Hardly a week goes by without a new headline to spotlight the latest hack. In the case of the Yahoo password hack, the news was quite old since the data was stolen in 2014. Yet the team at Yahoo took two years to disclose the hack. In the meantime over 500 million Yahoo users were vulnerable. I don’t think it’s hard to imagine that other companies are taking a similar approach. Perhaps there are sites that don’t even disclose hacks to protect themselves from public embarrassment. There are many lessons to be learned from the Yahoo hack. The first is not to rely on others to secure your identity online.
How can you protect your identity and personal information online? In the case of the latest Yahoo hack, the attackers made away with a treasure trove of information. Yahoo users had their names, email addresses, telephone numbers, and birth dates stolen. The hack even exposed security questions and the answers. That’s terrible in and of itself. The larger issue comes from people’s reuse of passwords and security questions across websites. This can leave you exposed to attack without any warning. The site in question doesn’t have to be a target of the hack. You simply use the same credentials on both sites. You may have thought that was alright in the past but it definitely isn’t safe anymore. It hasn’t been for quite some time now.
Lesson One – Do Not Reuse Passwords
The first lesson from the Yahoo hack is not to use the same password or security questions across multiple sites. I understand that is easier said than done. We all have enough information to remember. A different password for each website can be quite a challenge. In response, most people seem to understand the need but still reuse passphrases. We look forward to password alternatives that are sure to come in the future. In the meantime I suggest using a password manager to keep track of all your accounts.
Lesson Two – Do Not Reuse Security Questions
When it comes to security questions, it can be difficult not to reuse them since websites often provide a list of common questions. This is an area of concern for many security conscious users. There are a few ways to minimize your risk. The first option is not to use the security questions when given the option. You can also use two-factor authentication or another verification method like text or phone.
Lesson Three – Create and Use Strong Passwords
It’s one thing to tell someone to use strong passwords but it’s another thing altogether to practice what you preach. The definition of a strong password can vary between websites. At a minimum we recommend you create a password with 8 or more characters. Character 9-12 will provide exponentially better security. Make sure to include upper and lower case letters, numbers, and at least one special character. Do not use words or phrases from a dictionary and stay away from easy to guess information like important dates. You can use a passwords generator to create more secure options.
What about websites that don’t allow you to vary the characters used in your password? You will still run across websites that don’t allow you to use special characters. Te first thing we recommend is taking a step back and considering how important the site is to you. If you can do without it then seek more secure alternatives. In time I think you’ll see more companies improve their password requirements. In the meantime it’s up to you.
Lesson Four – Use Two-Factor Authentication
When it comes to security, the more authentication factors the better. Whenever possible we recommend using two-factor authentication to add another layer of security protection. Some sites will use security questions as a second factor. You will find that many financial institutions and even popular sites like Google offer even better two-factor authentication. Some companies like Paypal and ETrade will send you a hardware token. Others will use something like the Google Authenticator app. Either way you will enter the code sent to the token or your phone to log in. This keeps potential hackers from accessing your account. They would need both your password and the one-time code sent to your device at time of login.
Lesson Five – Encrypt your Data
Did you know that entering your username and password while on a public WiFi network can leave you exposed? An attacker can capture your personal data including passwords if you fail to encrypt your data. The solution is to use a VPN anytime you connect to an unsecured network. This could include the coffee shop around the corner, airport, or hotel. Anytime you’re not sure we recommend connecting to a VPN server before you do anything of importance online. Don’t let the word “VPN” scare you. Many people thing of corporate VPNs. This is different. Personal VPN services like IPVanish are very easy to use. They have simple to use apps for desktop and mobile. All you have to do is click a button and connect to a VPN server. From there you can browse the web and open apps as normal, knowing that you’re communications are encrypted.