Tuesday, June 12, 2018

New INC Magazine Blog Post by Kaplan Institute Exec Director Howard Tullman

Don't Make Me Repeat The Password Lecture Again

In a world where we're reliant on third party WiFi, we all need to do a better job at protecting our data. The penalty for not being vigilant is growing every minute.

Executive director, Ed Kaplan Family Institute for Innovation and Tech Entrepreneurship, Illinois Institute of Technology @tullman
Any entrepreneur or road warrior hears some new horror tale about hacks, scams and identity thefts just about every other week. Interestingly enough, these are usually fairly credible, peer-to-peer conversations rather than media scare stories. Most recently, I've heard half a dozen versions of complaints and some serious instances of financial losses based on the porous and insecure nature of hotel and airport WiFi. In fairness, these providers couldn't make it any clearer or disclose the risks more directly on their websites: these are not the usual disclaimers buried in the T&Cs. Unfortunately, we don't really have much in the way of connectivity choices when we're on the road. You can carry your own hotspot or use your phone and run down your battery, but the vast majority of us aren't gonna do that. So, the trick is to figure out what you can do, realistically and practically, to protect yourself.

As we're forced to rely more and more on third-party-provided WiFi, and it becomes increasingly ubiquitous, the scale of the security problems and the prospective losses are only going to continue to grow. And honestly, as long as it's not happening to a family member or a relative, we've gotten so accustomed to these commonplace tales of woe (and worse) that we tend to dismiss them as the risks of the road. In addition, I have to admit that we stupidly assume (and often think smugly to ourselves) that the victims must have been lazy, sloppy or careless and that this kind of stuff could never happen to us. Until it does; and then, of course, it's too late.

My humble suggestion is that now's the time to start thinking about how to be smart about the situation before you have to be sorry. My thought is simple: if you can't control the pipes, try to control and protect your passwords. Yes, I know that you've heard this lecture a million times before and yet most of us are too "busy," too lazy, or too uninformed to actually invest the modest amount of time that it takes to substantially boost the odds in your favor. In this context, I'd say that being too busy is, in fact, just another word for being lazy. There's not much I can do to help anyone unwilling to help themselves.

It would take about an hour to follow a few basic steps to improve your password protection, while it can take weeks to repair and try to restore your credit and financial identity if you get hacked. You should take the time to do the math. And, for now, I'm just going to focus on the facts of life these days and then you can decide how to proceed.

First, the guys on the other side are getting smarter, faster and a lot nastier. They're growing in numbers, the hacks are easier to accomplish, and they're better equipped, especially because the tech and capital requirements to take your money are trivial. In addition, ploys and scams are spreading and being shared across markets and even countries at a very rapid rate because of the increased communications and connections across the dark web.

Second, we suckers continue to make it easier and easier for the bad guys to break in. The most frequently used password today is still "123456". Fifth on the list is "111111" and No. 8 is "password." According to a recent survey, it takes most brute-force hacking programs less than a few seconds to figure out any password of 6 characters or fewer, and more than 40% of all passwords today are 6 characters or fewer. Other very popular passwords are equally infantile, including "qwerty" and "123123". And more than half of us use the exact same password on multiple sites, so once the hackers are in, they can move quickly from site to site.

And finally, the middlemen (hosting services, connectivity providers, social platforms, etc.) aren't doing jack to help us help ourselves by requiring us to be smart about our personal security. They don't care if you get ripped off as long as you can always get right back on their service or network with the least possible friction and in the shortest amount of time. Every six months, some of these services make you change your password, but they don't insist upon or enforce even the most basic complexity requirements.
What should you do?
The best and smartest thing to do is to use a password manager/vault, a single location for all your passwords that requires remembering only one password, hopefully one with a minimum of 8 characters that includes a number, a letter, a capital letter and a symbol. There are several players in the space, but Keeper Security (keepersecurity.com) has one of the biggest user bases and is the best for my money because it provides both individual and enterprise-level solutions. More importantly, Keeper Security employs a zero-knowledge approach, which means that the site has no idea what's in your vault or any ability to get at it. You spend less than an hour and build an Excel spreadsheet with all your stuff (which you probably already have), then it's imported into your Keeper vault, and the next time you visit one of your regular sites, the Keeper system will automatically supply the appropriate sign-in data.
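The two points above (the weak, short, reused passwords in the "facts of life" list and the minimum-complexity rule suggested for the one master password) can be turned into a small checker. This is an added example written for this page; it is not code from the column or from Keeper Security. The common-password set is constructed from the five passwords the column names, the guess rate of ten billion per second is an assumed figure used only to illustrate the keyspace arithmetic, and the sample vault is constructed.

```python
import string
from typing import Dict, List

# Constructed from the weak passwords named in the column. A real policy check
# would consult a much larger breached-password list, not five entries.
COMMON_PASSWORDS = {"123456", "111111", "password", "qwerty", "123123"}

MIN_LENGTH = 8  # the column's suggested minimum for the master password

# Assumed offline guess rate, used only to show why 6 characters is not enough.
ASSUMED_GUESSES_PER_SECOND = 1e10


def check_password(pw: str) -> List[str]:
    """Return the policy rules the password fails; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover to enumerate passwords like this one."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    size = 0
    for alphabet, width in classes:
        if any(c in alphabet for c in pw):
            size += width
    # Characters outside the four classes (spaces, non-ASCII) are counted individually.
    size += len({c for c in pw if not any(c in a for a, _ in classes)})
    return size


def seconds_to_exhaust(pw: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this length over this alphabet."""
    return charset_size(pw) ** len(pw) / rate


def find_reused(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password used on more than one site to the sites that share it."""
    by_password: Dict[str, List[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample vault, the kind of list the column says to build first.
    sample_vault = {
        "bank": "Correct-Horse7",
        "email": "Correct-Horse7",
        "forum": "qwerty",
        "airline": "abc123",
    }
    for site, pw in sample_vault.items():
        print(f"{site:8} {pw!r:18} fails: {check_password(pw) or 'none'}; "
              f"exhausted in {seconds_to_exhaust(pw):.3g} s at the assumed rate")
    print("reused:", find_reused(sample_vault))
```

The keyspace estimate is a rough upper bound on an offline attacker's effort and is there to make the column's "six characters falls in seconds" point concrete: a six-character lowercase-plus-digit password spans 36^6 values, which is under a second at the assumed rate, while an eight-character password drawn from all four classes spans 94^8 values, about a week at the same rate, and every added character multiplies that. The `find_reused` check is the one most worth running over an exported vault, since a password shared across sites is what lets an attacker "move quickly from site to site" after one breach.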

The next best thing to do is to bite the bullet and adopt two-factor authentication (2FA), which I admit can be a pain in the butt on a plane or if you're not connected somehow, but otherwise it's as easy as pie. This is another simple way to deploy an additional layer of protection and just requires that you take an extra minute to enter a security code sent to your phone to confirm that it's actually you trying to get into your site. For sure, this is an essential fix for your primary social media sites because they are the connectors and links to many other sites, wherever you used Facebook Connect or the similar Twitter login to sign into a bunch of third-party sites. Biometric security such as facial recognition and fingerprint readers, which also count as 2FA, is becoming more prevalent, too, but that's a subject for a future column.

Right now, a password vault and 2FA are quantum leaps in de-risking your online exposures and a very small price to pay (in terms of time and treasure) to avoid major headaches. And, if you're like everyone else and somewhat intimidated by the length of your password list (or never heard of Excel), at least work on the top five sites you visit all the time and get those fixed and protected. It's a 99/1 world in terms of anyone's web activity (we go to the same, very few, places almost all of the time), so if you at least pay attention to the most important sites, you've got a fighting chance of dodging a bullet. But the smart money is still on the hackers, and it's not really a question of "if", it's just a question for most of us of "when". I'd rather be safe than sorry.
The opinions expressed here by Inc.com columnists are their own, not those of Inc.com.

PUBLISHED ON: JUN 12, 2018