As an online merchant, I have to review my company’s security procedures to retain PCI compliance. Whilst I am not sure of the merits of PCI compliance — I cynically believe the fees are just another charge from the banks — it at least forces me to think about security, which is no bad thing.
To achieve PCI compliance, a merchant just has to say yes or no to a list of questions. I can do this on autopilot. But the real value is if a merchant actually thinks and does the things he is saying yes to.
This is especially the case with passwords. A basic review would ask three simple questions.
- When you register at a new site, what password do you use?
- How do you remember the password for a site?
- What happens when you forget a password?
These days, secure sites require strong passwords — typically eight to 10 characters long with a mixture of numbers and uppercase and lowercase letters. The stronger a password, the harder it is to remember.
1 password for all sites?
Many people get around this by using the same password for all sites. Thus their security is only as good as the least secure site. If one site is compromised, then all their secure logins are compromised. Likewise if they create a password using a predictable formula based on the site name and a common prefix or suffix, this too is vulnerable — one site would quickly expose all the others.
The only safe thing to do is have a unique randomly-generated password for every site you need to log into. This could easily be 50 sites or more. So how can you remember all of these passwords?
Most people rely on the browser to remember. Whilst this is simple and automatic, the security of your passwords is poor. Any knowledgeable person with access to your computer could get a list of all your passwords within seconds. This is because the browsers all list the passwords in known files on the computer.
Whilst physical access is best for such devious enquiries, remote access is almost as good. There are two ways to obtain remote access. First, there’s the virus or Trojan, which transmits your passwords to a remote location. Second, someone can hack into your network, either via Wi-Fi, or your router.
Changing factory settings
So, how good and up-to-date is your anti-virus software?
- When you installed the router did you change the admin user and password from the factory defaults?
- Is the Wi-Fi name and password still the ones written on the side of the router and on the box it came in?
- Do you actually broadcast your Wi-Fi name?
- Do you physically limit the devices that can log into your network by restricting it to a list of MAC addresses?
- Just how wide open is your network?
Taking a few minutes to change the factory defaults and securing your network is time well spent.
If you decide not to let the browser remember your passwords, you presumably need a secure way of storing them. One of the best, and certainly the cheapest, is pen and paper with a locked drawer. I have yet to hear of any computer hacker who can access this. The only way to breach this online is for someone to watch you type in your passwords. Anti-virus software, again, can prevent this.
Software for randomly-generated passwords
However, typing long, complex passwords is time consuming and error prone. It is much easier if the password and username were pre-filled, just like using a browser. But, there is software to do this more securely. I use one called LastPass.
There are others that are likely just as good or even better. I have not used them so I am not in a position to compare them or recommend one. They all work in a similar way. They offer an option to randomly generate a password when you first register for a site. They keep the passwords safe in an encrypted file. They pre-fill the fields as needed. They are like using the browser, but safer.
No method is foolproof. There will presumably be times when you forget your password. Most sites offer the ability to reset passwords. You click on a link and an email is sent to your registered email address. You can then change passwords.
This is a large loophole in your security. It means that no matter what you do to secure your passwords, they are only as secure as your email.
How to secure email
So, how secure is your email? How good is the password on the email account? An email account is like the master key to all other accounts. It should be ultra safe. Do you, like most of us, use your regular email address to register at all these sites? Why?
It would be so much better if you used a separate email address to register these sites. This is because you want to access your email from anywhere, such as from the coffee shop Wi-Fi or the library computer.
It would be much better if you separated your email accounts into two accounts: one for everyday communication and a second for registering at secure sites. This second account you would never access unless you are 100 percent secure. Otherwise, if you access from an insecure location, a hacker could determine your email password. Once he has that, it is a simple task to log in to your email server and pick up any password or request a password reset.
So, the next time you update your PCI compliance, stop and think. Consider securing your passwords. It does not take long. If nothing else, it will give you peace of mind.