Security employs a zero-knowledge approach, which means that the site has no idea what's in your vault and has no ability to get at it. You spend less than an hour and build an Excel spreadsheet with all your stuff (which you probably already have), then it's imported into your Keeper vault, and the next time you visit one of your regular sites, the Keeper system will automatically supply the appropriate sign-in data.
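To put the column's own numbers next to its password rule, here is an added illustration (not code from the column or from Keeper): it checks a candidate against the "8 characters with a number, letter, capital and symbol" rule, flags the weak passwords the column names, and estimates how long an exhaustive search of the candidate's character classes would take. The guess rate of 10 billion per second is an assumed figure for illustration, and "letter" is read as a lowercase letter.

```python
import string

# Assumed guess rate, for illustration only; real rates depend on the hash and hardware.
GUESSES_PER_SECOND = 10**10

# The weak passwords named in the column. A real deny-list would be far longer.
COMMON_PASSWORDS = {"123456", "111111", "password", "qwerty", "123123"}


def charset_size(pw: str) -> int:
    """Size of the union of standard character classes that covers pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += len(string.ascii_lowercase)   # 26
    if any(c.isupper() for c in pw):
        size += len(string.ascii_uppercase)   # 26
    if any(c.isdigit() for c in pw):
        size += len(string.digits)            # 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)       # 32
    return size


def meets_column_policy(pw: str) -> bool:
    """The column's rule: at least 8 characters with a number, a (lowercase)
    letter, a capital letter and a symbol. Assumption: 'letter' means lowercase."""
    return (len(pw) >= 8
            and any(c.isdigit() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c in string.punctuation for c in pw))


def worst_case_seconds(pw: str) -> float:
    """Seconds to exhaust the keyspace of pw's character classes at the assumed rate.
    A password on the deny-list is found by lookup, so its cost is effectively zero."""
    if pw in COMMON_PASSWORDS:
        return 0.0
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND


def assess(pw: str) -> dict:
    """Summary a practitioner can show a user: why a password is weak or acceptable."""
    return {
        "common": pw in COMMON_PASSWORDS,
        "policy_ok": meets_column_policy(pw),
        "worst_case_seconds": worst_case_seconds(pw),
    }
```

Six lowercase letters give a keyspace of 26^6, which the assumed rate exhausts in well under a second, while an 8-character password drawn from all four classes (94^8) takes years at the same rate.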
The next best thing to do is to bite the bullet and adopt two-factor authentication (2FA), which I admit can be a pain in the butt on a plane or if you're not connected somehow, but otherwise it's as easy as pie. This is another simple way to deploy an additional layer of protection, and it just requires that you take an extra minute to enter a security code sent to your phone to confirm that it's actually you trying to get into your site. For sure, this is an essential fix for your primary social media sites, because they are the connectors and links to many other sites where you used Facebook Connect, or something similar for Twitter, to sign into a bunch of third-party sites. Biometric security such as facial recognition and fingerprint readers, which are also 2FA, are becoming more prevalent, too, but that's a subject for a future column.
Right now, a password vault and 2FA are quantum leaps in de-risking your online exposures and a very small price to pay (in terms of time and treasure) to avoid major headaches. And, if you're like everyone else and somewhat intimidated by the length of your password list (or have never heard of Excel), at least work on the top five sites you visit all the time and get those fixed and protected. It's a 99/1 world in terms of anyone's web activity (we go to the same, very few, places almost all of the time), so if you at least pay attention to the most important sites, you've got a fighting chance of dodging a bullet. But the smart money is still on the hackers, and it's not really a question of "if", it's just a question for most of us of "when". I'd rather be safe than sorry.
The opinions expressed here by Inc.com columnists are their own, not those of Inc.com.
PUBLISHED ON: JUN 12, 2018