Published on February 23rd, 2023
Recovering From a Credential Breach, Part 1
A few years ago while on a business trip, I was out to dinner and left my luggage in my rental car (I had not yet checked in to my hotel). When I finished dinner and went back to my rental car, I found it had been broken into and my luggage was gone. My keyring with keys to my house, car and other places was in my luggage. It was a royal hassle having to get locks changed in various locations, and it was distressing knowing someone else had access to such personal aspects of my life and others' lives, albeit for a short period of time. I never want to relive that experience.
Breaches of credential information bring a challenge not unlike that of stolen keys. A breach of credentials involves the loss of a password, PIN or other information used to log in to an application. In the hands of a criminal, stolen credentials can be used to conduct transactions in the account holder's name. Except in limited circumstances, consumers may be responsible for those transactions, and getting them reversed can be time consuming, and possibly costly as well. For example, a few weeks ago the CEO of Securitas discovered that the state had him registered as being bankrupt, and also he was deregistered as the CEO of his company.
When credentials have been breached, it is important for affected users to change them as quickly as possible. Specific rules on changing credentials appear later in this post.
There is a particularly bad habit that many people, including myself at times, have when creating credentials: they use the same set of credentials for multiple sites. While the advantage of this practice is obvious (fewer sets of credentials to remember), the danger is considerable: if a criminal obtains login credentials for one site, said criminal will attempt to log in to dozens, and perhaps hundreds, of popular sites using the same credentials. And often, they are successful. I once presided over a breach where an intruder logged in to a business user's account and caused some mischief. The affected user admitted that he (or she) used the very same credentials for several personal accounts as well. Company policy forbade that, but many people did it anyway. This is one type of policy that is extremely difficult to verify and enforce.
Whenever creating or updating user credentials, use the following rules:
- Use a complex password that is easy to remember but hard for others to guess. A password that is at least 12 characters long will be strong enough, particularly if it contains lower and upper case letters, numerals and symbols.
- When creating a password, think "pass phrase" instead of "password." For example, the phrase "Surrender Dorothy" could be made into a password such as 5URRender;D0r0thy. The "S" is actually the number 5, and the O's in Dorothy are zeroes.
- Use a different password for each site.
Rule #3 can be pretty challenging, as many of us have lots of user accounts. I recommend you employ a password vault such as Password Safe or KeePass. These handy tools can be used to store passwords, and as a bonus they will copy the user ID and password into the "paste buffer" so that you can just hit Ctrl-V when filling in the user ID and password.
The best thing about password vaults like Password Safe and KeePass is that they can also easily generate highly complex and randomized passwords which, of course, you'll never need to memorize. Generate a password for each site, and you'll be assured of never having to worry about one site's stolen credentials affecting any other sites.
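As an added illustration of rules 1 and 3 and of the vault-generated passwords described above (example code written for this post, not code from Password Safe or KeePass), the following Python script checks a password against the post's character-class rule, generates a random password the way a vault would, and flags any password reused across sites in a constructed sample vault. The symbol set and the sample site names are assumptions.

```python
import secrets
import string

# Character classes from the post's rule: lower and upper case letters,
# numerals and symbols; minimum length 12.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!#$%&*+-/:;=?@^_~"  # assumed subset of symbols most sites accept
MIN_LENGTH = 12


def meets_rules(password: str) -> bool:
    """Rule 1: at least 12 characters, drawing on all four character classes."""
    return (len(password) >= MIN_LENGTH
            and any(c in LOWER for c in password)
            and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SYMBOLS for c in password))


def generate_password(length: int = 20) -> str:
    """Vault-style random password: one guaranteed character from each class,
    the rest drawn uniformly from the full alphabet, then shuffled with a CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = LOWER + UPPER + DIGITS + SYMBOLS
    chars = [secrets.choice(LOWER), secrets.choice(UPPER),
             secrets.choice(DIGITS), secrets.choice(SYMBOLS)]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # SystemRandom.shuffle uses os.urandom; random.shuffle would not be suitable here.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Rule 3 check: map each password used on more than one site to those sites."""
    sites_by_password: dict[str, list[str]] = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


# Constructed sample vault (not real credentials): two sites share one password.
SAMPLE_VAULT = {
    "mail.example": "5URRender;D0r0thy",
    "bank.example": "5URRender;D0r0thy",
    "shop.example": "correct horse",
}

if __name__ == "__main__":
    print(meets_rules("5URRender;D0r0thy"), meets_rules("correct horse"))
    print(reused_passwords(SAMPLE_VAULT))
    print(generate_password())
```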
When using a password vault, you'll have to come up with a master password to protect the vault itself. I highly recommend you use a complex password, but one that is not too difficult to memorize or type. You can't keep that password in the vault, because you need that password to reach the vault.
I suggest you save a copy of your password vault in a few different locations such as a second computer or removable storage such as a USB drive. There are many different failure scenarios on a laptop/desktop computer (tablets and smartphones too) that can result in the loss of all of the information stored there. Losing your only copy of a password vault would be a big chore.
One last remark about password vaults: there are cloud-based password vaults, such as LastPass, and the convenience of being able to access your vaults from anywhere on any device can be compelling. However, I have a moderate dislike for cloud-based password tools, and here is why: if a breach compromises your cloud-based password vault, all your credentials will be compromised and you'll have to change them all, very quickly.
Whatever method you use to manage multiple sets of credentials, do so safely, and please don't store them in a plaintext file (or document, or spreadsheet) where a criminal could easily find them and ruin your day.
In part 2 of this blog series, I discuss steps an organization needs to take when user accounts are compromised.