A data breach at MyHeritage is a reminder to use strong passwords. Follow these tips.
Most people know they're supposed to create strong, unique passwords for every account, but not everyone does it.
The recently disclosed data breach at MyHeritage, a genealogy and DNA-testing site, should serve as a powerful reminder.
The company confirmed Monday the theft of 92.3 million of its users' email addresses and hashed passwords, amounting to the company's entire user population as of Oct. 26, 2017—the day the company's systems were breached.
The company stores hashed—or
scrambled—versions of the passwords that can only be read with unique
keys, meaning the stolen passwords should be useless to the
cyberthieves. But MyHeritage says in a blog post that "for maximum
safety" all of its users should change their passwords.
And while they're at it, users should also change the passwords on any other account where they were using that same password.
Even if you've never had an account at MyHeritage, you can take this
opportunity to improve your passwords, which are the first line of
defense against cybercriminals.
Here's how you can create hard-to-crack passwords and keep your online accounts safer.
Go Long and Complicated
While “Password123” may be
easy to remember, it’s a disaster when it comes to security. Hackers
like to go for the low-hanging fruit and try the obvious options first.
Ideally, a password should be composed of a long string (think at
least a dozen characters) of seemingly random upper- and lower-case
letters, numbers, and symbols. One of the best and easiest things to do
is to create a long password out of an easy-to-remember phrase, then
throw in some special characters.
For example: “Th3Qu1ckBr0wnF0xJump$0verTh3LazyD0g”—though it would be better to use a phrase that you make up yourself.
Don't include your name, birthday, or references to other personal details (yes, that means your kids’ personal details, too). Hackers routinely troll Facebook and Twitter for clues to passwords like those.
And don’t forget about your router.
According to research done by Symantec, one of the world's largest
cybersecurity companies, 37 percent of people haven’t changed their
router’s default password.
This same logic applies to smart home devices such as webcams, TVs, toys and even some high-end refrigerators. Many come with default passwords that should be changed the moment you take the product out of the box. There’s no easier password to hack than one you can find in a manual or online.
Don't Recycle
Even a tech minimalist has
countless passwords these days for everything from bank accounts to
Pinterest. That’s a lot to remember, but don’t follow the temptation to
use the same password for multiple accounts or to recycle an old
favorite.
More than 1 billion passwords were stolen from Yahoo
in a handful of breaches over the past several years. You wouldn’t want
that same password to be tied to your credit and bank accounts as well.
Hackers routinely test passwords stolen in mega breaches on financial
accounts.
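The checks from the two sections above, written as an added Python example (not part of the original article): it flags passwords that are short, lack a character class, are common or default values, hide a personal detail behind simple character swaps, or are reused across accounts. The account names, passwords, personal details and the small common-password list are constructed for illustration.

```python
import re

# Constructed sample data; nothing here comes from the article or a real account.
COMMON_OR_DEFAULT = {"admin", "password", "password123", "12345678"}
LEET = str.maketrans({"3": "e", "1": "i", "0": "o", "$": "s", "@": "a"})
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

def normalize(text):
    """Lower-case and undo simple character swaps so 'M@ya' matches 'Maya'."""
    return text.lower().translate(LEET)

def check_password(password, personal_details=()):
    """Return the list of problems found in a single password."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not all(re.search(c, password) for c in CLASSES):
        problems.append("missing a character class")
    if password.lower() in COMMON_OR_DEFAULT:
        problems.append("common or default password")
    flat = normalize(password)
    if any(len(d) >= 3 and normalize(d) in flat for d in personal_details):
        problems.append("contains a personal detail")
    return problems

def audit_accounts(accounts, personal_details=()):
    """Map each account name to its problems, including reuse elsewhere."""
    users = {}
    for name, password in accounts.items():
        users.setdefault(password, []).append(name)
    report = {}
    for name, password in accounts.items():
        problems = check_password(password, personal_details)
        others = sorted(n for n in users[password] if n != name)
        if others:
            problems.append("reused on: " + ", ".join(others))
        report[name] = problems
    return report

SAMPLE_ACCOUNTS = {  # constructed
    "genealogy": "Password123",
    "bank": "Password123",
    "email": "M@ya2009!school",
    "router": "admin",
    "photos": "Purple7Kettle!RainsOnTuesday",
}
PERSONAL_DETAILS = ["Maya", "2009"]  # constructed: a child's name and birth year
```

A check like this cannot tell a famous phrase from one you made up, so a well-known sentence with swapped characters still passes; that is the reason to invent your own phrase.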
If the thought of remembering so many complicated passwords is intimidating, think about using a password manager. Some are free; others cost a few dollars a month.
Services like these generate, retrieve, and provide top-of-the-line
passwords for each of your accounts, using super strong encryption to
protect them. They’ll also make sure the site you think belongs to your
bank actually does, before you hand over your credentials. All you have
to do is remember the one password you create for that service.
Fair warning, password manager companies have been hacked in the
past, but that doesn't mean user passwords were actually acquired by the
bad guys. Overall, many cybersecurity experts say they’re the lesser of
many evils.
Always Use Multifactor
Multifactor authentication—which
asks users to enter a second form of identification, such as a code
texted to a smartphone or a biometric identifier, such as a
thumbprint—has become a must.
And the word is getting out. Consumer Reports found that 62 percent
of Americans use multifactor authentication for online accounts in a
nationally representative survey of 1,012 adults conducted in 2016.
What multifactor authentication does is make it a lot harder for
hackers to access your account, even if they have the password. Its use
is standard practice in business, and services including Google,
Facebook, and online banking sites offer it as an option, but you often
have to turn it on. Yes, this will slow you down a bit, but frequently,
it’s enough to make hackers look for another target.
In the case of MyHeritage, the company says that its user
accounts don't currently have multifactor authentication. But, it
says, plans to add that capability were previously in the works and are
being sped up in light of the breach.
Embrace Change
Did you just toss your toothbrush? Maybe it’s time to change your passwords, too.
The longer a password hangs around, the more likely that it’s been
stolen or deciphered by a hacker. And, if a company announces that it’s
been hacked and credentials have been stolen, change your password right
away, even if it appears your account wasn’t affected. It often takes
time for those investigating a hack to determine exactly how bad the
fallout is, and breaches are often worse than they first appear.
On a related note, it’s also wise to periodically clean out your digital closets,
just like the physical ones in your home. Have an AOL email address you
don’t use anymore? A Myspace account? Close them out so you don’t have
to worry about them getting hacked.
Don't Be Too Social
Be careful what you share and who you share it with.
This lesson was driven home by the revelation that about 87 million Facebook users had their profile information and "likes" harvested—without permission—by researchers using a third-party quiz app.
If you’re going to post personal details about yourself (or your family), make sure your accounts are locked down and change your privacy settings to restrict your posts to real-life “friends.” Consumer Reports shared tips for protecting your kids’ personal information
in a previous story, but here's the short version: The entire world
doesn’t need to know where they go to school and when they celebrate
their birthdays.
And keep in mind that even if you think you have your account locked
down, nothing shared on social media is ever truly private. So, think
before you trade your privacy to play a Facebook game or take part in
what looks like a harmless quiz.