With holiday shopping season in full swing, gift-givers won't be the only ones scouring the Internet for opportunities. Hackers are constantly probing for weak spots, and a massive influx of people signing up for credit cards or entering their information into shopping sites can make for easier thefts.
Dr. Randy Boyle, co-author of a nationally recognized cyber security textbook and professor of cyber security at Longwood University, offers some basic tips on password security for just those deal seekers so they can enjoy the holidays without having to worry.
"Encrypted" doesn't mean secure
When a hacker gains access to a corporate network, he or she typically steals a copy of the password list—a list of encrypted codes called "hashes" and the corresponding usernames. All that encryption does is slow the hacker down a little.
Encryption works like this: companies typically use one of about four or five different encryption methods to secure their password lists. The encrypted passwords are stored on a server in list form, and matched up when users log onto the site. Hackers steal these lists and then use widely available tools to crack them. Weak passwords, like 123456, don’t slow them down at all—hackers can try billions of possible passwords per second. They use dictionaries containing every word in every language, and have special software that mangles those words into a surprisingly comprehensive array of possible passwords, including those with number combinations at the end. If you use a weak password, they’ll find a match in seconds.
However, if you use a strong password, like "Z[m8lHNK!7kuh," it may slow them down enough that they’ll just give up. They’ll give up because they’ll be forced to guess too many different passwords before they get to yours. So, encryption can securely store passwords if the password is complex enough, but it isn’t a magic cure-all.
Changing your password doesn't make you secure
It helps, but only kind of.
There are certainly plusses to changing your password: for one, it limits the amount of time an account is vulnerable after a breach. But most people don't use very good passwords to begin with, and changing a bad password doesn't make you more secure. Furthermore, users tend to create derivations of existing phrases (think, "SuperPickles1", "SuperPickles2", etc.). Cracking that? Child's play.
Even more worrisome is the fact that few people change their passwords even when they know their accounts are likely compromised. According to a 2014 Pew Research Center study only 39% of people changed their passwords when they became aware of the infamous Heartbleed vulnerability.
Furthermore, keeping several different passwords in your head can be confusing, so people tend to use the same password for many of their various online accounts. If that’s the case, when SuperPickles2014 is hacked, it’s not long before your email, work computer and even bank accounts are at risk. Remember, when a password is stolen, it’s added to the hacker’s database, so all of the sudden SuperPickles2015 doesn’t seem so far out of reach.
Anti-virus software isn't an unbreakable wall
Anti-virus programs match suspicious files or software to known viruses. The problem being they can’t identify new viruses. Hackers are constantly purchasing new malware, much of it custom written and pre-tested to avoid detection by well-known anti-virus scanners.
If you own a business, DON'T HIRE HACKERS!
On the surface, it seems like a no-brainer: can't beat 'em, join 'em. But hiring a known hacker to beef up your cyber security, especially around the holidays when massive amounts of data are being processed by your systems, is playing with fire.
A newly-hired hacker with access to a corporate database can do much more damage than a janitorial staff member with access to the corporate dumpster. While they are "improving" your security, they might also be building in backdoor access to valuable information. If you can’t understand what an employee is doing, you need to have a high level of trust that they’re doing the right thing. Wanting someone to be trustworthy isn’t enough. They need to have a track record of trustworthy behavior. Hackers don’t have this.
Case in point, while working as an informant for the U.S. Secret Service, Albert Gonzalez stole 45.7 customer records from TJX Companies Inc. in 2007, and 130 million records from Heartland Payment Systems in 2009.
So, what to do?
A couple of tips can help the holiday shopper sleep more securely at night.
First, use great passwords. There are plenty of tips around about how to create a password that's hard to crack—the most common is to take a phrase that's unique to you and shorten it, adding in special characters, numbers and capital letters. So "my favorite movie is Titanic" becomes "mif@vrTM0v!T*tanik".
Second, utilize a tiered password system. For your most precious information, like online banking, use one particularly great password. For other shopping accounts, use another password. For other accounts, use a different one. That way, if one password is hacked, all of your sensitive information will still be secure.