A billion stolen passwords sounds like a lot, but it’s no cause for alarm. After all, you knew passwords weren’t keeping your money or information safe, right? Back in 2005, nearly 10 years ago, the FFIEC (the council of U.S. banking regulators) said passwords alone were inadequate protection for financial institutions.
What does the Hold Security billion-password story mean for you? One thing it does NOT mean: that you should go to Hold, or any other service, and sign up for an identity protection product. That isn’t necessary. If you have been practicing standard password hygiene, changing your critical passwords with some regularity and using them together with a second authentication factor, there is very little to worry about. So don’t register to see whether your password is on their list. Just change your password if you’re nervous.
How do I know the risk is low? According to the New York Times, the hackers who amassed this pile of data are using it largely to send out spam. If it were easy to steal money with the data, you can bet the criminals would be doing that instead. Spam is hard work.
It’s easy to believe a crime ring has amassed a billion passwords. After all, in one incident two years ago, LinkedIn leaked more than 6 million passwords online. With roughly 20 years of websites forcing users to create passwords now, and 20 years of security gaffes, a billion doesn’t sound like a lot to me.
It’s important to note that login procedures are only one way that consumers are protected when they bank online, and not even the most important way. Back-end systems employed by financial institutions catch unusual transactions, such as the sudden urge to move $10,000 to a bank in Romania. This layer of tools is far more effective at stumping the bad guys.
Still, this latest reminder that passwords aren’t a great way to keep your stuff safe is a good opportunity to review your personal security habits and make sensible adjustments. Here are a few suggestions:
* Change your passwords. It’d be great to do it once every 60 days or so, but you probably won’t. How about every daylight saving time change, when you check your smoke detector batteries?
* Pick harder passwords. Easy to remember but hard to guess? Yeah, right. Well, security pros use a trick: the passphrase-derived password. Pick a sentence and use the first letter of every word. For example, “I was born on Nov. 30” becomes IwboN30. (I wasn’t, btw.) If you want to be really clever, swap in a special character or two, like !wboN30. (For more on this technique, visit Bruce Schneier’s site.)
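Here is the first-letter trick written out as a small script, so you can see exactly what it does with punctuation and numbers. This is an added example, not code from the original post or from Bruce Schneier’s site. The rules (digit-only words are kept whole, trailing punctuation like the period in “Nov.” is dropped, and the symbol-substitution table) are my own choices, and the bit count is only the brute-force keyspace bound for a string of that length and character mix, not a measure of how guessable the underlying sentence is.

```python
"""Derive a mnemonic password from a memorable sentence (added example)."""
import math

# Assumed substitution table for the optional "add a special character" step.
# Only the letters listed here are swapped; everything else is left alone.
SUBSTITUTIONS = {"I": "!", "a": "@", "s": "$"}

# Punctuation that is stripped from the ends of each word before taking its first letter.
_TRAILING = ".,;:!?\"'()"


def passphrase_to_password(sentence: str, substitute: bool = False) -> str:
    """First character of every word; all-digit words (like a date) are kept whole."""
    parts = []
    for token in sentence.split():
        token = token.strip(_TRAILING)   # "Nov." -> "Nov"
        if not token:
            continue                     # a lone punctuation mark contributes nothing
        parts.append(token if token.isdigit() else token[0])
    password = "".join(parts)
    if substitute:
        password = "".join(SUBSTITUTIONS.get(ch, ch) for ch in password)
    return password


def alphabet_size(password: str) -> int:
    """Size of the smallest 'standard' alphabet that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33   # printable ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace an attacker must search if they know only length and alphabet.
    This is an upper bound; a password derived from a well-known quote is far weaker."""
    return len(password) * math.log2(alphabet_size(password))


if __name__ == "__main__":
    for sentence in ["I was born on Nov. 30", "My first car was a rusty 1987 Civic!"]:
        plain = passphrase_to_password(sentence)
        fancy = passphrase_to_password(sentence, substitute=True)
        print(f"{sentence!r} -> {plain} / {fancy}  (~{brute_force_bits(fancy):.1f} bits)")
```

Run it and the post’s own sentence comes out as IwboN30, or !wboN30 with substitution turned on. Note that swapping I for ! raises the brute-force bound because it widens the alphabet, but it does nothing against an attacker who already guesses the sentence, so the sentence itself should be something only you know.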
* Pick different passwords. I know you probably use the same passwords at various websites; you’d go insane if you didn’t. But at least use different passwords for critical sites, like your brokerage website. And think carefully about what a critical site is. Do you use Amazon’s one-click purchasing? That might as well be a bank website.
* Don’t rely on passwords. Many websites will ask you some kind of “Is this a trusted computer?” question when you log in. Say yes, and you get to skip an authentication step. At my bank, it would let me skip those KBA (knowledge-based authentication) questions, like “What was your first pet’s name?” I always say no. I force the bank to use that extra layer every time. It’s another hurdle that just might make a hacker groan and move on to the next potential victim.
While we’re on KBA, think long and hard about the questions you pick. Do you post about your pets on Facebook? Then never use the pet question at a website.
* Beyond the password. Back in 2005, when the FFIEC said passwords weren’t good enough, it directed banks to implement “two-factor” security. In short, that means users were supposed to be required to use something more than a mere password to log in. In theory, it meant banks were going to add hard security measures such as electronic tokens that generate one-time login codes for all users. In practice, it has meant far less than that. Some banks merely added those little goofy pictures meant to stop phishing.
Today, your bank might give you some two-factor options, such as requiring you to respond with a code that’s been texted to your cell phone. That’s known as “out of band” authentication, because the code travels over a separate channel: even a hacker who has completely hijacked your computer would also have to get at your phone (or take over your phone number) to read it. Always take the two-factor option when you can, and better yet, take the out-of-band option when you can.
As a quick reminder, the authentication options widely available today involve: a) something a user knows, such as a password; b) something a user has, such as a debit card or a phone; and c) something a user is, such as a fingerprint. Two-factor authentication means two of those three kinds are employed. A password plus a KBA question is still two things you know, so it is one factor, not two.
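To make the “something you have” factor concrete, here is how the one-time codes from a hardware token or authenticator app are actually produced and checked, with a login routine that requires both the password and the code. This is an added example, not code from the original post or from any bank: it implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, and the shared secret, the 30-second time step, the one-step drift window, the PBKDF2 parameters and the sample user are all choices made for the example.

```python
"""One-time login codes (HOTP/TOTP) and a two-factor login check (added example)."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, unix_time // step, digits)


def match_totp_counter(secret: bytes, submitted: str, unix_time: int,
                       step: int = 30, digits: int = 6, window: int = 1):
    """Server side: return the counter the code matches, or None.
    Accepts `window` steps either side of now to tolerate clock drift. Every
    candidate is checked (no early exit) and compared in constant time."""
    now = unix_time // step
    matched = None
    for delta in range(-window, window + 1):
        candidate = now + delta
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            matched = candidate
    return matched


def password_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked database can't be cracked quickly (parameters assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(password: str, totp_secret: bytes, salt: bytes = b"example-salt") -> dict:
    """Constructed user record for the example; not real data."""
    return {
        "salt": salt,
        "password_hash": password_hash(password, salt),
        "totp_secret": totp_secret,
        "last_counter": -1,   # highest OTP counter already accepted, to block replay
    }


def login(user: dict, password: str, code: str, unix_time: int,
          step: int = 30, window: int = 1) -> bool:
    """Both factors must pass. A stolen password alone fails; a reused code also fails."""
    if not hmac.compare_digest(password_hash(password, user["salt"]), user["password_hash"]):
        return False
    matched = match_totp_counter(user["totp_secret"], code, unix_time, step, window=window)
    if matched is None or matched <= user["last_counter"]:
        return False                      # wrong code, or a code that was already used
    user["last_counter"] = matched
    return True


if __name__ == "__main__":
    secret = b"12345678901234567890"     # the RFC 4226/6238 test-vector secret
    user = make_user("correct horse", secret)
    t = 59                                # seconds since the epoch; counter 59 // 30 = 1
    print("token shows:", totp(secret, t))
    print("password only, bad code:", login(user, "correct horse", "000000", t))
    print("stolen password, no token:", login(user, "correct horse", "", t))
    print("both factors:", login(user, "correct horse", totp(secret, t), t))
    print("same code replayed:", login(user, "correct horse", totp(secret, t), t))
```

The secret above is the published test-vector key from the RFCs, so the codes it prints can be checked against the tables in those documents. The replay check (`last_counter`) and the constant-time comparison are the two details real implementations most often omit; without them a phished code can be reused within its 30-second window, and the comparison can leak how many digits matched.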
And most of all: don’t panic! And when you hear about a big computer hack, always think about which company stands to profit from news of the hack.