There's a day for everything. We have National Doughnut Day, Star Wars Day, International Talk Like a Pirate Day, and now Data Privacy Day. Most of those are self-explanatory, but what's Data Privacy Day?
According to Wikipedia, "Data Privacy Day (known in Europe as Data Protection Day) is an international holiday that occurs every 28th of January. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices." Today we are going to discuss one best practice that can benefit everyone's privacy, not just today, but every day.
Let’s talk passwords
We all know about passwords. We have lots of them and they're a pain. They're a pain when we must update them, and a pain when we must create a new one. In security, passwords are something you know which will allow you access to a system such as a computer or a website. Every time we want to access something new, we need to create a new password. It's easy to think "Well, I have a pretty good password that I use for everything, and it has a few capital letters and a number, and no one's going to guess it so I'm good."
Odds are, your password may indeed be hard to guess, but attackers on the internet don't always have to guess. They have automated programs that can do it for them. With computing power being so cheap and easy to obtain, "brute-forcing" or cracking a password gets faster every day. It's even faster when a data breach occurs, and user information is leaked onto the internet for all to see. But there's good news. We can slow attackers down and protect our personal information from prying eyes. Let's talk about one way we can accomplish this.
Be sure not to reuse passwords
When you sign up for just about any new service, it asks for your email address and a password. This is always where I get stuck, having to think of a brand-new password. The easiest thing to do is just reuse that password we made up last year that we use for everything and get moving. Easy, yes, but not good for privacy. Why? Because we tend to use one or two email addresses to log in to many websites.
Data breaches do happen, and when they do, you usually hear about them in the news. In some cases, though, a breach might not be known about for several years, which means user information might be available out in the wild for a long time before anyone knows about it. Tumblr, Yahoo, LinkedIn, and Dropbox have all had user information stolen, including usernames, email addresses and passwords. When you hear about a data breach, it usually doesn’t take long to log in, update your password and secure that account. But if you happen to use that same email address and password combination for multiple services, you can have major issues.
If someone knows what email address and password you use for Netflix, they can and will try that same email address and password on several other services like Dropbox or Facebook until they find a match. If they do, your personal information is no longer private. An even worse case occurs if an attacker gains access to your credit card or online banking.
To help stay more secure, it's best to use a different password for each service you use. This means if one password is compromised, it cannot be used to log in to another service, since the passwords would be different for each service. Be sure your passwords differ greatly from one another to ensure maximum security. Great, but I have so many services. HBO GO, Netflix, Facebook, Dropbox, PayPal, Amazon, the list goes on and on. How am I supposed to remember 50 passwords? The good news is, you don’t have to.
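To see how much reuse you already have, the following added example (not part of the original article) audits a password export for identical passwords and for passwords that differ only slightly. The CSV column names, the sample rows and the 0.8 similarity threshold are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample export. Real exports use varying column names,
# so adjust "name" and "password" to match yours.
SAMPLE_EXPORT = """name,username,password
Netflix,me@example.com,Sunshine2019!
Dropbox,me@example.com,Sunshine2019!
Facebook,me@example.com,Sunshine2020!
PayPal,me@example.com,t7#Qm-vR2x!pLw9z
Amazon,other@example.com,correct-horse-battery
"""

def audit_reuse(export_text, near_threshold=0.8):
    """Return (reused, near): groups of services sharing one password,
    and pairs of services whose passwords are almost the same."""
    rows = list(csv.DictReader(io.StringIO(export_text)))

    # Exact reuse: group service names by password.
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["name"])
    reused = sorted(sorted(n) for n in by_password.values() if len(n) > 1)

    # Near reuse: one breached password makes its variants easy to guess.
    near = []
    for a, b in combinations(rows, 2):
        if a["password"] == b["password"]:
            continue
        ratio = SequenceMatcher(None, a["password"], b["password"]).ratio()
        if ratio >= near_threshold:
            near.append((a["name"], b["name"]))
    return reused, near

if __name__ == "__main__":
    reused, near = audit_reuse(SAMPLE_EXPORT)
    # Only service names are printed, never the passwords themselves.
    for group in reused:
        print("Same password:", ", ".join(group))
    for a, b in near:
        print("Too similar:", a, "and", b)
```

Delete the export file once the audit is done, since it holds every password in plaintext.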
What do I do with all these passwords?
Juggling dozens of different passwords can become tedious very quickly. How do I remember which one is for which website? Wait a minute, I can just write them down and stick it under the keyboard. Writing your passwords down is not good if you share an office space, or if you have a nosy roommate. This is where a good password manager comes in handy.
Wait a minute, my web browser does this already.
True. Firefox, Chrome, Safari, even the dreaded Internet Explorer will offer to remember your password for you, so why do you need a password manager?
There are a few issues with having your web browser store your passwords. One, if you happen to share your computer with a friend or family member, it's very easy for them to access your saved passwords from the browser settings. For example, in the settings for Chrome, just go to advanced settings, passwords and forms, and click on manage passwords. You can now view all the saved passwords in plaintext by clicking on the show button.
Another issue: if your smartphone has your passwords stored in the browser and it is stolen while the screen is unlocked, someone can easily log in to your favorite sites or view your passwords, similar to the example above. If your web browser auto-fills the password, it takes no time for someone to log in and invade your privacy. A password manager that stores and encrypts the usernames and passwords, and only grants access to a person with the master password, protects its contents so that an attacker cannot see them.
So, what's a password manager?
Quite simply, a password manager is a program that stores all your usernames and passwords for you in a secure encrypted database. It's your own digital safe to keep your credentials in. If you forget a password, it's stored in your password manager just like your web browser would store them, but it stores them more securely than your browser would.
In addition to storing your many passwords, some of the more user-friendly password managers will even auto-fill your credentials when you visit the site you want to log in to, saving you from digging for the correct username and password, same as your browser did before. This isn't the only handy feature available. There are also password update features, which can detect password changes and will offer to save the new passwords for you when you log in.
So instead of remembering 50 different passwords, you only have to remember one master password. When you set up your password manager, you will create one very strong, complex and secure master password to log in to the manager. Make your master password long, be sure not to use personal details like your name, family member or pet names or relevant dates that someone could guess, and be sure to include some random numbers and a few symbols.
For maximum security, be sure to log out of your password manager when you're finished, and if the feature is available, which it should be, set it to auto-logout after a few minutes of inactivity. Leaving your password manager logged in indefinitely means anyone who can access your computer or smartphone can get to your passwords. Think of it like leaving the house: always be sure to lock the door when you leave.
This sounds cool, but which password manager do I pick?
There are several options. We don't recommend any one password manager over another since there are many great options available, but we do have a few suggestions that are highly recommended in the tech industry. There's LastPass, Dashlane, RoboForm, and LogMeOnce to name a few. All of these feature encrypted cloud-based password storage options, easy-to-use interfaces and auto-fill features for your web browser. They're also available for Windows, macOS, Android and iOS.
Since we are talking about cloud-based password storage and security, one thing we do recommend highly is using two-factor authentication when available. Two-factor authentication adds an extra layer of security by confirming your login, usually by asking for a passcode from an authenticator app on your smartphone or by answering a text message. This means that if someone happened to know your password, they would also need access to your authenticator or text messages to fully authenticate. With security becoming more important, more services are starting to offer two-factor authentication, and we recommend using it whenever possible. For free authenticator apps, there are many options available, such as Google Authenticator, which is free to use on Android and iOS.
So now that we have some options available for storing our collection of passwords, we can rest a bit easier knowing that we have increased our personal security and protected our personal privacy by making sure not to reuse passwords and making sure to store them securely. Not just on Data Privacy Day, but every day.
About Data Privacy Day
Check if you have an account that has been compromised in a data breach
See how strong a password is
Infographic on the world's largest data breaches
Password manager reviews
Terry Laurent is an Encryption Analyst with Tulane Technology Services. Learn more about Information Security at http://www2.tulane.edu/tsweb/security/