It seems a day doesn’t go by that we don’t hear about another 1.2 billion passwords stolen, which sends us all running for the news to see which merchant we interact with or online service we use was affected. Whether the passwords are from a site of importance with real information or just our Twitter and Gmail account passwords, it is at least an inconvenience to those affected and a threat toward real data loss for those who interact with them. I say this latter part because if someone gets access to your backup email account they may gain no information on you, but they can use it to try and scam others out of information about themselves. So what should we really be doing to protect ourselves if this is going to keep happening? I thought I would give you my experience as an end user and business owner on what we have done and how it has affected me personally, both positively and negatively. And trust me, there is some of both in here.
First, I don’t believe that anyone can be 100% safe and secure, even if you decide to unplug yourself from the rest of the world, unless you plan to never transact with others in a way that might be recorded: no more stores, doctors or other services that use a system to track your interactions and information. So with that said, the art, as our friend Charlie Waters will tell you, is deciding on the right balance between security and access. Meaning the more open and available you make something the less secure it is, and the less open and available, the more secure. For us here at Infinity that is the exercise we seem to go through monthly around our systems and the clients’ systems we are responsible for. Internally we decided that we had to go all in with two-factor authentication for as many systems as possible. This meant an entire rethinking of our systems, a large rollout and then end user training and support.
For those of you that don’t know what two-factor authentication means, it boils down to this: what you know (your username and password) plus something you have (a device or program that generates a one-time random access code). For us we have an application on most of our smartphones that we click when we want to log into our PCs or systems and it generates a code. Since most of us use either a different “password” for our phones or our fingerprint, you could really call this three-factor authentication. Now I know you will say: “But Rob, this really sounds complicated and burdensome.” I know you are also going to say: what if you forget your phone or it is lost/stolen; what if you need someone to log in as you to do something while you are out. What I will say is this is a lot easier than I thought when we first started. For me, over the past 6 months since we rolled this out company-wide, I don’t even think about doing it anymore, and can you really tell me you forget your phone that often? I see posts all over Facebook of people being late for work because they went back to get their phone. So I would say this setup has become easy for us and has added a great deal of security to our systems. But another side effect for us is that the passwords we use on all of the systems enabled with this service don’t have to change as often and can be less complex. Yes, that is right: you could keep a password in this setup longer, have it be easier to remember and maybe even risk it being seen, as long as you don’t use it as a password on a system that isn’t set up with two-factor. And while I don’t want to get into the weeds of the IT setup, it wasn’t that complex to set up on those systems that support it, and maintaining it isn’t hard either. There are even some self-service parts that I can use to avoid having to ask the helpdesk to make a change for me.
To close out this part: we have our major systems on this, but several don’t support it, and we have to decide whether we are OK with that or need to move to a system that does support it.
Now I know this is great for a business and all, but what about my personal life? Because let’s face it, that is where we are all affected more than at work, right? For me personally I believe the “what and how” from above still applies: you have to decide how secure you want to be and then keep that up at all times. I have been working on this for myself for the past year and I can say I am not close to done. First I decided that I would no longer use a single password for all sites and would not use a list of rotating ones either. I would use very complex passwords that are individual to each site. So to keep me from having to memorize 187 different very complex passwords that may change from time to time, I decided to use a service. There are a number out there and their level of security varies, but the basic thing you want to look for is an encrypted file, or password locker or vault as some may call it. This will allow you to have one very complex password (the more complex the better) to remember, which will gain you access to all of the others. If you want to go a step up you can get one that only stores the file on your PC/device, but that does cause some limitation if you are mobile or at several devices when you need your passwords. For me I decided to use LastPass, which is an online system. What made me comfortable with it was that, if I wanted it, it had a two-factor authentication tool I could really protect things with. So after setup I just allowed it to “capture” my login information as I used it on my devices and websites. I did input some that I knew and wanted to have in there directly. From there I had the service help me reset passwords, and made sure that all other password capture services on my PC, iPad, iPhone and other devices were turned off to avoid duplication and the worry about whether their services were secure or not.
So how has this worked out for me? Well, not as great as I would have liked, but good enough to know that those sites and passwords I’ve updated with the service are safe. The biggest pain is you need to use the program and go into each site or software and let it create a random password that meets the complexity you want/need for each one. With 182 and counting sites/systems I have way too many old and duplicate passwords still. And the service will remind me of that all the time. But it also does a great job of letting me know if any of my email addresses show up on a compromised list or if any of the sites I use are on a compromised list. The biggest pain I see is when something like these large-scale breaches happens and I want to go and do a mass password update: there isn’t a way. So my personal security is secure enough only for now. It will always be a work in progress. One thing I could start doing is considering whether I really use all 182 of these sites and systems and, if not, go and cut off the account and remove it from LastPass. That would also help.
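The two paragraphs above describe three things a vault does for you: one strong master password unlocks everything, each site gets its own random password that satisfies the site’s complexity rules, and the tool nags about old and duplicate entries. Here is an added example, written for this post and not LastPass’s code, of those three pieces using only the Python standard library: a key stretched from the master password with PBKDF2 (the stretching is what makes a stolen vault file expensive to crack), a generator that draws from the OS random source, and an audit over a made-up sample vault that flags reused and weak passwords. Site names and passwords in the sample are constructed.

```python
"""Constructed example of the pieces behind a password vault: a key derived
from one master password, random per-site passwords that satisfy a policy,
and an audit that flags reused or weak entries.  The sample vault is made up."""
import hashlib
import secrets
import string
from collections import Counter

SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"
MIN_LENGTH = 12          # policy floor; 20 is what the generator uses by default


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Stretch the master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    The salt is random per vault and stored beside the ciphertext; the high
    iteration count is what makes guessing the master password expensive.
    The vault contents would then be encrypted under this key.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def meets_policy(password: str, min_length: int = MIN_LENGTH) -> bool:
    """Length plus at least one lowercase, uppercase, digit and symbol."""
    return (len(password) >= min_length
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SYMBOLS for c in password))


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG (secrets), retried until it meets policy."""
    if length < MIN_LENGTH:
        raise ValueError("length below policy minimum")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def audit_vault(entries: dict) -> dict:
    """Report sites whose password is reused elsewhere in the vault or fails policy."""
    counts = Counter(entries.values())
    reused = sorted(site for site, pw in entries.items() if counts[pw] > 1)
    weak = sorted(site for site, pw in entries.items() if not meets_policy(pw))
    return {"reused": reused, "weak": weak}


# Constructed sample vault (site -> password); none of these are real accounts.
SAMPLE_VAULT = {
    "bank.example": "Summer2014!",                  # 11 chars: fails length
    "mail.example": "Summer2014!",                  # same as the bank: reused
    "shop.example": "x7#Qp2!vLm9@Rt4wZ1bK",         # generated-style, passes
    "forum.example": "correcthorsebatterystaple",   # long, but no upper/digit/symbol
}

if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT))
    print("replacement for bank.example:", generate_password())
    key = derive_vault_key("one long master passphrase", secrets.token_bytes(16))
    print("vault key:", key.hex())
```

The audit is the part that earns its keep after a breach: because it works on the vault you already have, it tells you exactly which sites share the leaked password, which is the list you need even when, as noted above, the tool offers no one-click mass reset.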
I don’t think anyone is ever secure enough, but if you are willing to do the right things to begin with and take the time to correct things from your past, you can get close enough, at least for today. So how are you securing your personal and business identity? Got any better ideas? I would love to talk about them. Just reach out to me.