Data breaches are inevitable – here’s how to protect yourself anyway

How? The first step is to use a different username and password on each crucial site or service. This can be complicated by sites’ limits on username options – or their dependence on email addresses. Similarly, many sites have requirements on passwords that limit their length or the number or type of characters that they can include. But do your best.

The reason for this is straightforward: When a bunch of usernames and passwords fall into malicious hands, hackers know it’s human nature to repeat usernames and passwords across many sites. So they almost immediately start trying those combinations anywhere they can – like major banks and email services. A chief information security officer we know in the banking industry told us that after the Yahoo breach of a few years ago, banking sites were hit with multiple attempts to log in with credentials stolen from Yahoo.

Use long passwords
There has been a lot of research about what makes a strong password – which has often led to many people using complex passwords like “7hi5!sMyP@s4w0rd.” But more recent research suggests that what matters much more is that passwords are long. That’s what makes them more resistant to an attempt to guess them by trying many different options. Longer passwords don’t have to be harder to remember: They could be easily recalled phrases like “MyFirstCarWasAToyotaCorolla” or “InHighSchoolIWon9Cross-CountryRaces.”

It can be daunting to think about remembering all these different usernames and passwords. Password management software can help – though choose carefully, as more than one of them has been breached. It can be even safer – despite conventional wisdom and decades of security advice – to write them down, so long as you trust everyone who has access to your home.

Use a third line of defense
To add another layer of protection – including against troublesome housemates – many sites (Google, for example) let you turn on what’s called multi-factor authentication. This can be an app on your smartphone that generates a numeric code every 30 seconds or so, or a physical item you plug into your computer’s USB port. While they can afford at least some protection, be wary of sites that send you a text with a code; that method is vulnerable to interception.
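The smartphone app mentioned above works by computing a short code from a shared secret and the current 30-second window. The following is an added illustration, not code from the article or its authors: a minimal TOTP generator and server-side verifier (RFC 4226/6238, HMAC-SHA1), using the RFC's own published test secret rather than a real account key.

```python
import hashlib
import hmac
import struct
import time

# The ASCII test secret from RFC 6238's test vectors. A real authenticator
# app stores a random per-account key that the site shares during enrolment.
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6,
         step: int = STEP_SECONDS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current window."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                digits: int = 6, window: int = 1) -> bool:
    """What the site does on login: accept the current window plus `window`
    neighbours on either side to tolerate phone clock drift, and compare in
    constant time so the check itself leaks nothing about the expected code."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * STEP_SECONDS, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("code for this 30-second window:", code)
    print("verifies:", verify_totp(RFC_TEST_SECRET, code, now))
```

Because the code is derived from a secret that never leaves the phone and the site, a password stolen in a breach is not enough on its own to pass this check.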

With these straightforward steps – and the new mindset of thinking like a target who wants to avoid getting hit – you’ll be far less worried when news breaks of the next breach of some company’s enormous data files. Bad guys may get one of your usernames, and maybe even one of your passwords – so you’ll have to change those. But they won’t have all your credentials for all your online accounts. And if you use multi-factor authentication, the bad guys might not even be able to get into the account whose credentials they just stole.

Focus on what’s most important to protect, and use simple – but effective – methods to protect yourself and your information.

W. David Salisbury is Sherman-Standard Register Professor of Cybersecurity Management and Director, Center for Cybersecurity & Data Intelligence, University of Dayton. Rusty Baldwin is Distinguished Research Professor of Computer Science and Director of Research, Center for Cybersecurity and Data Intelligence, University of Dayton. This article is published courtesy of The Conversation.