Wednesday, October 3, 2012

Cyber Security: Can a password ever be fully secure?

Charles Smith, Invensys Critical Infrastructure & Security Practice consultant, gives tips on how to create strong passwords.



Is your password really secure? As recent news articles have shown, it probably isn’t. Over the last few months alone, LinkedIn, Yahoo, Blizzard Games, and others have been hacked and user passwords (or their hashes) stolen. Last year, Sony’s PlayStation Network was hacked, and not only were passwords captured, but also other personal customer information.

What can be the impact of having your personal information stolen? Many attackers are less interested in the passwords themselves than in the personal information stored alongside them. They use this information to perform a "social engineering" attack, impersonating someone from a company the victim does business with. They come prepared with details they have already stolen to convince the victim that they are legitimate, and then attempt to gather more, such as a credit card number, social security number, or the answer to a "secret question." That is enough to get into private accounts and recover or change passwords, so they can wreak havoc on a person’s online life just as if they had stolen the password in the first place.

What can you do to protect yourself if a vendor does not adequately protect your personal information? There are three things you can do:
  1. Use complex, yet easy-to-remember passwords, as Tom Jackson stated in Issue 8 of the Cyber Advisor (May 2012).
  2. Do not link your online accounts together. Sites such as Yahoo now allow you to sign in using your Facebook username and password. While it may be tempting to link accounts to reduce the number of passwords to remember, if one account gets hacked, then every account linked to it can be hacked too. If you must link accounts, only link accounts that hold nothing sensitive. For example, you might link two social media accounts, as long as neither is linked to your email or to an account with credit card information (like eBay or Amazon).
  3. Use two-factor authentication. Two-factor authentication is where you use "something you know" and "something you have" to log in to your account. If you work for a large company and have VPN access, then you may already be using two-factor authentication if you have a key fob in addition to your network password.
Yahoo now offers the option of having a code sent via text message to your cell phone to access your account. You use this feature by entering your username and password online, and then Yahoo sends a code to your cell phone that must be entered before you can access your account. In this case, even if a hacker has stolen your password, they cannot access your account unless they also get at your phone. Be aware that "getting at your phone" does not always mean stealing it: an attacker can persuade your carrier to move your number to their SIM, or phish the code from you in real time while it is still valid, so never read a code to anyone who calls asking for it. Two-factor authentication isn’t offered by every online service yet, but it is gaining popularity.
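To make the two-step login described above concrete, here is an added example of a minimal server-side implementation. It is not Yahoo's code or anything from the original article; the names (`LoginService`, `step1_password`, `step2_code`), the user "alice", the phone number, and the in-memory `outbox` that stands in for an SMS gateway are all assumptions made for the example. It shows the points a practitioner cares about: the password is stored only as a salted hash, the one-time code comes from a CSPRNG, only its hash is kept server-side, and a code expires, is single-use, and is invalidated after a few wrong guesses so that a six-digit code cannot simply be brute-forced.

```python
import hashlib
import hmac
import os
import secrets
import time

# Added example (not from the original article): a two-step login combining
# "something you know" (a password, stored as a salted PBKDF2 hash) with
# "something you have" (a one-time code delivered to the user's phone).

PBKDF2_ITERATIONS = 100_000     # kept low for the example; use the current OWASP figure in production
CODE_TTL_SECONDS = 300          # a delivered code is only accepted for five minutes
MAX_CODE_ATTEMPTS = 3           # a six-digit code is trivial to brute-force without a cap


def hash_password(password, salt=None):
    """Return (salt, digest); the plaintext password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# Dummy credential checked for unknown usernames so a login attempt takes the same
# time whether or not the account exists (avoids username enumeration by timing).
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("placeholder")


class LoginService:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.users = {}         # username -> {"salt", "digest", "phone"}
        self.pending = {}       # challenge token -> pending second-factor state
        self.outbox = []        # (phone, code) pairs; stands in for the SMS gateway

    def register(self, username, password, phone):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "phone": phone}

    def step1_password(self, username, password):
        """Check the first factor. On success, send a code and return a challenge token."""
        user = self.users.get(username)
        if user is None:
            verify_password(password, _DUMMY_SALT, _DUMMY_DIGEST)
            return None
        if not verify_password(password, user["salt"], user["digest"]):
            return None
        code = f"{secrets.randbelow(10**6):06d}"          # CSPRNG, not random.randint
        token = secrets.token_urlsafe(16)
        self.pending[token] = {
            "username": username,
            "code_hash": hashlib.sha256(code.encode()).digest(),   # store a hash, not the code
            "expires": self.now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.outbox.append((user["phone"], code))          # "send" the text message
        return token

    def step2_code(self, token, code):
        """Check the second factor. Returns True once the user is fully logged in."""
        challenge = self.pending.get(token)
        if challenge is None:
            return False
        if self.now() > challenge["expires"]:
            del self.pending[token]
            return False
        challenge["attempts"] += 1
        ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), challenge["code_hash"])
        if ok or challenge["attempts"] >= MAX_CODE_ATTEMPTS:
            del self.pending[token]    # codes are single-use; too many misses invalidates the code
        return ok


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple", "+1-555-0100")   # constructed sample user
    token = svc.step1_password("alice", "correct horse battery staple")
    phone, code = svc.outbox[-1]
    print(f"sent code to {phone}; second step accepted: {svc.step2_code(token, code)}")
```

The challenge token returned by the first step is what ties the code to that particular login attempt; a real deployment would also rate-limit the first step and log failed second-step attempts, since repeated code failures on a correct password are a strong sign that the password has already leaked.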

If you follow the three key points above, then your information will be much more secure in today’s online world.
