May the Fourth be with you
“12345. That's the stupidest combination I've ever heard in my life! That's the kinda thing an idiot would have on his luggage.”
Since 1987, Rick Moranis’ Dark Helmet, the lesser evil Darth Vader character in the Star Wars parody Spaceballs, has reminded viewers of the importance of choosing a good password (or luggage lock combination). World Password Day seems like a good day to revisit his bemused indignation in this cult classic.
As investigators who frequently deal with delicate information from clients, personally identifiable information (PII) of subjects, financial data and other sensitive information, it’s important that we safeguard that information to the best of our abilities. For that reason we use and recommend the Cybersecurity & Infrastructure Security Agency’s (CISA) best practices for creating and managing strong passwords.
Use a long passphrase. According to NIST guidance, you should consider using the longest password or passphrase permissible. For example, you can use a passphrase such as a news headline or even the title of the last book you read. Then add in some punctuation and capitalization.
Don’t make passwords easy to guess. Do not include personal information in your password such as your name or pets’ names. This information is often easy to find on social media, making it easier for cybercriminals to hack your accounts.
Avoid using common words in your passwords. Substitute letters with numbers and punctuation marks or symbols. For example, @ can replace the letter “A” and an exclamation point (!) can replace the letters “I” or “L.”
Get creative. Use phonetic replacements, such as “PH” instead of “F”. Or make deliberate, but obvious misspellings, such as “enjin” instead of “engine.”
Keep your passwords on the down-low. Don’t tell anyone your passwords and watch for attackers trying to trick you into revealing your passwords through email or calls. Every time you share or reuse a password, it chips away at your security by opening up more avenues in which it could be misused or stolen.
Unique account, unique password. Having a different password for each account helps prevent cyber criminals from gaining access to your other accounts and protects you in the event of a breach. It’s important to mix things up: find easy-to-remember ways to customize your standard password for different sites.
Double your login protection. Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you. Use it for email, banking, social media, and any other service that requires logging in. If MFA is an option, enable it by using a trusted mobile device, such as your smartphone, an authenticator app, or a secure token—a small physical device that can hook onto your key ring. Read the Multi-Factor Authentication (MFA) How-to-Guide for more information.
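The tips above come down to three checkable rules: make it long (a random passphrase), keep personal details and trivially guessable strings out, and never reuse a password across accounts. The following is an added example, not code from the original post or from CISA, showing each rule as a small Python routine. The word list is a constructed stand-in (a real generator would load a published list such as the EFF long word list of 7,776 words), and the `min_length` of 15 and the `personal_terms` check are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed sample word list (hypothetical); a real generator would load a large
# published list such as the EFF long word list (7,776 words).
WORDS = ["helmet", "luggage", "ludicrous", "schwartz", "spaceball", "plunder",
         "yogurt", "druid", "winnebago", "radar", "combover", "eagle"]


def generate_passphrase(word_count=5, word_list=WORDS, separator="-"):
    """Build a passphrase from words chosen with the CSPRNG-backed `secrets` module.

    `random.choice` is not suitable here: Mersenne Twister output is predictable.
    """
    return separator.join(secrets.choice(word_list) for _ in range(word_count))


def passphrase_entropy_bits(word_count, list_size):
    """Guessing entropy of a uniformly random word passphrase: log2(list_size) per word."""
    return word_count * math.log2(list_size)


def check_password(candidate, personal_terms=(), min_length=15):
    """Return the list of policy problems with `candidate`; an empty list means it passes.

    The rules mirror the advice above: prefer length, keep personal details out,
    and reject trivially guessable all-digit strings such as 12345.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidate.isdigit():
        problems.append("digits only")
    lowered = candidate.lower()
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    return problems


def find_reused(vault):
    """Given {account: password}, return {password: [accounts]} for every password used more than once."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accounts for pw, accounts in by_password.items() if len(accounts) > 1}


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, f"({passphrase_entropy_bits(5, len(WORDS)):.1f} bits with this tiny list; "
                  f"{passphrase_entropy_bits(5, 7776):.1f} bits with a 7,776-word list)")
    print(check_password("12345"))
    print(check_password("Fluffy-the-cat-2019!", personal_terms=["Fluffy"]))
    print(find_reused({"bank": "12345", "work email": "12345",
                       "netflix": "3x6$*czQR5aciaLW^FBP3nKR"}))
```

The entropy figure is the point of the first tip: five words from a 7,776-word list give about 64.6 bits regardless of how pronounceable the result is, which is why length beats clever substitutions. `find_reused` is the check a password manager's audit feature performs for you; run it over an exported vault and every entry it returns is an account that a single breach elsewhere would expose.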
Instead of 1) a handful of Post-It notes stuck to your monitor; 2) a small piece of paper hidden under your keyboard, or 3) a spreadsheet on your desktop, just like CISA we recommend the use of a password manager to help keep track of those hundreds of unique, randomly generated passwords that we all end up with. There are free, open-source, locally stored options like KeePass or cloud-based, paid options like Dashlane or LastPass. Make sure to do your due diligence on your required features, use case and level of acceptable risk, remembering that cloud-based password managers will always be a target of cyber attacks due to the potential treasure trove of access they hold, like LastPass disclosed last year.
These data breaches also give both cyber criminals and security/investigation professionals a choice between the dark side and the light. Those that follow the dark side will take email addresses or usernames and passwords identified from one breach and try them across dozens, if not thousands of websites, financial institutions and other platforms to attempt to find matches that allow them to, in my own personal experience as a victim, fraudulently order $400 worth of Taco Bell to a vacant property in rural New Jersey.
If you do end up the victim of a data breach at an online provider but have followed the above guidelines, your Netflix password 3x6$*czQR5aciaLW^FBP3nKR used only for that service can easily be changed and will not place your banking, personal email or other accounts at risk, or order $400 worth of Taco Bell with your DoorDash account. However, if you used 12345 for your bank account, work email, personal email, Amazon account, social media and other accounts then you may have some problems.
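The "try one breach's credentials across thousands of sites" pattern described above is credential stuffing, and from the defender's side it has a recognisable signature: one source cycling through many different usernames in a short window, with occasional successes where a password was reused. The following is an added example, not code from the original post, that runs that detection over a constructed authentication log. The log format, the five-minute window and the threshold of five distinct usernames are assumptions for illustration; the addresses come from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One line per authentication attempt. Constructed sample log in a hypothetical format;
# the addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
2024-05-04T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-05-04T10:00:03Z src=203.0.113.7 user=bob result=FAIL
2024-05-04T10:00:05Z src=203.0.113.7 user=carol result=FAIL
2024-05-04T10:00:08Z src=203.0.113.7 user=dave result=FAIL
2024-05-04T10:00:10Z src=203.0.113.7 user=erin result=FAIL
2024-05-04T10:00:12Z src=203.0.113.7 user=frank result=OK
2024-05-04T10:01:30Z src=198.51.100.2 user=alice result=FAIL
2024-05-04T10:01:41Z src=198.51.100.2 user=alice result=FAIL
2024-05-04T10:01:55Z src=198.51.100.2 user=alice result=OK
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match is None:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag sources that try many *different* usernames within `window`.

    A legitimate user retrying one account fails on the same username; a stuffing
    run walks a breach list, so the tell is the breadth of distinct usernames,
    not the failure count alone. Returns {src: {"distinct_users": n, "successes": k}}
    for the widest window seen per source.
    """
    by_src = defaultdict(list)
    for event in events:
        by_src[event["src"]].append(event)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {e["user"] for e in in_window}
            best = alerts.get(src, {}).get("distinct_users", 0)
            if len(users) >= min_distinct_users and len(users) >= best:
                successes = sum(1 for e in in_window if e["result"] == "OK")
                alerts[src] = {"distinct_users": len(users), "successes": successes}
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {info['distinct_users']} usernames tried, {info['successes']} succeeded")
```

The second source in the sample (one user, two failures, then success) is what a typo looks like and is not flagged; the first source is flagged with one success, and that success is the account whose owner reused a breached password. The response that matters is on the account side: force a reset for the successful login and require MFA, not just block the address, since real stuffing runs rotate through many sources.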
On the light side, the data breach reporting site Have I Been Pwned reports that 12345 has been seen 2,591,816 times in the data breaches it tracks, from online services and websites such as Adobe. Providers like Have I Been Pwned also offer notification services: enter your email address and you will receive an alert if it appears in a data breach they identify.
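Have I Been Pwned also exposes its breached-password corpus through a range lookup built on k-anonymity: the client hashes the password with SHA-1 and sends only the first five hex characters of the digest, receives every suffix in that range with its breach count, and does the final match locally, so neither the password nor its full hash ever leaves the machine. The following is an added example, not code from the original post or from Have I Been Pwned, that implements the client side of that check against a constructed stand-in for the API response. The 12345 entry uses the count quoted above; the other suffixes are made up, and a live check would fetch the range from the Pwned Passwords API instead of reading the local dict.

```python
import hashlib


def sha1_hex(password):
    """Uppercase hex SHA-1, the digest form used by the Pwned Passwords range API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Split the digest into the 5-hex-char prefix that is sent and the 35-char suffix that stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines (the API's response format) into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


# Constructed stand-in for the API: {prefix: response body}. The 12345 entry carries the
# count quoted in the post above; the other suffixes are made up. A live check would
# fetch https://api.pwnedpasswords.com/range/<prefix> instead of reading this dict.
_PREFIX_12345, _SUFFIX_12345 = split_for_range_query("12345")
FAKE_RANGE_STORE = {
    _PREFIX_12345: "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        f"{_SUFFIX_12345}:2591816",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:3",
    ]),
}


def breach_count(password, range_store=FAKE_RANGE_STORE):
    """Return how many times `password` appears in the breach corpus (0 if never seen).

    Only `prefix` is looked up remotely; the suffix comparison happens here, locally.
    """
    prefix, suffix = split_for_range_query(password)
    body = range_store.get(prefix)
    if body is None:
        return 0
    return parse_range_response(body).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("12345", "3x6$*czQR5aciaLW^FBP3nKR"):
        n = breach_count(pw)
        print(f"{pw!r}: {'seen ' + str(n) + ' times, reject' if n else 'not in corpus'}")
```

This is the check NIST's password guidance asks for at the point a password is chosen: any non-zero count means the value is already in attackers' wordlists, so reject it and explain why. Because only the five-character prefix is transmitted, each query narrows the password to one of roughly a million candidates, which is what makes it safe to run against a third-party service.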
By choosing a unique, complex password for each online account, app or other system you interact with, and by staying informed as to where you may have been compromised, you, too, can stay on the light side and keep yourself and your information safe.
May the Fourth be with you…