Bee Cyber Fit: Simplifying Cybersecurity for Everyone

Beyond the Password: 3 Essential Tips for Protecting Your Digital Identity

Wendy Battles/James Tucciarone Season 3 Episode 9

Show Notes for Episode: Fortify Your Digital Life: Advanced Password Security Tips and Tools 🎧🔒

Welcome to another enlightening episode of the Bee Cyber Fit podcast!

In this episode, we delve deep into the world of password security to help you master the art of safeguarding your online identity. Join hosts Wendy Battles and James Tucciarone from Yale University's Information Security Policy and Awareness Team as they guide you through the maze of cybersecurity risks and share practical tips and essential tools. 🌐🔐

Key Points and Takeaways:

1. Secure Your Identity with Strong Passwords 🛡️
   ▶️ Discover the significance of using strong, unique passwords and why it's crucial to avoid password reuse.
   ▶️ Learn about the massive leak of 10 billion passwords on the dark web and its implications for individuals and organizations.

2. Leverage the Power of Password Managers 🔑
   ▶️ Explore the benefits of using a password manager to securely generate and store complex passwords.
   ▶️ Find out how password managers can help identify fake login screens and enhance your overall security.

3. Embrace Multi-Factor Authentication (MFA) 🧩
   ▶️ Learn how MFA works and why it’s a game-changer in protecting your online accounts.
   ▶️ Understand the importance of enabling MFA on all your personal accounts to add an extra layer of security.
   
4. Combat Password Spraying Attacks 💥
   ▶️ Get insights into password spraying attacks and how cybercriminals exploit reused passwords.
   ▶️ Equip yourself with tips to defend against these attacks, including creating strong passwords and being vigilant against phishing attempts.
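The spraying pattern summarised in point 4 (one source trying stolen credentials against many different accounts, each only once or twice) is what a defender looks for in login logs. The following added example is not from the podcast: it runs a simple spray detector over a constructed log and separates spraying from a single account being hammered; the log format, thresholds and function names are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data), one event per line:
# <ISO timestamp> <FAIL|OK> <username> <source IP>
SAMPLE_LOG = """\
2024-07-10T09:00:01 FAIL alice 203.0.113.7
2024-07-10T09:00:04 FAIL bob 203.0.113.7
2024-07-10T09:00:07 FAIL carol 203.0.113.7
2024-07-10T09:00:10 FAIL dave 203.0.113.7
2024-07-10T09:00:13 FAIL erin 203.0.113.7
2024-07-10T09:00:16 OK frank 203.0.113.7
2024-07-10T09:05:00 FAIL grace 198.51.100.2
2024-07-10T09:05:02 FAIL grace 198.51.100.2
2024-07-10T09:05:04 FAIL grace 198.51.100.2
2024-07-10T09:05:06 OK grace 198.51.100.2
2024-07-10T09:30:00 FAIL heidi 192.0.2.9
"""

def parse_log(text):
    """One (timestamp, result, user, source) tuple per non-empty log line."""
    return [(datetime.fromisoformat(ts), result, user, source)
            for ts, result, user, source in (line.split() for line in text.splitlines() if line.strip())]

def find_sprays(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Map each spraying source to the accounts it touched. A source is flagged when its
    failed logins inside any `window` cover at least `min_users` distinct accounts with
    no account tried more than `max_per_user` times: many doors, one or two keys each.
    One account hammered repeatedly (classic brute force) is deliberately not matched."""
    fails = defaultdict(list)
    for ts, result, user, source in events:
        if result == "FAIL":
            fails[source].append((ts, user))
    alerts = {}
    for source, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until every kept attempt lies within `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in attempts[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[source] = sorted(per_user)
                break
    return alerts

def successes_from(events, alerts):
    """Successful logins from a flagged source: the accounts whose reused password
    worked, and the first ones to reset and put behind MFA."""
    return sorted((user, source) for _, result, user, source in events
                  if result == "OK" and source in alerts)
```

In the constructed log, 203.0.113.7 is flagged (five accounts, one guess each) while 198.51.100.2, which retries a single account, is not; frank's successful login from the flagged source is the one to act on first.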

Calls to Action:

It's not enough to just listen; let's strengthen our online defenses with these three actions:

1. Check if Your Data Has Been Compromised 🔍
   ▶️ Visit haveibeenpwned.com to see if your accounts have been part of a data breach.

2. Strengthen Your Passwords with a Password Manager 💪
   ▶️ Choose a reliable password manager to generate and store unique passwords for all your accounts. Read this PCMag article for detailed reviews and recommendations.

3. Enable Multi-Factor Authentication Everywhere 🔒
   ▶️ Activate MFA on all your personal accounts where available to add an extra layer of protection.

Thank you for tuning in to the Bee Cyber Fit podcast! 

Your digital security is our top priority, and we hope these tips empower you to take control of your online safety. Don't forget to subscribe, share, and leave us a review. Stay cyber fit and secure! 🌟


Learn more about Yale Cybersecurity Awareness at cybersecurity.yale.edu/awareness

Never miss an episode! Sign up to receive Bee Cyber Fit podcast alerts.

[music]

Wendy Battles: Welcome to the Bee Cyber Fit podcast, where we're simplifying cybersecurity for everyone, where we cut through confusing cyber speak and make cybersecurity simple and easy to digest. I'm one of your hosts, Wendy Battles.

James Tucciarone: And I'm James Tucciarone. Together we're part of Yale University's Information Security Policy and Awareness Team. Our department works behind the scenes to support Yale's mission of teaching, learning, and scholarly research.
 
Wendy Battles: Ready to get cyber fit with us? Hey, everyone. Welcome to another episode of the Bee Cyber Fit podcast. We're excited you're here and hope you're ready to get cyber fit with us. If you're a new listener, welcome aboard. This is the place to come for information and a whole bunch of inspiration to stay safe online and outsmart cybercriminals. This podcast is one of the many tools in our toolkit that we use at Yale University to help our faculty, staff, and students build their cyber muscles.

James Tucciarone: Wendy, as you know, we've recently rebranded and expanded one of our core topics, use secure passwords to protect your identity. And when you hear the phrase “Protect your identity,” what comes to mind?

Wendy Battles: That's such a great question, James. I would say I think about using secure passwords, using password managers. I think about multi-factor authentication. I think about the things that I can do to be proactive so that I don't run into a situation where I find that someone has stolen my identity, or I try to log in to TurboTax, do my taxes, and find out that someone has already claimed my refund check. So, the proactive things that I can do to protect myself online, that's what I think of when I hear protect your identity. 

James Tucciarone: Those are spot on, Wendy. And besides the rebranding of one of our core behaviors, this is a great time to think about protecting our identities because of a recent leak of passwords, which we're going to talk about a little bit more after we hear about our buzzword of the day, password spraying. 

[music]

James Tucciarone: Do you ever reuse passwords across different accounts? Have you ever wondered why it's so important that we don't? Stay tuned to find out about password spraying, how it works, and why strong and unique passwords are the first line of defense in protecting our identities.

Wendy Battles: James, you mentioned that there has been a leak of passwords, and I know that these days we pretty regularly hear about leaks and data breaches and bad things happening and cyber criminals getting a hold of our information, but this one was particularly exponential. Can you tell us about that, what happened?

James Tucciarone: Absolutely. And this was a big one. So, it was recently reported that about 10 billion stolen passwords were compiled from data breaches and uploaded to the dark web. 10 billion, Wendy, can you believe that? 

Wendy Battles: Actually, no, James, I can't believe it. That is insane. Not 10 million, but 10 billion. It is crazy. It is absolutely crazy. 

James Tucciarone: So, the file called RockYou2024 is considered the largest compilation of stolen passwords of all time. But the good news is the passwords aren't all from new data breaches. About 85% had previously been made available in a leak back in 2021. But that leaves around 1.5 billion new passwords that were collected over the last few years. And that's still a very scary number. 

Wendy Battles: Ah, yeah. James, it is, and I guess I feel a little better. But, of course, there's the fact that all these other 85% of these passwords were already involved in leaks. So, just the whole story is really disconcerting. That's what I'll say. And not to mention the implications that this has for both individuals and organizations. One of the things I see, James, is that when these leaks happen, we don't always know that we've been affected. It could be months; it could be years. It might be inadvertently we find out, or maybe not until later on when we get that letter in the mail. I'm guessing you've gotten these before, that some organization that has your information, you find out that they've had a breach and your information has been exposed.

And so that's one of the things that happens right, is that there's no warning sign to say this is happening and I've been affected. I guess what we can do though, is certainly pay attention to the news and be vigilant about it, so that when we hear things like this, we can go and we can look up who was impacted and what kind of information did they take. So, I think there are things that we can do, but I also think about this in the light of organizations as well. There are just so many different things that can manifest when people get our information. But again, just like with individuals, with organizations, we don't always know the impact right away. Or another example could be cybercriminals that are able to get in a backdoor of an organization and be able to monitor activity, what's going on, see protected information, get access to that information. 

So, there are implications for both individuals and organizations that speak to why it's so important that we are vigilant. And I guess the question I have for you, James is, “Is there something proactive that we can do when we hear about things like 10 billion passwords being exposed?”

James Tucciarone: There sure is, Wendy. And we've talked about it in the past, and that's using a tool like Have I Been Pwned, which allows you to enter your email address and check if your accounts have been part of a data breach. But Wendy, I think you've also made a great point about being vigilant. We really do need to be aware of when these breaches happen so that we can take this step and check to make sure that our accounts have not been part of a data breach, which leads me to the importance of using strong and unique passwords. So, we all know simple passwords are easy to crack. And Wendy, we've talked about this statistic in the past where an 11-character password using only numbers can be cracked in 2 seconds.

Unfortunately, once a cybercriminal knows they have a valid password, they can try it on other accounts. It's easy for them to try and guess different passwords too that use just a small variation, such as password one versus password two. Hopefully, nobody's using password as their password.

Wendy Battles: Right. 

James Tucciarone: I also want to mention the importance of multifactor authentication, or MFA, and how we should be using it on all of our personal accounts where it's available.

Wendy Battles: All right, James. The importance of using strong passwords and MFA. And I like that MFA because we're talking about already using it at Yale. So, when we're doing anything related to our Yale accounts we’re using MFA, but also, to your point, this idea of using MFA for personal accounts. I want to introduce one more idea that I'd like all of you to consider if you are not already doing so. Remember, this is all about, “How do we protect our identity.” And one of the powerful things that we can do to help us is to introduce password managers. Using a password manager is a simple and effective tool to protect ourselves online. The concept of a password manager is that you have a master password that you remember. That is the key to the kingdom. But behind that, the password manager generates an individual password for each of the sites or applications that you use. You don't have to remember that individual super long password, you just have to remember the master password.

So that's one of the benefits of using a password manager. We have very long passwords that are hard to crack, so it's a pretty simple thing to do, and I bet you can imagine there are a lot of different password managers. So, the question is, “Well, how do I even select one?” And I will tell you that at the end in the show notes, you will be able to find a link to an article from PCMag that talks about the features of different password managers. It rates them, it tells you pros and cons, but helpful information to make an informed decision. But it's simply a really good way to go from writing your password down on a sticky that other people might see to having increased safety by using a password manager. So, it's really an effective tool to help us protect our identity.

James Tucciarone: Wendy, one of the other things that I really appreciate about password managers is that they can help us to identify a fake login screen. If we know that we've saved a password for a particular site and it doesn't automatically populate, then we're probably not where we expect that we are. So, let's talk a little bit more about fake login screens. Phishing messages often link to fake login screens and they probably look exactly like the legitimate ones that we're familiar with. We might also encounter fake login screens when we accidentally enter a typo when browsing to a webpage. Ultimately, these fake login screens try to trick us into revealing sensitive information, like our usernames and passwords, or our credit card numbers and other personal data. Wendy, do you have any tips you can share with our listeners about identifying and avoiding fake login screens? 

Wendy Battles: I do, I've got a couple. And it starts with being vigilant. By being vigilant I mean double checking the URL, that website that you plan to go to, to make sure there are no typos or slight variations because that is a tip-off. So, if you're going to target.com, it should be target.com, not targetoone.com, for example. So, something that might be very subtle or maybe off just one letter, you want to look for that because that's a clue, that's a fake URL. The second is to go straight to the source. Phishing messages notoriously include links to fake login pages. And when in doubt, if you simply type in that destination URL, you want to go to Target or some other site like Kate Spade, type in katespade.com instead of using the link that might be in the email that looks like it's coming from Kate Spade. So, a simple thing that we can do, it only takes a couple seconds to actually type in that URL.

Next, I want you to think about bookmarking trusted websites that you go to. That's how you can avoid that fake login screen link that might be in an email, by simply going to your bookmarks and going directly to that website that you know you have saved. And finally, look for the lock. And when I say look for the lock, what I mean is that when you look at a URL and it says HTTPS, that's how you know it is encrypted and it is secure. So, if it just says HTTP, that's a red flag. You want to steer away from any URL that says that. So those four tips can help you identify fake login screens and avoid potentially becoming a victim of cybercrime. These are simple tips that you can share with your family, your friends, perhaps you have an older parent who isn't as savvy online. So, while you might be thinking, “I know all this stuff, do they?” So simple things that you can share with others. And on that note, let's hear more about password spraying, our buzzword of the day.

[music]

James Tucciarone: Here's the buzz on password spraying. Cybercriminals typically have access to large databases of stolen usernames and passwords exposed in past data breaches. In a password-spraying attack, these bad actors use automated tools to blast these stolen credentials against any number of different online accounts, hoping for a match. This can happen on shopping websites, social media, your bank portal, or really anywhere you would log in. They’re essentially trying a bunch of different keys on a bunch of different doors, hoping one unlocks the treasure trove of your personal information. It might sound like a long shot, but here’s the problem. People often reuse the same passwords across multiple accounts. This makes them an easy target for password spraying.

Think about it like this: if you use the same key for both your house and your safe, a thief only needs to find one key to gain access to both. That makes these attacks surprisingly effective for cybercriminals. They’re also easy to automate, requiring less technical skill than other hacking techniques. This allows bad actors to spray thousands or even millions of login attempts in a short period, hoping to eventually stumble upon an account where the stolen username and password combination works. So how can we defend ourselves from becoming a victim of password spraying? We can use these simple tips to power up the protection for both our passwords and our identity. Create strong and unique passwords, or passphrases, for every account. Better yet, consider using a password manager to take the guesswork out of creating complex passwords and then remembering them.

Enable multi-factor authentication or MFA wherever possible. This adds an extra layer of security so that even if a cybercriminal has our password, they would still need that additional form of authentication to gain access. Be vigilant against messages phishing for login credentials. Be cautious about unsolicited emails asking for personal information or encouraging you to log into an account. Always go straight to the source when in doubt and keep listening to the Bee Cyber Fit podcast where we help you to be aware, to be prepared, and to be cyber fit. 

Wendy Battles: Well, James, this has been quite an interesting, information-filled episode, if I do say so myself, about how we can protect our identity. The good news is that there are many simple actions we can all take to protect our identity and avoid the situation where I know we all know people who have been victims of fraud in some way or something bad has happened. We don't want that to happen to ourselves. So, let's be proactive, and we have several calls to action to help us do so. The first simple action we can take is to go to haveibeenpwned.com. The URL is in the show notes; James mentioned this a little earlier in the episode. We can enter our email address and see if it has been involved in a data leak of some kind.

Number two, we can research and choose a password manager, and we are linking to an article from PCMag that reviews password managers and is a great resource to help you choose one that might be a good fit for your needs. Finally, it's never ever too often to review and refresh our passwords to ensure that they are unique and strong, and that they are complex passwords, as James mentioned earlier. So, we can avoid the situation of easy-to-crack passwords. So those three things are simple things we can do to again, protect our identity. 

[music]

James Tucciarone: That's all we have for you today. So until next time, I'm here with Wendy Battles, and I'm James Tucciarone. We'd like to thank everyone who helps make this podcast possible. And we'd also like to thank Yale University, where the podcast is produced and recorded.

Wendy Battles: Thanks everyone. We really appreciate you listening. And remember, it only takes simple steps to be cyber fit.

[Transcript provided by SpeechDocs Podcast Transcription] 
