Everybody does it. You do it. It’s the easy way out, but it’s also an easy way to a security blunder.
The “it” in this case is using your email address as your user name for websites and other places where a login is necessary. Chances are you use one of a couple email addresses for most things. If I had to guess, you use your personal email address for nearly everything that requires an email address as user name, except for a few where you use your work email address.
But as was clearly evident when the contents of the Collection #1 breach were revealed by security researcher Troy Hunt, your email address is known to cyber thieves everywhere. This means that the only thing standing between you and being hacked is a password, and chances are that you’ve already used your passwords more than once, and that means that you’re ripe for an attack.
How ripe? Hunt, who runs the security website Have I Been Pwned, said that this latest breach contains nearly 773 million unique email addresses and about 21 million clear text passwords. It’s a treasure for hackers and a looming catastrophe for you.
So what to do?
There are two approaches, depending on whether you’re dealing with this as a user of such sites, or whether you’re trying to make sure your organization’s site is reasonably secure.
As a user, go to Hunt’s Pwned website to see if the email addresses you use have turned up in a breach somewhere. The search will show you if your email address has been compromised, and if it was, what information along with that address was taken.
After you’ve checked your email address, click on the Passwords tab on the same site, and enter those passwords you use for everything on the internet. If your password has been compromised and is available to hackers, you’ll be told. In that case, you should find all the sites in which you use that password and change them.
Once you’ve fixed the immediate risks, the next step is finding ways to be more secure with your login information. Two steps you can take are first, to enable two-factor authentication where you can. Second, lie where possible.
By lying, I mean to make up a fictitious email address if you can, or find a way to set up a user name that’s not an email address. In the security questions, make up fictious answers for your mother’s maiden name, or your favorite sport, or whatever is being asked. Just use fictitious answers you’ll remember.
At Least Take a Look at a Password Manager
But let’s say you’re trying to make your organization’s login process is secure, which is a more complicated process. The reason it’s more complicated is because you want to avoid the trap of using an email address as your default user name. Instead, you should either assign a user name or have your users pick one within limits, such as a minimum length and a mix of character types. You should not allow the use of email addresses.
In addition, you’ll need to require passwords with some minimum length, and with some level of complexity that you determine. You should not disallow special characters in a password because doing so makes the password easier to guess and easier to break using a brute force attack.
You should also require periodic renewal of passwords, and you should offer two-factor authentication. While you’re at it, don’t allow the real email addresses of your executives to show up on your website. Instead, use a generic email such as email@example.com.
Check Usernames, Passwords First for Safety
Once you’ve determined a user name and password policy, your next step is to make sure the usernames and passwords are safe to use. Fortunately the Have I Been Pwned website will let you check both items to see if they’ve been revealed in a breach. In addition, APIs are available that will let you automate the check to see if user names or passwords have been found in a previous breach so that you can request a different one.
Finally, just because everyone else on the internet seems to store user names and passwords together in clear text doesn’t mean you need to. So, while you’re setting up your new authentication system, make sure that user names are stored separately from passwords and that both are encrypted with at least AES 256 encryption in a database in segmented parts of your network.
While you’re doing all of this, you also need to plan for the future. The whole user name and password method of authentication is already on its way out, and newer methods are already here, as you’ve probably noticed if you use a modern smartphone.
Your next step is probably some form of biometric recognition, paired with a second factor such as a Bluetooth key or a USB-based token. If you haven’t started down this road yet, then you need to start. It won’t be long before every user name and password has been compromised and your network becomes an open book.