By James Lyne
In the immortal play Henry V, the king uses this famous line to rouse his troops as they attack French fortifications: “Once more unto the breach, dear friends.” It’s a stirring speech inspiring courage in the face of long odds. On today’s digital battlefield, however, we find ourselves on the defensive as hackers continually expose flaws in the security of many of the websites we visit. The aim of these attackers is our personal information, and it’s a simple fact of life that we are all on the front lines.
By now we are no strangers to news of data breaches at popular companies, but the sheer scale of them can still take us by surprise. Case in point: the recent revelation of the theft of hundreds of millions of Yahoo user accounts. The criminals may or may not find any useful information in these specific accounts. But the accounts can lead them (and those who purchase the stolen records) to more valuable assets, particularly if they can gain access to other sites using information gleaned from an email account. For example, do you by chance use the same password for your email that you use for other websites, particularly banking or shopping accounts? That is one of the simplest mistakes that lead to identity theft, and chances are a fair number of you reading this would answer yes.
Our lives are so convenient now thanks to technology that dozens of different aspects are interconnected in ways we may not even think about. This makes it easy when we can log into Facebook through our Google account, but the flip side is that we need to put more thought into securing our digital lives.
As users we are often powerless to stop these hacks from occurring, but we should be prepared to react immediately when something does go wrong. We have to put some effort into securing our online identity. Here are a few steps you can take in light of the Yahoo breach that will also help you with the next inevitable hack that could affect you.
- Change your Yahoo password immediately. If you haven’t already, do so now and then come back to read the rest of this article.
- Reset this password on any other websites where you use it. Cybercriminals are now using tools that sniff out passwords reused on other, more valuable sites to make their work easier and to make the stolen passwords and other hacked data more lucrative on the dark web.
- Make each of your new passwords different, and difficult to guess. Yes, that means you need to create different passwords for every site you visit. It’s worth the inconvenience for the peace of mind you can have.
- Include upper and lower case letters in your passwords, as well as numbers and symbols to make passwords harder to crack. Refer to the Sophos How to Pick a Proper Password video for tips on creating stronger passwords.
- Don’t trust password strength meters—these are unreliable and inaccurate. Stick with best practices, regardless of what the meter says.
- In general, it’s always good practice to update your passwords, password manager and security questions if you hear of a potential data breach that might affect you. Even data breaches from several years ago could still impact you today.
While much of this burden rests on the user, vendors must also do their part to ensure the security of their users’ accounts. Sadly, a lack of such care has been a factor in many recent breaches, with the vendor not placing enough emphasis on securing user accounts. There are many well-understood vectors of attack that can be protected against relatively simply, such as SQL injection, but the vendor must still ensure that protection is integrated into their back-end code. Passwords, for example, should be stored with the assumption that they may be lost. To keep cybercriminals from easily accessing this data even when it is stolen, website administrators should protect it with a purpose-built password-hashing function such as Argon2 or bcrypt, which makes stolen password records far more costly to crack and so provides additional protection for their users.
We each live our life on the battlefield of digital information. And while it presents unparalleled opportunity for productivity and recreation, we have to face the reality that there is also danger in the comfortable modern life. Follow the steps above, and the next time you hear about a data breach you can have a simple plan of action in place to keep you from becoming the next casualty in this conflict.
About James Lyne
James Lyne is global head of security research at the security firm Sophos. James, a self-professed ‘massive geek’, has technical expertise spanning a variety of security domains, from forensics to offensive security.