You May Be Exposed… Deservedly!

I received this email this week:

Let me be clear: these emails are quite important, and you should be paying close attention to them. With that said, this particular exposure was from nearly five years ago. If you have a password that is that old then maybe you deserve to be compromised?

With multifactor authentication we have improved the security of our accounts… somewhat. With that said, it is still important to use complex passwords and to change them on a regular basis. If you are using a password vault then it might be able to help you to automate your password changes. It will certainly allow you to choose long, complex, and unique passwords for every site… and not reuse the same password for every one. No Rick & Munchkin, the name of your cat is never a good password… and when prompted to change it, choosing the name of your other cat is worse.

Passwords get compromised. It is often not your fault that someone gets access to a password list. You can mitigate these compromises by:

  1. Choosing long and complex passwords. ‘Complex’ means that you will have at least one upper case letter, one lower case letter, one number, and one special character. How long is long? At least fifteen characters, but longer is better.
  2. Do not use dictionary words or common names. You are not fooling anyone by replacing the A with an @, or your I with a 1. This is called ‘leet speak’ and is a term coined by the cultural ancestors of the very people you are trying to prevent from stealing your information; every password-cracking tool tries those substitutions first.
  3. While you are at it… don’t use anything resembling your company name, or anything to do with your hobbies. It will surprise only some of you that the word CIGAR does not appear in any of my passwords in any form.
  4. Change your passwords often. If that sounds like a daunting task considering how many passwords you have, then think of what those passwords are protecting. Things like your bank account, your social media accounts, your email, and so much more… everything that the cyber threat actors need to impersonate you, steal your identity, steal your money, and ruin your credit and reputation.
  5. Do not share your passwords… with anyone! I cannot believe how many times I have to repeat this and still people think it’s a good idea to share them. DON’T DO IT! Passwords are like underwear: Nobody should see them, change them often, and do not share them!
  6. Do not write your passwords down! I have been saying for more than twenty years that the number one threat to cybersecurity was the Post-It Note. This is, of course, an exaggeration… but only a slight one. Do not write your passwords down. Yes, you can use a secured Password Vault to keep them straight. No, I will not recommend one… unless a company whose product I trust decides to sponsor me.
  7. So many sites are now allowing you to enable multifactor authentication. This means that they will ask you to enter a code they send to your phone, or use an authenticator app, or any of a number of other options. If you are given the choice, an authenticator app or a hardware security key is stronger than a code sent by text message, which can be intercepted by someone who takes over your phone number. Yes, it is an extra step. You might even think it is inconvenient. It can also be the difference between a hacker getting into your account… and not.
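Rules 1 through 3 can be applied mechanically. The script below is an added example, not code from the original post: it undoes the common leet substitutions before checking a candidate password against a blocklist (so ‘P@ssw0rd’ is judged as ‘password’), reports every rule the candidate breaks, and generates a replacement with Python’s `secrets` module that passes the same checks. The substitution table and the blocklist (dictionary words, two cat names, an employer, a hobby) are constructed for illustration; a real check would also consult a breached-password list.

```python
import secrets
import string

# Rule 1 from the list: at least fifteen characters, all four character classes.
MIN_LENGTH = 15

# Rule 2: undo common "leet" substitutions so that P@ssw0rd is judged as
# "password". This table is an assumption for illustration, not exhaustive.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "8": "b", "3": "e", "6": "g", "9": "g", "1": "i",
    "!": "i", "|": "i", "0": "o", "$": "s", "5": "s", "7": "t", "+": "t", "2": "z",
})

# Rules 2 and 3: dictionary words, pet names, the employer, the hobby.
# Constructed for this example; a real check would also use a breach list.
BLOCKLIST = {"password", "welcome", "letmein", "fluffy", "whiskers", "acme", "cigar"}


def normalize(password: str) -> str:
    """Lower-case and de-leet a password before matching it against words."""
    return password.lower().translate(LEET_MAP)


def check_password(password: str, blocklist=BLOCKLIST, min_length: int = MIN_LENGTH) -> list:
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    plain = normalize(password)
    for word in sorted(blocklist):          # sorted so the report order is stable
        if word in plain:
            problems.append(f"contains blocked word {word!r}")
    return problems


def generate_password(length: int = 20) -> str:
    """Draw a random password with secrets and keep the first one that passes check_password."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):   # retry until all four classes are present
            return candidate


if __name__ == "__main__":
    for pw in ["Fluffy2!", "P@ssw0rd-Is-Too-Long", "Vq7#kLp2$mZw9!Rt"]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
    print("generated:", generate_password())
```

The blocklist match is a substring test on the normalized string, which is what catches ‘Fluffy2!’ and ‘Whiskers2024!’ alike; the generator rejects rather than patches a draw that lacks a character class, so the result stays uniformly random over the passwords that pass.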

These are seven easy steps that, if you follow them, can improve your security posture. Please note that I am not saying that they will keep you secure or that you will be immune from hacking… there is so much more to it than that. However, taking these easy steps will make you somewhat safer.

There is a quote that I use when I teach that I have grown fond of: Security should cause healthy friction. Yes, it is more than you once needed to do, and yes, it takes a few more seconds… and requires planning. It might even require you to spend a couple of hours every few months changing passwords (which a good password vault should mitigate). We live in an online world, and statistically you are probably more likely to have your money stolen online than in person.

Our world has changed in my lifetime. Okay, the first email was sent the year before I was born, but I was ten years old when SMTP (Simple Mail Transfer Protocol) was standardized, and the World Wide Web (WWW) was launched when I was nineteen. When I was in high school I read books about us living a computerized life and they were absolute science fiction.

The world we live in has surpassed many of those fantasies, and there is not one person in the modern world who does not use the Internet in some fashion… and if there is someone like that then they are definitely not reading this article so we can talk about them. The point is, if we are going to do our banking and shopping online… if we are going to socialize and date and fall in love online… then we should have the respect for these systems to take the necessary precautions to keep ourselves safe.

In the early 2010s the US government tried to impose cybersecurity requirements on companies by legislation, but the idea was defeated by a strong business lobby. In response to that, in February 2013 the President signed Executive Order 13636, which directed the National Institute of Standards and Technology (NIST) to create the Cybersecurity Framework (CSF). The CSF is a voluntary framework that companies can follow to improve the cybersecurity posture of their critical infrastructure. The companies cannot force security upon you… they can only give you the tools to be secure. Most of them do. Use them.
