Why you should care
Because make no mistake: They’re watching you.
The author is a cofounder of Shape Security, a Silicon-Valley web security company.
We still don’t know who pulled off the Yahoo email breach, one of the worst hacks in history. But given the sheer number of affected accounts — 500 million — it’s quite probable that they know you. Whether your password or mother’s maiden name, hackers know crucial parts of the identity you established at Yahoo.
With cybercrime and massive breaches escalating, how can an innocent internet user like you stay safe? It’s simpler and cheaper than you probably think. Indeed, the silver lining here is that a few easy, low-tech steps will provide reasonably robust protection. Below, some common security misconceptions, as well as straightforward advice.
1. I’m not important or rich enough to be a target.
Myth! Today’s automated tools let criminals cast very wide nets; they aim to steal small amounts of money from large numbers of consumers. If you’re one of the 500 million people whose Yahoo! accounts were breached, you are now being actively targeted. Maybe you used the same password on Yahoo! as you did on your favorite retail website, and maybe you have a gift card stored on that site. That’s the sort of thing criminals are after. So don’t think that being an ordinary citizen means you’re safe.
2. Complex passwords are good passwords.
Not necessarily. We’re all exhausted by baroque password demands: uppercase, lowercase, special characters, no special characters, numbers, sigh. What’s next, emoji? Take solace: The notion that strange-looking passwords are secure is a myth.
In fact, the primary driver of password strength is length. Length = strength. So go ahead and use an easy-to-remember password, as long as it is longer than 20 characters. For example, “ProudMomCharlestonHigh” or “AddictedToSparklingWater” or even “SizeMattersForPasswords.”
Yes, some folks argue that any easy-to-remember password is fundamentally vulnerable. Perhaps, but a password you can’t remember is fundamentally useless. If you want to be extra careful and foil even the most advanced password-cracking schemes, go ahead and modify it very slightly so it isn’t all English words, such as “SizeMatters4Passwordsss.” Regardless, a sufficiently long password generally provides adequate protection against most brute force attacks. On top of that, if your account supports two-factor authentication, enable it. It provides another significant layer of protection.
The current fashion in tech-savvy circles is password managers. These applications maintain long, complex passwords for all the services you use. Password managers have virtues, and using them is far better than using a single password. But they’re also vulnerable to their own types of security breaches.
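To put numbers behind the length-versus-complexity argument in this section, here is an added example (not code from the article or from Shape Security) that estimates the search space an attacker faces under two constructed models: a character-by-character brute force, and a guess that the password is a run of common English words, which is the "easy-to-remember is vulnerable" objection raised above. The character-class sizes, the 20,000-word vocabulary and the 10 billion guesses per second are assumptions, and "P@ssw0rd" is a constructed short-but-complex password for comparison.

```python
import math

# Assumptions for this added example (not figures from the article): an attacker
# who can test 10 billion guesses per second offline against a fast, unsalted hash,
# and a 20,000-word vocabulary for the "it's probably English words" guessing model.
GUESSES_PER_SECOND = 1e10
COMMON_WORDS = 20_000
SECONDS_PER_YEAR = 365 * 24 * 3600

def charset_size(pw: str) -> int:
    """Size of the smallest union of standard character classes that covers pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation and space
    return size

def brute_force_bits(pw: str) -> float:
    """Search space (bits) if the attacker must try every string of this length and alphabet."""
    return len(pw) * math.log2(charset_size(pw))

def wordlist_bits(word_count: int, vocab: int = COMMON_WORDS) -> float:
    """Search space (bits) if the attacker guesses the password is word_count common words."""
    return word_count * math.log2(vocab)

def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try the whole space at the assumed guessing rate."""
    return 2.0 ** bits / rate / SECONDS_PER_YEAR

def strength_report(pw: str, word_count: int = 0) -> dict:
    """Report both models; the attacker picks the cheaper one, so the minimum is what counts."""
    bits = {"brute_force": brute_force_bits(pw)}
    if word_count:  # only meaningful when pw really is a run of dictionary words
        bits["word_list"] = wordlist_bits(word_count)
    weakest = min(bits.values())
    return {"password": pw, "bits": bits, "effective_bits": weakest,
            "years_to_exhaust": years_to_exhaust(weakest)}

if __name__ == "__main__":
    # "P@ssw0rd" is constructed; the two passphrases are the article's own examples.
    for pw, words in [("P@ssw0rd", 0), ("SizeMattersForPasswords", 4),
                      ("SizeMatters4Passwordsss", 0)]:
        r = strength_report(pw, words)
        print(f"{pw:26} {r['effective_bits']:6.1f} bits  {r['years_to_exhaust']:.2e} years")
```

Even under the pessimistic word-list model the 23-character passphrase outlasts the 8-character "complex" password, and the lightly altered "SizeMatters4Passwordsss" takes the word-list shortcut away entirely.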
3. Using one strong password everywhere is a good idea.
False! A thousand times false! Reusing a password is akin to using a single key to unlock every door in your life: your car, your house, your office, your gym locker. Better yet, think of reusing a password like you’d think of reusing a rusty razor: disgusting and dangerous.
In fact, the No. 1 thing you can do to secure yourself online is use a unique password on every major website on which you have an account. We can hear you groaning already, and with good reason: Most Americans have upward of 40 online accounts, so they need 40 unique passwords. But it’s not as painful as it might sound: It’s fine if those 40 passwords are similar, with a shared “base” but a different “hook.” For instance, “ProudMomCharlestonHighABDC” for Facebook and “ProudMomCharlestonHigh1234” for Twitter creates unique passwords that are still easy to use and remember.
More good news: You don’t need to crowd your brain with all these password versions. Go ahead and record the “hooks” on a sheet of paper or in a computer file (e.g., Facebook: ABDC, Twitter: 1234). Your little list of websites and their numbers doesn’t represent a security risk by itself. And, if you can endure some additional cognitive burden, write down mnemonic reminders to the hooks rather than the hooks themselves.
The truth? You are a target. But these tips will radically improve your security online — and they’re a lot simpler than changing your mother’s maiden name.