Source: Hypersecu Information Systems Blog

3 Security Tips to prevent Credential Stuffing loss

Are you one of the 80% of people who reuse their usernames and passwords? If so, here are the security tips you will need to prevent future loss.

Passwords are used so often that we tend to reuse them. According to Digital Guardian, 130 accounts are associated with the average email address. Nearly everyone reuses their usernames and passwords; according to a survey done by Keeper Security, you are probably in this group:

• 87% of respondents aged 18 - 30 reuse passwords
• 81% of respondents aged 31 and up reuse passwords

Why does this matter? When we use the same username and password for multiple accounts, we leave all of our accounts vulnerable. Billions of credentials are stolen each year from hacks on companies big and small. Many think nothing of a hack at a site where they did not save their credit card. But the hacker is only after the username and password you use for every site. Hacking a bank is hard. Hacking a small company with weak security is easy. They are able to get what they want, your reused credentials, sometimes without ever being noticed. With these new credentials they then apply a method called "Credential Stuffing" to get what they really want: the key to your important accounts. Now here is where things get scary.

Credential Stuffing

Credential stuffing is the act of a hacker taking their database of stolen credentials and, using an automated tool, trying each username/password pair against a site one by one until one works. When a username/password works, the tool alerts them that they have access, and they do what they wish with it. Maybe they will go on a shopping spree, buy flight tickets, harvest your credit card details for later, or, most commonly, commit identity theft. It's so common that credential stuffing accounts for more login attempts than real logins.
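As an added illustration (not code from the Hypersecu post), here is a small detector in Go for the pattern just described, run over a constructed login log: a stolen list replayed one account after another shows up as a single source address trying many distinct usernames with mostly failures, which is how a site can tell stuffing traffic apart from its real users. The log format, thresholds and addresses are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed login log (not from the post): "<time> ip=<addr> user=<name> result=<ok|fail>".
// 203.0.113.5 walks a stolen list through many accounts; 198.51.100.7 mistyped a password once.
var sampleLog = []string{
	"10:00:01 ip=203.0.113.5 user=alice result=fail",
	"10:00:01 ip=203.0.113.5 user=bob result=fail",
	"10:00:02 ip=203.0.113.5 user=carol result=ok",
	"10:00:05 ip=198.51.100.7 user=frank result=fail",
	"10:00:09 ip=198.51.100.7 user=frank result=ok",
}

// StuffingSources returns, sorted, the source addresses that tried at least minUsers distinct usernames
// and failed at least the fraction minFail of attempts: one human retrying never matches, a replayed list does.
func StuffingSources(log []string, minUsers int, minFail float64) []string {
	users, total, failures := map[string]map[string]bool{}, map[string]int{}, map[string]int{}
	for _, line := range log {
		f := strings.Fields(line)
		if len(f) != 4 || !strings.HasPrefix(f[1], "ip=") || !strings.HasPrefix(f[2], "user=") {
			continue // malformed line: skip it rather than crash the detector
		}
		ip, user := f[1][3:], f[2][5:]
		if users[ip] == nil {
			users[ip] = map[string]bool{}
		}
		users[ip][user] = true
		total[ip]++
		if f[3] != "result=ok" {
			failures[ip]++
		}
	}
	var flagged []string
	for ip, seen := range users {
		if len(seen) >= minUsers && float64(failures[ip]) >= minFail*float64(total[ip]) {
			flagged = append(flagged, ip)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	fmt.Println(StuffingSources(sampleLog, 3, 0.5)) // [203.0.113.5]
}
```

The thresholds are deliberately coarse; in production they would be tuned per application and combined with a time window so that a slow, low-volume replay is not missed.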
Hackers using credential stuffing account for the percentages of login attempts below in each industry; as you can see, it's more than the real users:

• 90% at online retail stores
• 60% at airlines
• 58% at consumer banking
• 44% at hotels

We have established that hacks are common, that we often reuse passwords (or at least many people do), and that hackers have the motivation and the tools to put these stolen credentials to use. So what can businesses do to protect their employees? What can individuals do to protect their accounts?

3 Security Tips to protect business and personal accounts AFTER a hack

1. Change passwords

No one likes this, and in reality it's not very practical. But it's the quickest solution and costs the user nothing extra. And it seems to be the favorite of so many companies. Quick tips:

• Make them complex, 10 digits
• Add symbols, letters, numbers, upper and lower case
• NEVER use the same password for another site, even if you have 130
• Change them every month.

That, to me, seems like a full-time job. But it's needed if you want to keep your accounts safe.

Overall rating - 3/10 - It's time consuming, complicated, and could take multiple hours a month, if not more, to implement.

2. Use a Password Manager

This will make it easier to remember your passwords, but they can still be hacked. They will keep your current passwords safe and will up your password game, but keep in mind it's still a password game. They are still vulnerable to phishing attacks, as shown here. And the password manager itself is protected by a password; what if that is hacked? We are still using old-fashioned static passwords.

Overall rating - 5/10 - They are pretty good on desktops, but they still need to be updated monthly with new passwords, it's still time consuming, and it's still the password game, which is what we should be working to replace.

3. FIDO U2F Security Keys

Security Keys are the wave of the future for online security.
Google's entire staff use U2F Security Keys for authentication; it's a trend at many major companies and is supported by more sites daily. They are easy to use and affordable.

How do they work? To use one, you sign in with your username and password, then simply press a button on the key to prove you are a) physically there and b) have the right key. This means that if a hacker gets your information, they can't do anything with it unless they also physically obtain the security key you own. This makes it a great choice to combat real-time attacks. And they stop credential stuffing attacks instantly.

Best of all, your application could already be supported. The ever-growing list includes popular services such as SalesForce, Google, Microsoft, Dropbox, Github, Duo, Dashlane, Facebook, RSA, Twitter, IBM and many more.

Overall Rating - 9/10 - FIDO U2F Security Keys offer a high level of security and match it with a great convenience factor.

Interested in learning more? Wondering what you do if you lose your security key? Contact us for more in-depth answers to your specific questions at gregory@hypersecu.com. If you want to get your hands on some samples of U2F Security Keys or physical OTP tokens, click here.
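As an added example rather than code from the post or from Hypersecu, the Go program below simulates the press-the-button step described above: after the password check the site issues a challenge, the key signs it together with the site's identity and a press counter, and the site accepts only a signature from the registered key whose counter has moved forward, so a stolen password, a captured response or a look-alike site's challenge all fail. Ed25519 stands in for the P-256 ECDSA that real U2F keys use, and the appID, challenge text and single key handle are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Key simulates a U2F security key: a private key that never leaves the device plus a press
// counter (assumed: one key handle per site; Ed25519 stands in for real U2F's P-256 ECDSA).
type Key struct {
	priv    ed25519.PrivateKey
	counter uint32
}
func (k *Key) Register() ed25519.PublicKey { // once per site: only the public half leaves the key
	_, k.priv, _ = ed25519.GenerateKey(nil)
	return k.priv.Public().(ed25519.PublicKey)
}
// Press is the button press: the key asserts presence (1), bumps its counter and signs.
func (k *Key) Press(appID string, challenge []byte) (uint32, []byte) {
	k.counter++
	return k.counter, ed25519.Sign(k.priv, signedData(appID, 1, k.counter, challenge))
}
// signedData is the U2F signing input: SHA-256(appID) || presence || counter || SHA-256(challenge).
// Binding the site's appID into the signature is what makes a look-alike site's challenge useless.
func signedData(appID string, presence byte, counter uint32, challenge []byte) []byte {
	app, ch := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	buf := append(app[:], presence, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(buf, ch[:]...)
}
// Site is the relying party: after the password check it holds only the public key and last counter.
type Site struct {
	pub         ed25519.PublicKey
	lastCounter uint32
}
// Verify refuses a stale counter (a replayed response) and any signature not from the registered key.
func (s *Site) Verify(appID string, challenge []byte, counter uint32, sig []byte) bool {
	if counter <= s.lastCounter || !ed25519.Verify(s.pub, signedData(appID, 1, counter, challenge), sig) {
		return false
	}
	s.lastCounter = counter
	return true
}
func main() {
	key, challenge := &Key{}, []byte("constructed challenge; a real site draws a fresh random one per login")
	site := &Site{pub: key.Register()}
	counter, sig := key.Press("https://example.com", challenge)
	fmt.Println(site.Verify("https://example.com", challenge, counter, sig)) // true: genuine press
	fmt.Println(site.Verify("https://example.com", challenge, counter, sig)) // false: replayed response
}
```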
