Password Security - More Important Than Ever...
In December 2015, I wrote a blog post describing my use of 1Password, an excellent password manager app for both mobile and desktop use. If you are unfamiliar with password managers and how they work, you may want to take a quick look at that earlier post before reading further.
In the three years that have passed since writing that blog, the importance of password security has grown exponentially in the battle against those nefarious sorts on the internet who are looking to steal your personal data. Fortunately, during this same three-year period, 1Password has been continually updated and upgraded to make the process of managing your passwords and other sensitive information much easier and, may I say, even enjoyable.
There are other popular password manager apps out there, such as LastPass, Dashlane, etc., but 1Password was my early choice and I’ve never felt a need to explore the others because 1Password works so well for me. If you are not yet using a password manager, I strongly encourage you to “get with the program” and decrease the chances of being the next victim of identity theft. While not all identity theft is the result of weak password protection, strong passwords can take you a good distance along the path to protecting yourself from financial fraud resulting from identity theft.
In November 2017, I went to Nashville, Tennessee to attend a conference for Chief Financial Officers of performing arts organizations. One of the guest speakers was an FBI agent who works in the division tasked with combatting cyber crime. His number one piece of advice was to avoid using weak or repetitive passwords. I don’t recall his exact statistic, but he basically said that hacked passwords were overwhelmingly responsible for most of the identity theft and financial fraud occurring today. So, take it from the FBI guy who daily sees the damage caused by unmanaged passwords.
If you think it won’t happen to you, think again. Shortly after I returned home to Nova Scotia from that conference, I contacted the Social Security Administration to begin my social security benefits effective January 1, 2018, the first day of my formal retirement from work. Imagine my shock when I heard this reply: “Mr. May, your retirement benefits request is already in process and we are trying to arrange for payments to be made retroactive to June 2017, as you requested.” I promptly informed them that I had made no such request. They quickly moved to freeze online access to my account until I could visit a Social Security office in person. Fortunately, I was already planning a trip across the border to Buffalo, New York for the holidays.
When I showed up at the Social Security office in Buffalo that December, they indeed confirmed that I had been the victim of attempted Social Security identity fraud and that the perpetrators had gone so far as to set up a direct deposit arrangement with a bank in Santa Monica, California. A close call indeed. While SSA was unable to disclose the source of the fraud, I have a strong suspicion that it was a result of the massive Experian Data Breach in October 2015. I had received notice from Experian that I was among the 15 million T-Mobile customers whose personal data (including social security numbers) had been compromised.
1Password was already in place when this occurred, but in this case, the software was not in a position to prevent this breach, as it pertained to the theft of information already in the hands of Experian because of a T-Mobile phone service application I made years earlier. However, this incident, combined with the FBI agent’s recent advice, reaffirmed that doing my part by carefully controlling my own passwords is Job #1 in the fight against the bad guys looking to steal sensitive data.
If you are already using a password manager like 1Password, congratulations on taking this important step in your digital life. If not, I'm guessing that you probably employ one or more of the methods and strategies listed below:
You have a written list of usernames and passwords, but keeping it accurate and up to date is a pain and, of course, the list is probably in plain sight. That means that the list is likely to be readily available to a thief who breaks into your home and decides to take the list with him, along with your computer and any mobile devices.
A word of caution about this strategy - in 2011, our house was burglarized and we had a credit card stolen off my desk - which was the first indication of the break-in when the bank called me while we were traveling for the Thanksgiving holiday. Fortunately, I didn’t have a list of passwords in view as well, or our computers might have left the scene too.
Or, instead of a handwritten list, you keep all your usernames and passwords in a Word or Excel document, or similar digital file. This approach makes it even easier for the burglar who steals your computer or the hacker that gains access to your computer remotely.
And, because passwords are difficult to remember, you end up using short passwords, and even worse, you reuse the same password over and over. Hackers who breach websites welcome this behavior, because it allows them to gain access to your accounts on other websites as well, maximizing the value of an individual data breach.
Or, you tweak an existing password just a bit to make a new password on a different site and then struggle to remember which variation of this password you have used on which site.
If any of the above strategies sound familiar, you are a prime candidate for 1Password. In my view, investing in a password manager like 1Password should be seen as part of the price of admission of owning a desktop computer or mobile device. A password manager app should be seen as being just as vital as the power cord for your device. It is that fundamental to safe computing in today’s environment.
1Password, when fully installed on all your devices, will allow you to abandon the above strategies and begin to use strong passwords which you don’t have to remember at all. It’s called 1Password because its master password is the “one password” you’ll have to remember. 1Password’s vault data (containing usernames, passwords, credit card info, identity info like name, address, phone number, email address, etc.) will be directly available to you and automatically entered into any browser, as well as be available in many app login screens. 1Password can be TouchID and FaceID enabled, which makes gaining access to your sites even quicker (and safer).
In a later post, I will describe in more detail how I use 1Password. Stay tuned.