Good practices, better security

Many people sidestep online security measures that are extremely effective and, in most cases, completely free. All it requires is some time and understanding to implement the simple practices we recommend below.

Use multifactor authentication (MFA) for email

You probably already use MFA for access to banking and investments. MFA requires you to enter a code during the login process, sent either by text message or generated using an authenticator application. Taking this precaution with financial accounts makes good sense… but are you using the same steps to protect your email?

Most password-reset flows use email for verification, so if the bad guys have access to your inbox, they can potentially reset the password to any account tied to that mailbox. If your email is tied to a private domain, you should also enforce MFA for access to your domain registrar. If bad guys can gain control over your domain, it’s easy for them to redirect your email to their own servers, where they can send messages from your email address without needing your password. Good security requires you to protect both your email and your domain, as they are the keys to other important accounts that you own.

Use a password manager

Password managers, such as 1Password or LastPass, make it far easier for you to keep your accounts secure. The password manager stores your account details, which means that you are free to use unique and complex passwords for every account. This greatly improves security because if one account is breached, bad guys cannot use the same credentials to access other accounts that you own.

The usefulness of a password manager doesn’t stop there, however. The less information the bad guys can infer about you, the better, so we encourage you to make their job as hard as possible by taking these additional measures:

  • Use the password manager to generate passwords of the maximum allowable length. Password length is more important than complexity.
  • Use a unique username whenever possible.
  • Use the password manager to store the answers to the security questions that are used for password resets. Also, don’t answer these questions truthfully. These simple questions (your mother’s maiden name, where you went to school, etc.) are details that a hacker could learn about you and use to force a password reset.

Be wary of email

Bad guys can create very convincing malicious emails containing links that, at first glance, appear to be completely legitimate. Hackers use these links to direct you to malicious websites that mimic your expected destination. Their goal is to get you to log into what appears to be your actual account… but what is in fact a website designed to harvest your account details.

Even the most eagle-eyed and technically savvy user can be fooled. For example, can you tell the difference between “yourbank.com” and “yourbаnk.com”? If you think those two URLs are the same, you’re incorrect. The first example uses the normal Latin “a” (Unicode U+0061), while the second uses the Cyrillic “а” (Unicode U+0430). Both characters look identical, but they are distinctly different characters to your computer. If you entered both addresses in a web browser, they would both be valid and take you to two completely different destinations.

This is yet another great reason to use a password manager. If you always enter account details from memory, you are far more likely to accidentally enter your password on a malicious website. Password managers, on the other hand, cannot be fooled by lookalike characters or other subtle tricks. From the application’s perspective, you’re either on a website that it has credentials for or you aren’t. If you try to use the password manager to fill in your account details on a masterfully created lookalike, it simply will not work… and the fact that your password manager suddenly does not have stored credentials for what appears to be a legitimate website should be a huge red flag.
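To make the lookalike-character point concrete, and to show why a password manager’s exact-hostname matching is not fooled by it, here is an added Python example; it is not part of the original newsletter and is not any real password manager’s code. The two domains are the ones from the text (the second spells “bank” with Cyrillic U+0430). The helpers `scripts_in_label`, `is_suspicious_host`, `to_ascii` and `credentials_match` are illustrative names chosen for this example.

```python
import unicodedata

# Constructed sample: the two lookalike domains discussed above.
# LOOKALIKE_HOST uses CYRILLIC SMALL LETTER A (U+0430) where LEGIT_HOST
# uses LATIN SMALL LETTER A (U+0061). They render identically.
LEGIT_HOST = "yourbank.com"
LOOKALIKE_HOST = "yourb\u0430nk.com"


def scripts_in_label(label: str) -> set:
    """Return the writing systems used by the letters of one DNS label.

    The script is taken from the first word of the Unicode character name
    (e.g. 'LATIN', 'CYRILLIC'). Digits and hyphens carry no script, so a
    plain ASCII label such as 'yourbank' yields {'LATIN'}.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch).split()[0])
    return scripts


def is_suspicious_host(host: str) -> bool:
    """Flag a hostname in which any single label mixes two or more scripts.

    Mixed-script labels are the classic homograph pattern; a label written
    entirely in one non-Latin script (a genuine Russian or Greek domain) is
    not flagged by this check.
    """
    return any(len(scripts_in_label(label)) > 1 for label in host.split("."))


def to_ascii(host: str) -> str:
    """The name the browser actually resolves: the IDNA (punycode) form.

    A pure-ASCII host comes back unchanged; a label with non-ASCII letters
    becomes an 'xn--' label, which makes the substitution visible.
    """
    return host.encode("idna").decode("ascii")


def credentials_match(stored_host: str, current_host: str) -> bool:
    """A password manager's view of 'am I on the right site?'.

    It fills credentials only when the resolved ASCII hostname is exactly the
    one the credential was saved for. Lookalike glyphs never compare equal,
    so the manager stays silent on the fake page.
    """
    return to_ascii(stored_host.lower()) == to_ascii(current_host.lower())


if __name__ == "__main__":
    for host in (LEGIT_HOST, LOOKALIKE_HOST):
        print(f"{host!r:22} -> {to_ascii(host):24} "
              f"scripts={sorted(scripts_in_label(host.split('.')[0]))} "
              f"suspicious={is_suspicious_host(host)}")
    print("manager would fill on lookalike:",
          credentials_match(LEGIT_HOST, LOOKALIKE_HOST))
```

Running the script prints the legitimate host unchanged and the lookalike as an `xn--` name, flags only the lookalike as mixed-script, and reports that the manager would not fill on it. The `is_suspicious_host` check is a useful screen for mail-gateway or link-rewriting tools, but it is deliberately narrow: it does not catch lookalikes built from a single script (for example a digit `1` in place of a lowercase `l`), which is why the exact-hostname comparison the password manager performs remains the stronger control.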

Free online tools you can use

KnowBe4 is an online security training company that offers free tools and phishing simulations that could be useful for you, your family, or your coworkers. Check out https://www.knowbe4.com/free-it-security-tools for more information.

“Have I been pwned?” (https://haveibeenpwned.com/) is another great resource to check whether your phone number or email address has been associated with a data breach. If you have been associated with a breach (and the vast majority of us have), don’t be alarmed. Make sure you have reset your password on any breached account and, if you have used that account password elsewhere, make sure those account passwords have been changed as well.

If you have any questions, please let us know how we can help!

The Complete IT Team