If you’re concerned about hacking and cyber theft, you’re not alone (and you’re not over-reacting). Our speaker for August First Friday was Jeremie Mailloux, Lead Technician and co-owner of the managed IT service provider itWorks.
Everybody’s been hacked at some point, Jeremie said – including the military, public utilities, and hospitals. It only takes one click to compromise your information. In his hour with us he walked us through the two top defenses: passwords and avoiding “dumb clicks.”
Setting your passwords
We don’t see news reports of security breaches anymore, but it’s not because they’re happening. They happen so often, they’re not news anymore. Jeremie said billions of passwords have been stolen.
The best thing we can do to protect our information is to be smart about passwords. When a company is hacked and passwords are stolen, the hacker takes the login information gleaned and runs it for a username and password match everywhere else because people tend to use the same usernames and passwords on multiple accounts. If you use the same password everywhere, change it.
The magic number for a password is 16 characters. They must be alpha numeric, with upper and lower case, and contain symbols. Eight-character passwords require a super computer to crack – but they can crack them faster than you can remember them. We need longer passwords and they need to be complicated. At 16 characters, Jeremie said there are ten quintillion possibilities, and the passwords are not stored locally (passwords of 15 characters and under are stored locally, exposing them to theft).
Of those 16 characters, 8 are the base password and 8 are specific to each site you sign into. To create the base password, Jeremie suggested thinking of your favorite color, food, band, and your favorite two digit number. Shorten the names of each in a way that makes sense to you, mixing in symbols, numbers, and upper case letters. The example Jeremie gives on his website is for a 9 character base. He used the words brown, olives, and The Beatles, which he expressed as BrO, 01^, and b3@. Keep this as a root and add a 7 digit extension for each site, expressing it similarly with alpha-numerics and symbols.
If you keep a document with your passwords, store only the extensions. You’ve already memorized the base. If you are worried about remembering the base, write it on something that has nothing to do with you – for instance the back of someone else’s business card kept in your wallet.
Password managers have their own security issues. If someone is looking to hack a place with the motherlode of passwords, there is no better target than a password manager. If you do install something to manage passwords, make sure the security company is reputable, and stay away from cloud storage of passwords.
On a local machine, or for a domain, you can have a shorter password because it will shut down after a few login attempts. Jeremie’s personal password is 27 characters long, but your IT people can advise you what makes sense for your machine. Two factor authentication (where a code is texted to you on your phone) has been hacked, but it’s better than nothing and you will get notification if someone is trying to login without the code. He also said there are good biometric tools coming around, but they’re still not infallible.
When you’re ready to change your passwords (if you haven’t already), start with your bank and other financial institutions, then Amazon and any site that has access to your money or credit card information.
Dumb Clicks
We are one click from messing up our day at any given time.
Always make sure you’re using an https site before entering your credit card information. The information is encrypted on an https, and has a security certificate. If the url doesn’t start with https, you are likely at the wrong site. Click on the padlock to verify the certificate.
Do not update anything when prompted by a website. For instance, if you get a message that says “to view this, you need to install an update” close everything, go to the program that needs to be updated, and update from a secure, safe site. We don’t want to give anyone that one click, and error messages are one of the easiest ways to get us to click through to a fake site or inadvertently download an infected file. Every file type can be infected. Be careful what documents you download.
If you get something that you don’t recognize, Jeremie says to shut down and restart your computer. Even the little x in the corner of an alert can be a “yes” button. Set security so your computer alerts you before changes are made. Mouse-over links before clicking and verify that they go where you think they’re going. If you get an alert, go to the site without clicking the link.
Your IT people can protect you from 90% of the attempts, but the other 10% is up to you. Jeremie says to talk to your IT people. They want to have this conversation with you.
“I am hoping you are terrified, and you will make one change when you get home.”
If you need an IT person to help with security, consider the Tech Council’s member directory. And if you need to keep your software up-to-date and do not have an IT person, www.ninite.com is a good place to download web browsers, free anti-virus and other tools like Open Office.