"Door locks keep the good people out. The bad guys will break a window."
For the life of me, I can't remember where I heard that quote, but it's an important one to keep in mind when approaching cyber security problems.

Most "preventative" security measures (the kinds of things that make us feel safe) are not as effective as people think. Many of them lull users into a false sense of security, which may be the single most dangerous place for a user to be.

Administrators, technicians, technologically savvy friends and most IT people repeat the same password advice: a password must be at least ten characters long and include at least one lower-case letter, one upper-case letter, one number and a symbol. How many times have YOU said that to end users?
So, you set complex passwords. And, like installing a good door lock on your house, you go on merrily thinking your data is secure.

Far from the Truth
No matter how many times we instruct people to set up different passwords for each website, or how many times we tell people not to write the passwords down, they ignore us. Passwords are only as good as two things:
- The physical security of a machine (more on that in a minute...)
- The way it's stored
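On the second point, how a password is stored: here is an added example (my own code, not from the original post) that contrasts the unsalted, fast hash many breached sites used with a per-user random salt plus a slow key-derivation function, and runs the same small wordlist attack against both. The wordlist, the password and the "iterations$salt$hash" record format are constructed for illustration; in production you would reach for bcrypt or Argon2, which are third-party packages in Python, so this uses the standard library's PBKDF2-HMAC-SHA256 instead.

```python
"""Weak vs. stronger password storage, with the same wordlist attack run against each."""
import hashlib
import hmac
import os

# Constructed wordlist: a few guesses a cracker tries first, including "complex"
# passwords that satisfy the usual ten-characters-and-four-classes rule.
WORDLIST = ["password", "letmein", "Fluffy2015", "Summer2016!", "P@ssw0rd1!", "hunter2"]

PBKDF2_ITERATIONS = 600_000  # the order of magnitude currently recommended for PBKDF2-SHA256


# --- Weak storage: one unsalted, fast digest per password -----------------------
def store_md5(password):
    """What many breached sites did.  Same password, same digest, for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(digest, wordlist):
    """Each guess costs one MD5, and one precomputed table cracks every user at once."""
    for guess in wordlist:
        if hashlib.md5(guess.encode()).hexdigest() == digest:
            return guess
    return None


# --- Stronger storage: per-user random salt + slow KDF ---------------------------
def store_pbkdf2(password, salt=None):
    """Record format assumed here for illustration: iterations$salthex$keyhex."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"


def verify_pbkdf2(password, record):
    iterations, salt_hex, key_hex = record.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison so the check itself does not leak anything
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def crack_pbkdf2(record, wordlist):
    """Still succeeds if the password is in the wordlist, but every guess now costs
    PBKDF2_ITERATIONS hashes and the salt makes that work per user, not per site."""
    for guess in wordlist:
        if verify_pbkdf2(guess, record):
            return guess
    return None


def demo():
    pw = "P@ssw0rd1!"  # passes the "complex password" rule and sits in every wordlist
    weak = store_md5(pw)
    strong = store_pbkdf2(pw)
    return {
        "md5_cracked": crack_md5(weak, WORDLIST),
        "pbkdf2_cracked": crack_pbkdf2(strong, WORDLIST),
        # a second user with the same password: identical record under MD5,
        # a distinct record once a random salt is involved
        "md5_reuse_visible": store_md5(pw) == weak,
        "pbkdf2_reuse_visible": store_pbkdf2(pw) == strong,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The outcome is the point: the salt and the slow KDF kill precomputed tables, hide which users share a password and make each guess cost 600,000 hashes instead of one, yet a password that appears in the attacker's wordlist still falls. Good storage limits the damage of a breach; it does not rescue a password that is guessable or reused elsewhere.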
More than a few (a shamefully high number of) websites store passwords in plaintext, or with outdated, insecure hashing, or with reversible encryption where a one-way hash belongs. It's a pretty big problem. These poor practices mean that when such a site is breached, its users' account information leaks with it (Ashley Madison, anyone?).

More often than not, an attacker who breaks into one weak website learns what all of a user's other account passwords are, because so many people use the same password on every account. Here's a friendly reminder: ALWAYS USE DIFFERENT PASSWORDS ON WEBSITES.

Unprotected Data is Also a Problem
Using the same password everywhere leaves you highly vulnerable, but consider this scenario as well: you keep a secret diary on your computer. One day your spouse gets curious and tries to read it. They turn on your computer and hit the login screen. After several password attempts (pets' names, children's names, important dates, your favorite sports team's mascot) they almost give up.

Then they remember that you don't protect your external drive. They pull out the USB drive you use for backups (yes, suspend disbelief for a minute and imagine a home user who DOES back up their data). After reading about your secret plans to run off to El Salvador, your spouse pre-emptively empties the bank account and takes the kids on a first-class trip to Europe. As much as this bites for our protagonist, it's a possible outcome.

The scarier part: an attacker would not even need your unencrypted USB drive. An average computer user with access to Google can find out how to pull the hard drive out of your computer, plug it into their own machine and read its contents; your login password never comes into it.

Once an attacker has physical access to the machine, it's the end game, my friend. Passwords (except those used for full-disk encryption) are completely useless if an attacker wants data on a machine they've stolen or otherwise have access to.
So, right now, take your diary, media collection or selfies and put them on a disk protected by full-disk encryption, such as:
- FileVault on Mac (confirm it is on by running fdesetup status)
- BitLocker on Windows (confirm by running manage-bde -status)
- LUKS/dm-crypt on Linux, which most distribution installers offer (confirm with lsblk -o NAME,TYPE,FSTYPE,MOUNTPOINT: the root filesystem should sit under a crypto_LUKS partition)
- Or other solutions you can find
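Turning the Linux check into something repeatable: here is an added example (my own code, not from the original post) that reads lsblk's KEY="value" output and reports, for every mounted filesystem and active swap, whether it sits on a LUKS container by walking the parent-device chain. The sample output embedded below is constructed, not captured from a real machine; on a Linux box the script runs lsblk itself, and the command and column names it uses (lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME) are real util-linux options.

```python
"""Which mounted filesystems actually sit on a LUKS container?  Parses lsblk -P output."""
import shlex
import subprocess

# `lsblk -P` prints one KEY="value" line per block device; PKNAME is the parent device.
LSBLK_CMD = ["lsblk", "-P", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME"]

# Constructed sample of that output: LUKS-backed LVM root, home and swap, an
# unencrypted /boot, and an unencrypted USB backup drive like the one in the story.
SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda3" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda3"
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg-home" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="cryptroot"
NAME="vg-swap" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="cryptroot"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="exfat" MOUNTPOINT="/media/backup" PKNAME="sdb"
"""


def parse_lsblk_pairs(text):
    """Turn KEY="value" lines into {device name: {column: value}}."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in shlex.split(line))
        devices[fields["NAME"]] = fields
    return devices


def is_encrypted(name, devices):
    """Walk up the parent chain from `name`; True if the device or any ancestor
    is a dm-crypt mapping (TYPE=crypt) or a LUKS-formatted partition."""
    seen = set()
    while name and name not in seen:
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            return False
        if dev["TYPE"] == "crypt" or dev["FSTYPE"] == "crypto_LUKS":
            return True
        name = dev["PKNAME"]
    return False


def encrypted_mountpoints(devices):
    """{mountpoint: encrypted?} for every mounted filesystem (and active swap)."""
    return {dev["MOUNTPOINT"]: is_encrypted(name, devices)
            for name, dev in devices.items() if dev["MOUNTPOINT"]}


def unencrypted(devices):
    """Sorted mountpoints whose contents anyone holding the disk can read."""
    return sorted(mp for mp, enc in encrypted_mountpoints(devices).items() if not enc)


def check_live():
    """Run lsblk on this machine; None if it is unavailable (e.g. not Linux)."""
    try:
        out = subprocess.run(LSBLK_CMD, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return encrypted_mountpoints(parse_lsblk_pairs(out))


if __name__ == "__main__":
    result = check_live()
    if result is None:
        result = encrypted_mountpoints(parse_lsblk_pairs(SAMPLE_LSBLK))
    for mountpoint, enc in sorted(result.items()):
        print(f"{'encrypted ' if enc else 'PLAINTEXT '} {mountpoint}")
```

In the sample the root, home and swap volumes come back encrypted while /boot, /boot/efi and the USB backup drive do not, which is exactly the gap the diary story exploits: an encrypted system disk buys nothing if the backup next to it is plaintext. Run it as root so lsblk can read the filesystem signatures it needs to label a partition crypto_LUKS.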
Without full-disk encryption, your passwords are useless once your machine is physically compromised (by the way, this goes for your phone, too).

Conclusion
This is only a primer; there are many more ways in which passwords fail. So, stop feeling falsely secure and be careful with everything you do. You never know who's watching, listening or waiting for the right moment.