Taking note of the recent alleged Spotify hack and associated compromised Spotify accounts, I checked out the customer data that the fraudsters had posted to Pastebin. The dump included usernames/email addresses and passwords. What was evident at a glance was that many of the passwords were exceedingly weak: dictionary words, dates, the cat’s name, numbers in sequence—all the things that make a bad password.
These Spotify customers are now wide open to having not just their Spotify accounts hacked, but also their bank accounts, PayPal accounts, Facebook pages, Gmail accounts and any other websites where they used similar login credentials. As this darkly humorous cartoon illustrates, reusing weak passwords across different websites is a recipe for disaster.
If you reuse passwords and you’re a victim of a password leak at any point (and they happen every day), hackers then have a username/password combo that they can try on other websites. So a leak on one site can leave you vulnerable across the board. If someone gains access to your email account, for example, they can use password-reset links to get new passwords for your bank account or PayPal account, lock you out and have a field day.
The best way to minimize the collateral damage from password leaks is to use long, unpredictable, unique passwords on every website you access. But with so many accounts to keep track of, how is that possible? Writing passwords on sticky notes stuffed in your laptop case isn’t a very elegant or secure approach.
The solution is simple: get a password manager. These affordable (or free) and easy-to-use programs work across all your devices. They generate secure, random passwords and then keep track of them for you automatically. They can also keep track of credit card information, store software license data, help you organize secure notes and so on.
When you log into a website with your password manager, all you have to remember is the master password that unlocks the password manager. Once you’re logged into your password manager, it auto-fills the appropriate login data for whatever websites you visit.
Why not just use the auto-login features that are integrated into popular web browsers like Internet Explorer, Safari, and Chrome? They’re better than nothing, but they’re not very secure. They’re stored on your computer and, in many cases, can be accessed easily by anyone who can unlock your computer. For example, if you use Chrome you can view your saved passwords just by navigating to chrome://settings/passwords.
A dedicated password manager encrypts your passwords, helps you generate crazy-strong, random passwords, and is easy to synchronize across all your computers and devices. The software can even flag your weak and duplicate passwords, making it easy to change them.
The choice of applications, features and price points for both individuals and businesses is huge. There’s no time like now to implement this critical security control.
To talk about how a company-wide password management solution can reduce your InfoSec risk, and how it can integrate with other key security controls, contact Pivot Point Security.