The (grim) reality of password security

As people's day-to-day lives and the business world are now so online-centric, the need to improve log-in security is clear. Thefts of unique username-password combinations are prolific, a problem further highlighted by the recent news that Russian hackers stole over 1.2 billion credentials from companies across the world.

Ensuring foolproof online password security is a constant challenge. The dangers can appear from anywhere at any time, whether through vulnerable code or falling for scams, so guaranteeing password protection is a tricky business. In addition, gathering a collection of usernames and passwords can be easier than many think, with various scraping programs being sold on the deep-web market to the highest bidders. It is for this reason that organisations must ensure their users are well aware of the possible dangers and the steps they can take to protect themselves.

There are several security precautions that will help individuals and organisations to minimise the risks of their information being stolen, while security researchers look for the solution to the problem.

1. Using two-factor authentication whenever possible

Two-factor authentication adds another layer of security when logging into a website, be it e-mail, banking, or other websites. Some websites, such as Google, will text users a code when they log in to verify their identity, while others have small devices that users can carry around to generate the code. Authenticator apps are also available on all major smartphone platforms. Other types of two-factor authentication do exist as well, so taking a look in the settings of banking, shopping, and e-mail hosts and speaking with advisors at those companies will also help.

2. Signing up for log-in notifications

This security layer is often used in place of two-factor authentication, including by websites such as Facebook. If a user account is accessed from an unfamiliar location, a notification is sent via e-mail, app, or text message to the account holder. This is a great layer of security that offers on-the-go protection. This feature, if offered, can usually be found in the security settings of websites such as banking and social media sites.

3. Accessing accounts from secure locations

It might only be 30 seconds of access to the company bank account on that free WiFi at the coffee shop, but if the network has been compromised, that is more than enough time for a thief to collect all the data needed. While the convenience factor is there, if users must access the accounts, they might want to look into a VPN (Virtual Private Network) to ensure an encrypted connection to their home or work network is established.

4. HTTPS access

In most browsers and information-heavy websites, there is a way to force an HTTPS connection when available. This connection adds another level of encrypted security, making it even more difficult for data thieves to gather user information when logging in. To check if one is on an HTTPS connection, users can look for a padlock in the URL bar in the browser or check that the URL itself begins with HTTPS.

5. Avoiding clicking through on e-mails

Many phishing schemes start with something looking very innocent and official, but lead users to websites designed to collect information directly from them, such as passwords and other credentials. If users receive an e-mail from one of the account-holding websites, they should open a new tab and go directly to the website instead of clicking the links provided. It adds only a few seconds to the access process, but keeps them out of any legit-looking phishing websites.

While the threats to online accounts are out there, these tips for staying safe can help individuals and organisations stay protected by utilising features often already freely available with the companies and their websites. The Holy Grail of password protection – a truly watertight way of protecting credentials even if the company or individual is being hacked – is still missing. But following these steps will help deter hackers from attempting to get access to data and ensure online credentials remain safe.

Contributed by Tyler Moffitt, senior threat research analyst, Webroot