In 2015, the frequency, scale and impact of data breaches increased dramatically. While the motivation for these attacks has enjoyed much conjecture in the media, in online forums and in the cloistered circles of the intelligence community, the truth lies only within the hearts of the adversary.
For the rest of us, the impact was the same: personal data I entrusted to a corporation or agency was exposed, and there is nothing I can do about it.
For context, the Top 10 breaches in 2015 (by size) were:
- Slack: 500,000 accounts
- Hacking Team: 1 million emails
- Kaspersky: multiple prominent customers
- CareFirst BlueCross BlueShield: 1.1 million subscribers
- LastPass: 7 million users
- Premera BlueCross BlueShield: 11.2 million subscribers
- Experian/T-Mobile: 15 million credit applications
- Office of Personnel Management (OPM): 21-25 million federal employee records
- Ashley Madison: 37 million clientele records
- Anthem: 80 million patient and employee records
Excluding Kaspersky, that list totals 177.8 million records breached, affecting an unknown number of people and exposing email addresses, passwords, Social Security numbers, patient records and personal peccadilloes, and identifying which U.S. workers possessed a Top Secret clearance.
For perspective, in 2015 the population of the United States was 321 million citizens. If each breached record from the top 10 represented a person, 64.6% of U.S. citizens got hacked.
2015 was a watershed for large scale and high profile data breaches, with fallout affecting economics, trade and geo-politics for years to come and incidents that continue to this very day (May 20th, 2019 – the internet company Chtrbox hosted a publicly accessible database of 49 million “and counting” Instagram influencers on AWS).
Despite years of ever higher profile breaches encroaching on everyone’s online personal information, an overwhelming majority of users continued using short, simple and highly predictable passwords.
To make matters worse, most users used only one password, the same password, for every computer or service they encountered.
Annual breach reports from carrier networks like Verizon indicate that more than 80% of breaches are caused by weak or reused passwords.
Astute criminals understood this and developed tools to immediately use passwords plundered from one breach to gain unauthorized access to other online services (banks, social media, etc.), with no indication of compromise and few traces for defenders to follow.
If an adversary exfiltrated an encrypted database, they spun up large, inexpensive cloud computing instances to run expensive cracking jobs against the data to convert it into plaintext.
Users lost trust in whatever online service was breached but moved on to the next one and did not change their behaviors. Rinse, repeat.
Because it’s more secure.
Very little in the online landscape has changed since 2015 (or 2005, or 1995), but password managers are a welcome change.
A password manager provides multiple features to fortify your credentials, make them easier to store and access during use and prevent you from becoming an easy victim of identity theft.
- Random password generation
- Encrypted storage of your credentials
- Browser integration for capturing passwords and filling in login forms automatically.
- Password hygiene
- Automated device synchronization.
Stop making up passwords you think are strong – they are not. Use the password generator in a password manager to create passwords that are harder to predict and harder to crack.
Password managers store credentials and secrets in a vault that is encrypted by your device. When secrets are transported they are encrypted.
Password managers have browser extensions to handle password capture and replay. When you login to a secure site, it offers to save your credentials. When you return to that site, it offers to automatically fill in your credentials. If you have multiple accounts on a site, there are features to support storing more than one credential for the same site.
Password managers identify weak and duplicate passwords and help you replace them with stronger ones. Some offer automated detection of breaches for your sites or will replace your weak passwords on your secure sites for you in the background.
Password managers work on all your devices: desktop, laptop, mobile phone or tablet. Some even have watch apps that let you log in to sites with a tap on your wrist. Your credentials can be accessed from any device to authenticate into any secure site. Mobile device integrations also support vault access using Touch ID or Face ID.
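To make the two features above concrete, here is an added example (not code from the original post or from any password manager product) that generates a password from a CSPRNG, computes the entropy that makes such a password hard to crack, and audits a constructed sample vault for short, common and reused passwords. The vault entries, the 12-character threshold and the tiny common-password list are assumptions chosen for illustration.

```python
import math
import secrets
import string
from collections import Counter

# Full printable-ASCII alphabet (94 symbols) that generators typically draw from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample vault; these are made-up sites and passwords, not real data.
SAMPLE_VAULT = [
    {"site": "bank.example", "password": "Summer2015!"},
    {"site": "mail.example", "password": "Summer2015!"},   # reused from bank.example
    {"site": "shop.example", "password": "password"},
    {"site": "forum.example", "password": "x7$Qm!2vLp9#Rz4w"},
]

# Tiny constructed stand-in for the breach-derived wordlists managers check against.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
MIN_LENGTH = 12  # assumed policy threshold


def generate_password(length=16, alphabet=ALPHABET):
    """Draw each character uniformly with the OS CSPRNG (never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def audit_vault(vault):
    """Return {site: [issues]} for entries that are short, common or reused."""
    counts = Counter(entry["password"] for entry in vault)
    findings = {}
    for entry in vault:
        pw, issues = entry["password"], []
        if len(pw) < MIN_LENGTH:
            issues.append("short")
        if pw.lower() in COMMON_PASSWORDS:
            issues.append("common")
        if counts[pw] > 1:
            issues.append("reused")
        if issues:
            findings[entry["site"]] = issues
    return findings
```

A 16-character password over this alphabet carries about 105 bits of entropy, far beyond anything a human-chosen password reaches.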
Some say passwords are on their way out, that user identity can be authenticated via other means. There are reasons to believe this may be the right path forward.
However, before new designs are validated, verified and deployed on a wide scale, password managers are clearly the best way to fortify your online identities and avoid becoming a victim of identity theft.
Password manager recommendations: