It is that time of year where security professionals the world over end up talking with friends and family about security. It will be inevitable, almost as inevitable as someone wearing a stupid Christmas sweater they are a little too proud of.
The standard advice we've been giving for years is pretty simple:
- Don't re-use your passwords across sites
- Use a password manager
Anyone that has done technical support for anyone that isn't as familiar with IT knows well that as soon as you complicate something, you end up getting twice the calls, even for things that are not your fault; "Well, since you setup that password thing my printer won't print" ...
It is fantastic advice, it is where we should all strive to be, we should all have password managers and should never re-use passwords.
However let's change one single password. Start small.
There is likely to be a single account that is the root of trust for all other accounts. An email address, either at an ISP somewhere (and maybe this is the year you get them to switch from that old Earthlink email address?) or more likely a free email provider.
That's the account we want to target.
If we can secure the root of trust, the email address that can be used for password reset emails and for phishing we've already won a large battle. Individual accounts may still be "vulnerable", but now we've closed one giant hole.
After all, we all learn to walk before we learn how to run. This small step can set the tone for even more and better security later.
Should we go further? Absolutely, identify the primary accounts that are high risk, as an example:
Facebook Login/Twitter is used across many different websites, Apple's iCloud allows remote wipe of devices, and Microsoft Account is used for access to local machines and likely to OneDrive and other online accounts storing personal documents and files.
There are many more that I am missing, those can be next, but even the above tend to roll back up to a single email address.
There is nothing new under the sun, and password re-use is well known and ridiculed, even Randall Munroe of XKCD fame published a comic about password re-use a long time ago, however there is one comic that comes to mind to help create better passwords:
Pick four random words from the English language, create a funny sentence and
you are off to the races. Don't use
correct horse battery staple as a
password, it's a terrible password now, but the idea behind generating such a
password is fantastic.
Just changing one password can increase someones security posture just a little bit, and who knows, next year you'll have received less spam email that can be traced back to their address book being siphoned off and then abused.
For bonus points, have them sign up for ';--have i been pwned?, now each time a new service is breached your friends or relatives will get a little bit of notice, and can get an idea for why different passwords are a necessity these days, and maybe next year they will ask you to show them how to set up that password manager so they can be even more secure!
Happy Holidays, and good luck with your IT help desk duties this year, especially getting that printer driver installed, because lets be honest, we'll get blamed for the broken printer in two months whether we touched it or not.