In late 2019, Google began warning its users that billions of passwords had been hacked and urged people to begin installing its Password Checkup Extension. In the first month of using this tool, 1.5% of sign-ins were flagged as unsafe. Credentials deemed unsafe are username and password combinations that have been historically compromised through a third-party data breach.
While most people likely change their passwords when notified that their account was part of a breach, many do not change the other accounts they hold with the same username and passwords. According to Google’s Jennifer Pullman, “Hijackers routinely attempt to sign in to sites across the web with every credential exposed by a third-party breach. If you use strong, unique passwords for all your accounts, this risk disappears.”
Although many of us prefer to believe that we are protected and that our IT department, antivirus and malware tools are keeping us safe from all account hacking threats, it is vital that we understand our role in keeping our own accounts safe.
We all have passwords, and likely several of them, but they can be overwhelming to try to recall when needed. In fact, it is almost laughable the number of times many of us have failed the three log-in attempts to a password-protected account only to choose the option to reset the password and be informed that “new password cannot be the same as current password.” How does that even happen?
Our brains are overfilled with information these days, and everything seems to require a password, which just makes the task of remembering the correct password even more challenging. Gone are the days of having family and friends’ phone numbers memorized; instead we just rely on the contacts tool in our phone to keep track of those details for us while we simply look up the person we want to contact by name. Similarly, password management tools will store and recall the password to various accounts by the name of the site and will even allow you to fill or copy the password automatically when visiting the site.
While tools like Google Password Manager are often a good introduction into this world of password centralization, it is generally not the best tool as the security is not as stringent as competing products. In addition to better security measures, many of the competitors also have offline options that allow you to open the app with the master password and view things like passwords, account numbers and other “vaulted” information even without internet access. There are many great options on the market, some paid and some free. Popular programs include Dashlane, KeePassX, 1Password and my personal favorite, LastPass. While all of these are reputable platforms, LastPass gets a lot of praise because the free version meets the needs of many, and it works consistently across multiple operating system platforms.
This techy term simply means that in addition to entering a password, another form of verification is required for successful login. An often-used format is a one-time code or one-time password texted to the cellphone number on file with the account, which must be entered onto the screen within a short time of having successfully entered the password to the account. This can be turned on inside of many different accounts including email, shopping and many other web-based sites. While this may feel like an annoying extra step, it is actually a huge leap in securing your account.
You may be scratching your head and wondering why you would need an extra layer of security if you use a dependable password management tool. Just as there is more than one way to peel a potato, passwords can be compromised using a variety of methods. One of the most prominent approaches is through phishing attempts. These range from incredibly obvious fake accounts to sneaky lookalike accounts that ask you to click on a link to view a document, pay a bill, track a package or similar seemingly harmless tasks. Upon clicking the link, you may be prompted to divulge information or sign in to an account without realizing that you are sending it directly to the “bad guys.” Despite all of the security measures an IT department can implement, these deceitful acts will persist and every day they get more challenging to detect. This is where the power of multi-factor authentication really shines. If I received a phishing email and clicked the link to log in to my “Amazon” account because I believed it was a legitimate email, chances are high that my username and password have now been compromised. However, if I have multi-factor authentication turned on for my Amazon account, the hacker’s power over me has been severely limited, because as soon as they attempt to log in they are required to enter the one-time code that is sent to my cellphone that expires after a brief period of time. The fact that I received a code when I wasn’t trying to sign in alerts me to a potential compromise and allows me to reset my password while keeping my account intact. The same is true with your email account — by including that extra step, your email and contact list remain secure.
The 2017 Verizon Data Breach Investigations Report demonstrated that “90% of incidents and breaches included a phishing element,” which means that most often it is us, the end user, unknowingly handing over the “keys.” While many law firms and reputable websites have preventive efforts in place to reduce account vulnerabilities, remember the wise words of Smokey Bear: “Only you can prevent forest fires.” In this case, “Only you can prevent a phishing expedition.”•
• Deanna Marquez — [email protected] — is a co-owner of the Indianapolis based legal technology company Modern Information Solutions LLC. Areas of service include traditional IT services, software training and litigation support including trial presentation services. Opinions expressed are those of the author.