Often, the advice on passwords focuses on how to make them difficult to guess. While this is at the core of password-based security, focusing solely on password complexity misses the forest for the trees. While large-scale theft of passwords grabs headlines, the fact of the matter is that more often than not, malefactors are going to get hold of your password via a much simpler and more effective method.
You are going to give it to them.
Phishing scams remain popular and effective by taking advantage of a few basic truths about how humans deal with technology:
- We’re overwhelmed by the amount of information we get on a daily basis, so we can’t spend the time to carefully examine every single message we receive.
- Even when we take a critical look at the messages we get, we’re exposed to so much content that it’s hard to distinguish good from bad (i.e. decision fatigue).
- The nature of how stolen passwords are trafficked online often means that enough time passes between falling for a phishing scam and when your stolen account gets used that it’s difficult to ever connect the dots in a meaningful way.
In addition to phishing, passwords can be stolen via keylogging, connecting to the wrong WiFi network, and good old-fashioned malware. Then there are the pitfalls that even the most careful of us can fall into: trusting the wrong program to store your passwords, for example, or using a service that lets you set up an awesome password but doesn’t actually enforce its use.
This is the point where most folks would stick their head in the sand because it does sound completely hopeless.
The thing is, staying safe online is not so much about technical skill as it is about understanding the difference between prevention and mitigation. Living in Southern California, for example, means you live with the risk of experiencing a major earthquake. You can’t prevent the earthquake from happening, but that doesn’t mean you should let the fear of an earthquake paralyze you, either. You make sure you have the right insurance, prep a survival kit, and have a plan. You live secure in the knowledge that while a quake will eventually hit, you have done everything you can to mitigate the damage to you, your property and your family.
Why not think of your digital assets in the same way? That is to say:
- Break the problem down into manageable chunks
- Focus on mitigating damage rather than preventing disaster
- Have at least an outline of a plan in mind for how to deal with an important account getting stolen
Now I’m sorry to say that I’m going to have to wrap this up for now, but I’ll be back tomorrow (same Bat time, same Bat channel) with some follow-up tips and advice on this topic. For now, though, I hope that those among you who are intimidated by cyber security are left seeing a path towards empowerment, one that comes not from being a technical wizard but rather from problem solving and good decision making.