It was inevitable. With so many serious data breaches over the years (including Yahoo’s 3.5 billion records breached, Marriott’s 500,000,000 records breached, Adobe’s 152,000,000 records breached, eBay’s 145,000,000 records breached, etc.), hackers have compiled a massive list of usernames and passwords on the Dark Web. Recently, two aggregated collections went “public” after being sold on the Dark Web for years. One collection includes 773 million unique usernames and passwords. The other collection consists of 2.2 billion unique usernames and passwords.
Why should cities care? A researcher who works for Microsoft, Troy Hunt, created a website where you can check your email address against a database of these stolen credentials. For example, one of our colleagues uses a Gmail address that he barely shares with anyone. He inputted his Gmail address into Hunt’s database and the following came up:
- His email address, password hints, password, and usernames were exposed in the Adobe data breach of October 2013.
- His email address, password, and username were exposed in the Dailymotion data breach of October 2016.
Luckily, our colleague has changed his Gmail password multiple times since these dates. However, even with an email address that he barely uses or shares, our colleague’s password could have been at risk (and may still be at risk in some ways, such as with password hints that were stolen in the Adobe breach).
Troy Hunt’s website is a legitimate, trusted site. Feel free to input your email address into it to see if you may be at risk. Most likely, you are. And you will see that your email address was exposed in a few or many breaches.
What to do? Our usernames and passwords are becoming more exposed and available to even amateur hackers after years and years of severe data breaches. All is not hopeless, though. Here are some password best practices you can implement to protect your city (and yourself personally).
Change your password if haven’t changed it in a long time.
Let’s start with the obvious. If your password has been breached and you haven’t changed it since that breach, CHANGE IT.
Secondly, if you haven’t changed your password in a long time, then change it—even if Troy Hunt’s database doesn’t suggest it’s been affected. The longer you use the same password, the higher the likelihood of exposure to a hacker. And anyway, it’s likely you’ve used one or more of the services over the years that have gotten breached, which include commonly used banks, retailers, and online services.
Implement Two Factor Authentication (2FA).
Even if a hacker does steal your username and password, 2FA presents a hurdle that’s hard to get past. For example, when you sign into your email, you might need to input a code (something like a random number) generated on a mobile app on your phone. If a hacker tries to breach your account, they would have to have your phone, be able to log in to your phone, and then obtain a current code generated by your mobile app that expires every 30 seconds in order to get into your account.
2FA might seem annoying sometimes because you must input a number along with a password. It may take a while to become habit for employees. However, 2FA adds another layer of protection that significantly decreases the likelihood of a hacker succeeding.
Consider using a password manager.
If you haven’t heard about password managers, they are services that automatically generate strong passwords, remember all your passwords, and encrypt them. In other words, a password manager helps you implement specific password best practices without you having to think about it. Your IT staff or vendor can help you implement a password manager across your organization. Once implemented, they tend to work smoothly in the background and make your life easier.
Develop a password policy for your city.
The above best practices are tools and tactics. For the long-term, you need to strategically develop a password policy that enforces best practices to keep you safe. A policy would outline:
Follow password best practices.
- Specific rules around the creation of passwords for employees, including changing passwords on a periodic basis.
- Requirements for training related to your password policy, including reviewing best practices.
- Rules around protecting passwords—from sharing them to writing them down on sticky notes in plain sight of others.
- Automated rules that are enforced (such as requiring strong passwords or preventing someone from logging in if they repeatedly input the wrong password).
- Authentication requirements that may go beyond a password (such as 2FA, the use of tokens or biometrics, etc.).
We’ve written about password best practices in the past. To recap a few of the most important:
- Use a password on all your devices. This includes tablets and smartphones.
- Use strong passwords. We recommend using passphrases (which are long phrases that are easy for you to remember but difficult for a hacker to guess). You can also use complex passwords (a long string of letters, numbers, and symbols).
- Do not write passwords down and leave them visible. We still see too many city employees writing down passwords on sticky notes and attaching them to their computer monitors or in notebooks that they place inside a desk drawer. Anyone walking by could snap a phone picture and use that password to later break into that employee’s account.
- Do not use obvious passwords. Here is a list that you can check. If you are using one of these, then change it immediately.
- Do not use the same password for all systems you access. If a hacker gets a hold of your username and password, then they can access all your accounts—rather than just one.
Because of the cybersecurity landscape we find ourselves in today, we must be more vigilant and stricter about how we create and use passwords. The above best practices will help your city protect itself in this global environment where we continue to regularly hear of newer, larger compromises putting more and more people at risk.