
Password Vaults and Known Breaches

Vestige Digital Investigations, Cybersecurity Specialist
CMMC-RP

Does your 16+ character password really matter with MFA and authentication tools becoming a standard?

What are password Vaults?

For anyone who does not know what a password manager vault is: it is simply a secure place to store all your passwords, rather than keeping them in an Excel workbook on your desktop. Password vaults are protected with encryption; almost all of them use something similar to the 256-bit Advanced Encryption Standard (AES). The reason to use a password manager vault is that every password you create should be complex and unique. A complex password, according to Microsoft, consists of at least seven characters and includes three of the following four character types: uppercase letters, lowercase letters, numbers, and non-alphanumeric characters. However, most people who practice cybersecurity know that this is not very “complex”; many professionals recommend 16 or more characters. The reason to follow these standards is that they make it much harder for a bad actor to brute-force your password. According to a study by NordPass, a password manager provider, “123456” is still the second most popular password in the United States, just behind “guest”. Passwords like those take ten seconds or less to brute-force, and if all the passwords across your accounts are the same, a bad actor has free rein over all of your information across every site you visit and every account on them! Learn about the benefits of password managers below.
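As an added illustration (not code from the article or from Vestige), the following JavaScript checks a password against the Microsoft rule quoted above (seven or more characters, three of four character types) and the 16-character recommendation, and estimates how long an exhaustive search would take; the guess rate, the symbol-class size and the short common-password list are constructed assumptions.

```javascript
// Added illustration, not code from the article: classify a password against
// the two rules quoted above and estimate an exhaustive search. The guess rate,
// the symbol-class size and the common-password list are constructed assumptions.
const CLASSES = { upper: /[A-Z]/, lower: /[a-z]/, digit: /[0-9]/, symbol: /[^A-Za-z0-9]/ };
const CLASS_SIZE = { upper: 26, lower: 26, digit: 10, symbol: 33 };  // printable ASCII
const GUESSES_PER_SECOND = 1e10;            // assumed offline cracking rate
const COMMON_PASSWORDS = new Set(['guest', '123456', 'password']);  // constructed list

function assessPassword(password) {
  const present = Object.keys(CLASSES).filter((c) => CLASSES[c].test(password));
  const alphabet = present.reduce((n, c) => n + CLASS_SIZE[c], 0);
  // Search space in bits: length * log2(alphabet); 0 for an empty password.
  const bits = alphabet > 0 ? password.length * Math.log2(alphabet) : 0;
  const onCommonList = COMMON_PASSWORDS.has(password);
  return {
    length: password.length,
    classes: present,
    // Microsoft's rule quoted in the article: 7+ characters, 3 of 4 classes.
    meetsMicrosoftRule: password.length >= 7 && present.length >= 3,
    // The 16+ character recommendation (assumed here to keep the 3-of-4 rule).
    meets16CharRecommendation: password.length >= 16 && present.length >= 3,
    onCommonList,
    searchSpaceBits: Math.round(bits),
    // A listed password falls in the first few guesses regardless of length,
    // which is why "123456" is cracked in seconds; otherwise assume a full search.
    exhaustiveSearchSeconds: onCommonList ? 0 : 2 ** bits / GUESSES_PER_SECOND,
  };
}

// Constructed inputs: the article's top password, a Microsoft-rule password,
// and a 19-character password using all four classes.
const samples = ['123456', 'Passw0rd', 'Vq7$kLp2#mWz9!tRb4e'];
for (const p of samples) console.log(assessPassword(p));
```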

Why should you use a password vault?

Password manager vaults are completely optional, and there is no single best or worst product; they are all expected to use encryption similar or equivalent to 256-bit AES. The vault is typically one part of a password manager, which adds quality-of-life features that depend on the service you purchase or subscribe to. Investing in one of the many managers available is a good idea, especially if your work or personal life involves a lot of web surfing. As stated above, all passwords should be different and complex, so that a bad actor who somehow compromises one password cannot use it to access all of your accounts. Assuming you have 20-30 unique, complex passwords, committing all of them to memory is going to be very difficult. With a password manager, all you have to do is create and memorize one complex master password, and from there you can access every other system you need in your day-to-day work.

Do you need a Complex Password when MFA is Enabled?

Nobody can anticipate every way a 2FA system could be deficient, which is why a complex password remains a necessity. An additional layer of authentication is valuable, but a strong foundation, meaning a strong password, is the best defense against a bad actor compromising your accounts or systems. With a strong password and 2FA enabled together, you have significantly improved your overall authentication security. The only real downside to MFA is convincing users who are less cyber-aware that it needs to be put in place and used every day to ensure the best possible security. There are still things a bad actor could do to bypass it or carry out other malicious activity. One of them is a phishing attack: a bad actor may send a 2FA request that appears legitimate but is just a phishing attempt. Another possibility is a man-in-the-middle attack that bypasses the 2FA, which is why a strong, complex password remains important!

Known Breaches and Data Leaks, How Serious?

There has been a wide range of data leaks and breaches over the years; some you may be familiar with and some may come as a surprise. The CAM4 breach in May 2020 included 10.88 billion affected records. The compromised records included password hashes, IP addresses, email addresses, and much more. CAM4’s main operation was to provide live streaming services for webcam performances.

A more notable breach that may be familiar is the Yahoo data breach. The breach was carried out by a group of hackers in August 2013 and affected records from at least a billion accounts. Instead of reporting the breach when it happened, the company waited years, and it only came to light when Yahoo was negotiating a sale to Verizon in 2016. Then, in October 2017, the company made a statement saying that it had previously believed only one billion accounts were affected, but the real figure was three billion. This breach included the information an individual would use to establish a Yahoo account, up to and including security questions.

The last breach on my list is a more severe one that affected fewer people and accounts but involved extremely sensitive information: the First American Financial data breach. In May 2019, a breach took place that exposed sixteen years’ worth of sensitive records, close to 885 million in total. The leaked data included Social Security numbers, bank account information, wire transactions, and mortgage information. So, even though the number affected is not in the billions, nobody would want to be caught up in a breach of this magnitude.

Protect Your Information

You must keep your personal information safe and protect yourself against bad actors. Using strong, complex passwords for every account on every site you visit or register with, and enabling 2FA as an extra layer, brings the likelihood of a successful attack on you down significantly. Password managers and vaults ensure that you do not forget your passwords as you create them and keep them safely stored and encrypted for your use at any time on any site. Most importantly, by selecting a unique password for every account, you can rest assured that a compromise of one system will not lead to the compromise of other systems that would otherwise share that same password.

For more information and assistance on protecting your data, CONTACT the cybersecurity experts at Vestige today.