Posted August 10, 2022 by Jennifer G
Protecting yourself and your business online involves several areas, one of which is passwords. As the number of online accounts that we deal with grows, so do the number of passwords we need to have and remember. Follow these best practices to safeguard this information.
It is vitally important to never re-use passwords. I think we are all guilty of re-using passwords from time to time and for some of us, the same one all the time! But the reality is that sites and services are constantly being attacked and breeches are not uncommon. Which means it is vitally important to never re-use passwords – especially for e-mail accounts.
What’s the harm in re-using a password? Let’s say I signed up for a photo sharing site with my personal e-mail (firstname.lastname@example.org) and I used the same password that I use to access my Gmail. A few months later, the photo site experiences a cyber-attack, and my username and password are exposed. The first thing a bad actor will do with my username and password is try logging into my email. Since I used the same username and password, they now have easy access to my email and can see that I use this email for my bank, my credit card, Netflix, Dropbox, etc. If I also used the same credentials for those accounts, I have a real problem on my hands!
When businesses are attacked user information is often taken. Names, e-mails, passwords, addresses, phone numbers, etc. may be posted or sold on the ‘dark web’ for scammers to use. An e-mail disguised as a company you regularly do business with, may mention you by name, may even contain past e-mail content… “Hey, I’ve shared a document with you, you just need to log into Microsoft or Google to view it!” or “Hey click the attachment to see our latest newsletter!”. When email servers are hit, bad emails can come from a legitimate domain and not even need spoofing!
Another common reason for compromised accounts is users being tricked into GIVING their credentials to bad actors. If you’ve used your e-mail address for anything, fact is, it is out there in the world and bad actors are going to send you deceitful e-mails to either plant malware on your computer that can steal your credentials or trick you into handing it over to them directly. Depending on where your email is listed, bad actors may be able to figure out your employer, your co-workers, even industry partners or associates and you can be target phished. This is even more convincing than an e-mail imitating a legit entity like UPS, Microsoft, PayPal, Google, etc., as they can try to disguise the e-mail as coming from your dental practice, dental systems, co-workers, or even a partner business. Some of these fraudulent emails can be very clever so it is important to always have your guard up.
Always be on guard. Look for bad grammar, misspelled words, or other signs. An example is an e-mail that looks like it’s from Microsoft but the actual address it’s coming from is odd – ie. microsoftwebservices.com. HTML file attachments, an unexpected file share or file attachment, even from someone you know, can clue you to suspicious activity. Hover over hidden hyperlinks and if the website does not match the sender or if a link brings you to a login page not the URL in your browser, chances are it is a phishing e-mail.
Password Best Practice Tips
- Strong. Make passwords no less than 20 characters AND do not use common words (hackers have sophisticated tools that can break passwords that use common words or word combinations).
- Unique. Make every password unique so that if one account gets hacked you are not handing over the keys to your other accounts.
- Management. Consider using a password management tool like LastPass, Bitwarden, 1Password, to name a few.
If you suspect an account has been compromised, it’s best to change the password immediately, monitor all accounts for any irregular activities, and stay alert to legitimate and counterfeit emails.