Time: “Why You Should Change Your Amazon Password Now”

Entrepreneurship, Media

Part I in a series on personal online security. Parts II and III can be found here and here.

“Why You Should Change Your Amazon Password Now”

So says the headline of a recent Time magazine article. The word “now” sure makes for provocative news. The article begins, “Hackers said Friday that they leaked data associated with 13,000 accounts on Amazon, XBox Live and other sites.” The writer concludes, “[This] news should underscore how important it is to change your passwords frequently.”

But is this just alarmist rhetoric? Should we really worry about such a small number of victims?

Online retailers say we have nothing to fear. Not only was the number of victims small, the 13,000 were spread out amongst 14 different retailers, not just Amazon. Some might point to the much larger 2014 Home Depot hack as cause for concern (56 million credit card numbers stolen). But the online retailers say the Home Depot crime wasn’t actually a “hack,” per se. In that attack, card data was skimmed by malware planted on the self-checkout terminals in physical stores, not taken from the company’s online systems.

In other words, according to the spin doctors, cyber security is sound. They might admit the 2013 hack of Target was large (40 million credit card numbers stolen), or that the Sony hack of 2011 came with high costs for the company. But Sony, Target, Home Depot, and any big company watching the fallout of those hacks, have cried, Never again! They’ve elevated their cyber security. They declare online retailing to be as safe as, or even safer than, shopping in a physical store.

That’s plain wrong.

In a recent segment of CBS 60 Minutes, cyber security expert Dave DeWalt says “97 percent–literally 97 percent of all companies–are getting breached.”

What a mind-blowing figure. And DeWalt should know. Target has hired his security firm, FireEye, to prevent future breaches. “Even the strongest banks in the world . . . can’t spend enough money or hire enough people to solve this problem,” he says.

Perhaps the real takeaway from the 60 Minutes piece was that “80 percent of security breaches involve weak passwords. One of the most common is: 123456.” Read carefully, that statistic is about breaches, not about every stolen password: in four out of five intrusions, a weak password was somewhere in the attacker’s path. The lesson is the same either way. Far too many of us still use passwords the way we did in the 1990s: short, simplistic, easy to remember, and therefore easy for a stranger (or a cracking program) to guess.

DeWalt says, “The days when our username and password was our son or daughter’s name, or our cat or our dog: that is not enough security to thwart today’s hackers.”

So, don’t just “change your passwords now.” Make them stronger.

My next post: Password managers, or Doing Passwords Right

The Heartbleed Bug: How to Keep Your Passwords Safe

As an entrepreneur, one of your most important tasks is securing your financial information. In the wake of the Heartbleed Bug, I’ve been fine-tuning my digital security. I’ve especially been fortifying my passwords. I already use a password manager called LastPass, which I highly recommend.

Though I’ve used LastPass for several years, until Heartbleed, I wasn’t utilizing LastPass to its full potential. The latent Luddite in me was on the fence about fully entrusting my most sensitive accounts to any password manager. But this past couple of weeks has shown me how important it is (and that it truly is safe) to use LastPass for even my bank accounts, PayPal, and other highly sensitive sites.

I’d been using LastPass for dozens of less sensitive sites, while continuing to use easy-to-remember, “secret” passwords for my bank accounts and PayPal. Not smart. By “easy to remember,” I mean actual words whose significance I believed to be too personal to be deduced by strangers.

How foolish. Today’s password-cracking software, running on ordinary graphics cards, can test hundreds of millions to billions of guesses per second against a leaked database of password hashes, and it tries dictionary words, names and dates first, with the usual capitalisations and digit suffixes tacked on. Against such brute-force juggernauts, my poor, easy-to-remember passwords would last mere minutes, if that. (The one place such a password survives longer is when the attacker has to guess through the site’s login page, which limits the rate of attempts; once the site’s database is stolen, that limit is gone.)

Enter LastPass. LastPass is widely regarded as one of the best password managers available. You have one master password to unlock the LastPass browser plug-in. Whenever you visit a web service, the plug-in fills in that site’s credentials for you. As long as your master password is chosen well (i.e., long and not guessable), LastPass offers excellent security. There is also a multi-factor authentication option, so that someone who learns your master password still cannot open your vault from another device without the second factor. (It works like Google’s 2-Step Verification, which, if you aren’t using it yet, I also highly recommend.)

LastPass generates a different, completely random, character-string password for each of your online logins. Randomness is the key. A random string can only be found by trying the whole character space, whereas a real word (or a name, or a date) sits in every cracking dictionary and falls in a fraction of a second. This is how to leverage a single master password while never reusing a password across sites: if one site is breached, the stolen password opens nothing else.
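To make the word-versus-random comparison concrete, here is an added example in Go (my own code, not LastPass’s and not part of the original post). It draws a password from the operating system’s random generator without modulo bias, computes the size of the search space, and runs a small dictionary attack with a constructed wordlist against a leaked, unsalted SHA-256 hash: the “personal” password falls in a few thousand guesses, the random one never matches. The wordlist, the 100-million-guesses-per-second rate and the choice of hash are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Printable is the 94-character printable-ASCII set (no space).
const Printable = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

// RandomPassword draws each character uniformly from alphabet using crypto/rand.
// rand.Int is used instead of "random byte % len(alphabet)" to avoid modulo bias.
func RandomPassword(length int, alphabet string) (string, error) {
	n := big.NewInt(int64(len(alphabet)))
	var sb strings.Builder
	for i := 0; i < length; i++ {
		idx, err := rand.Int(rand.Reader, n) // uniform in [0, n)
		if err != nil {
			return "", err
		}
		sb.WriteByte(alphabet[idx.Int64()])
	}
	return sb.String(), nil
}

// EntropyBits is the size of the search space, in bits, for a uniformly random
// password of the given length over an alphabet of the given size.
func EntropyBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// SecondsToExhaust is the worst-case time to try every candidate at a given rate.
func SecondsToExhaust(bits, guessesPerSecond float64) float64 {
	return math.Pow(2, bits) / guessesPerSecond
}

// hashPassword models a site that stored unsalted SHA-256 hashes (a weak but still
// common choice); the attacker is assumed to hold the leaked hash.
func hashPassword(p string) string {
	h := sha256.Sum256([]byte(p))
	return hex.EncodeToString(h[:])
}

// DictionaryAttack models an offline attack: every "personal" word is tried as-is,
// capitalised, and with every digit suffix up to maxSuffix, the kind of mangling
// rules a real cracker applies. It returns the recovered password, the number of
// guesses spent, and whether the hash was matched.
func DictionaryAttack(targetHash string, words []string, maxSuffix int) (string, int, bool) {
	guesses := 0
	for _, w := range words {
		capitalised := strings.ToUpper(w[:1]) + w[1:]
		for _, base := range []string{w, capitalised} {
			for s := -1; s <= maxSuffix; s++ { // s == -1 means "no suffix"
				candidate := base
				if s >= 0 {
					candidate = fmt.Sprintf("%s%d", base, s)
				}
				guesses++
				if hashPassword(candidate) == targetHash {
					return candidate, guesses, true
				}
			}
		}
	}
	return "", guesses, false
}

// ConstructedWordlist stands in for the pet names, family names and years an attacker
// would scrape from a victim's social media; a real list would be far larger.
var ConstructedWordlist = []string{"fluffy", "rex", "emma", "summer", "tigers"}

func main() {
	const rate = 1e8 // assumed: 100 million guesses per second

	// A "secret" personal word plus a year: cracked almost immediately.
	pw, guesses, found := DictionaryAttack(hashPassword("Fluffy2011"), ConstructedWordlist, 9999)
	fmt.Printf("personal word: found=%v %q after %d guesses (%.4f s at %.0e/s)\n",
		found, pw, guesses, float64(guesses)/rate, rate)

	// A 16-character random string: never in any wordlist, and the full space is astronomical.
	random, err := RandomPassword(16, Printable)
	if err != nil {
		panic(err)
	}
	_, guesses, found = DictionaryAttack(hashPassword(random), ConstructedWordlist, 9999)
	bits := EntropyBits(len(Printable), 16)
	fmt.Printf("random %q: found=%v after %d guesses; %.1f bits, %.2e years to exhaust at %.0e/s\n",
		random, found, guesses, bits, SecondsToExhaust(bits, rate)/(365*24*3600), rate)
}
```

The point of the guess counter is that a cracker does not need to search a large space to find a pet name and a year; it gets there in the first few thousand candidates. The 16-character random string is never a candidate at all, and the only route left is exhausting roughly 2^105 strings.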

LastPass stores only an encrypted copy of your vault on its servers. The vault is encrypted with AES-256 under a key derived (with PBKDF2) from your master password on your own device, and that key, like the master password, is never sent to LastPass. If their servers are ever hacked, the thief gets ciphertext, and the only way in is to guess your master password offline, one candidate at a time. That is also the caveat: every password in the vault hangs on that one key, so the vault is exactly as strong as the master password you chose. A long, random master password keeps the offline search out of reach; a short or personal one does not.

Also, LastPass doesn’t store your master password. It never even leaves your device; what the server receives is a one-way login hash used only to authenticate you. Only you know your master password. That’s how they thwart a potential “inside job” by an unscrupulous LastPass employee, who would see nothing but ciphertext. (Insider misuse is a recurring cause of data breaches.)

Plus, the LastPass plug-in only decrypts your passwords on your local machine; it never sends an unencrypted password across the Internet to LastPass. The only place a password goes in the clear is into the login form of the site that owns it, over that site’s HTTPS connection. All individual passwords remain encrypted until the moment you use them.
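The client-side vault model described in the last three paragraphs, as an added example in Go (my own code, not LastPass’s; the field names, the 100,000-iteration work factor and the sample vault are assumptions): the key is derived from the master password with PBKDF2-HMAC-SHA256 on the client, the vault is sealed with AES-256-GCM before it leaves the device, the server record holds only salt, iteration count, ciphertext and a separate login hash, and a thief who steals that record has nothing to do but guess master passwords offline, each guess costing a full key derivation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const iterations = 100000 // assumed PBKDF2 work factor; higher makes every offline guess slower

// ServerRecord is everything the service ever sees. No master password and no key:
// only the salt, the cost, the ciphertext, and a one-way login hash.
type ServerRecord struct {
	Salt       []byte
	Iterations int
	Vault      []byte // nonce || AES-256-GCM ciphertext of the plaintext vault
	LoginHash  []byte // derived from the key, not the password, so the server can authenticate without either
}

// pbkdf2SHA256 is a stand-alone PBKDF2-HMAC-SHA256 (RFC 8018) so the example needs
// nothing beyond the standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	mac := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		mac.Reset()
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newGCM runs on the user's device: master password in, AES-256-GCM instance out.
func newGCM(master string, salt []byte, iter int) (cipher.AEAD, []byte, error) {
	key := pbkdf2SHA256([]byte(master), salt, iter, 32) // 32 bytes = AES-256 key
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return gcm, key, err
}

// CreateVault encrypts the plaintext vault on the client and returns what the server stores.
func CreateVault(master string, plaintext []byte) (*ServerRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, key, err := newGCM(master, salt, iterations)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, nil) // nonce prepended; the GCM tag protects integrity
	login := pbkdf2SHA256(key, []byte(master), 1, 32) // one extra round over the key stands in for the password
	return &ServerRecord{Salt: salt, Iterations: iterations, Vault: sealed, LoginHash: login}, nil
}

// OpenVault is the client-side decrypt. A wrong master password yields a wrong key,
// and GCM's tag check then fails cleanly instead of returning garbage.
func OpenVault(master string, rec *ServerRecord) ([]byte, error) {
	gcm, _, err := newGCM(master, rec.Salt, rec.Iterations)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(rec.Vault) < ns {
		return nil, errors.New("vault too short")
	}
	return gcm.Open(nil, rec.Vault[:ns], rec.Vault[ns:], nil)
}

// OfflineCrack is the thief's position after a server breach: record in hand, nothing
// to do but try master passwords. One success unlocks every password in the vault.
func OfflineCrack(rec *ServerRecord, candidates []string) (string, int, bool) {
	for i, c := range candidates {
		if _, err := OpenVault(c, rec); err == nil {
			return c, i + 1, true
		}
	}
	return "", len(candidates), false
}

func main() {
	vault := []byte(`{"bank":"k7$Qp2...","paypal":"..."}`)            // constructed sample vault
	wordlist := []string{"123456", "password", "fluffy", "fluffy2011"} // constructed attacker wordlist
	weak, err := CreateVault("fluffy2011", vault)                      // a "personal" master password
	if err != nil {
		panic(err)
	}
	guessed, tries, ok := OfflineCrack(weak, wordlist)
	fmt.Printf("weak master: cracked=%v as %q after %d guesses\n", ok, guessed, tries)
	strong, _ := CreateVault("h6#Tq9vL!mZ2pW8rXc4", vault) // long random master: the same attack fails
	_, tries, ok = OfflineCrack(strong, wordlist)
	fmt.Printf("strong master: cracked=%v after %d guesses\n", ok, tries)
}
```

Two things to notice when running it: the server record never contains the master password or the key, which is what “only you know your master password” means in practice; and the attacker’s cost per guess is the full PBKDF2 run, so the iteration count buys time but cannot rescue a master password that is sitting in a wordlist.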

And even when LastPass decrypts a password to log you in to a site, the password field stays masked (just asterisks) in case someone is watching or mirroring your screen. (Your master password is masked, too, when you type it into the LastPass plug-in.) Masking is only a defence against eyes on the screen, though: malware running on your own machine can read the field or the keystrokes regardless, which is why keeping the computer itself clean matters as much as the vault.