Well, yet another data breach from yet another business that couldn’t afford top-shelf security, or didn’t understand the need for it. At this point, I think we should probably assume that all our data has been stolen, and it always will be.
We’ve focused for a long time on the idea of “let’s keep our information secure,” and it hasn’t been too long since we started to admit defeat with ideas like, “don’t use the same password on every site, so that if one is breached, the others remain secure.” I think it’s probably time to move to an assumption that nothing can stop our data from being stolen.
That can actually change how you act.
For example, consider making everyone in your life invest in a password manager of some kind – even if, God help us all, that’s a paper journal you buy on Amazon. We really do need distinct passwords for each site, and they need to be phrases like “I-am-Using-Twitter-Right-Now-12345” or something. Forget 8 characters; make ’em long. Doing so makes it significantly harder for bad guys with hash tables to reverse-engineer your password, should they obtain hashes in a breach.
Press everyone to use tap-to-pay whenever possible, and kvetch to local merchants who don’t yet support tap-to-pay. NFC payment systems create a unique, per-transaction code that’s essentially useless anywhere else. If that number gets captured in a breach, it doesn’t matter. More websites need to start accepting Apple/Samsung/Whatever Pay as well, so that we’re not asking them to store permanent credit cards which will eventually be breached.
When asked to create “security questions” for account recovery (“what’s your mother’s maiden name?”), use a distinct, fake answer for each website, and note those in your password management tool or journal. For example, I’ve one website where my “mother’s maiden name” is DarthAvon. But there’s more you can do to protect yourself than making fun of Mom.
Absolutely DO NOT provide a cell phone number to any sites that request one for two-factor authentication. SIM swapping is a real thing, and it’s all too easy for someone to gain access to your incoming SMS messages, which then lets them crack your account wide open. It’s actually better to rely on email for password resets, and just protect the hell out of your email account credentials, ideally rotating them monthly. Again, a password management tool makes that easy and painless.
For example, I use 1Password precisely because it integrates so well with my browser and iOS devices. When I’m prompted to log into a website or app, a password fill-in prompt appears at the bottom of my phone screen, just above the virtual keyboard. I tap it, Face ID authenticates me, it fills in my username and password, and copies any one-time authentication code to the clipboard. A quick tap of Paste inserts that code, whereupon my clipboard contents are restored. You can set this up for a loved one; just make sure you print out their emergency recovery kit (a single piece of paper) and lock it in a fire safe or other secure spot in their home.
If you’re thinking something like 1Password will be too hard for an older parent to use, consider this: they are, sadly, going to pass one day. 1Password and an emergency recovery kit let you or someone else into their accounts so you can pay bills, check balances, close accounts, and more. 1Password’s Watchtower feature also lets you know when specific passwords or account email addresses have been in a public hack, so you can change those ASAP.
Getting back to two-factor authentication: enable it whenever possible. Something I love about 1Password’s Watchtower is that it tells me when I’m using a site that offers 2FA that I’m not using. It’s a prompt to set up proper 2FA, which 1Password stores for me (instead of using Google Authenticator or Authy or something). That ensures my family can, at need, access my 2FA codes, and my accounts, by using my emergency recovery kit. I also use 1Password’s multi-vault feature: we’ve a Family vault shared between us, I have a separate vault for personal sites, one for work passwords, and so on. Each has different sharing options, and all can be accessed using my emergency recovery kit, which stays safely ensconced in a locked fire safe.
Make it a New Year’s resolution not only to get your passwords in order, but to help those in your life do the same. Remove as much personal information from things like security questions as possible. Assume your information will be hacked, because it definitely will, and take steps to mitigate the amount of damage such a hack can do.