Question about cybersecurity
Hi all,
I'm no expert on cybersecurity, so please be patient with me. It seems that every day, a new disclosure of a hack comes out. The SEC was hacked. We all know about the Equifax debacle. The list goes on and on.
I know *some* information must be kept online, but a simple (but maybe unworkable ?) solution is to take a lot of the super-sensitive information offline or make it even more difficult to access online somehow (2 factor authentication, etc).
You all in IT, please tell me the practical problems. It almost seems as if we need to go back to sneaker-net with a lot of sensitive information. Thank you in advance!
Steve
your happy CHaS host
earthshine
(1,642 posts)Equifucks tried to make a business model out of this.
The execs benefit by selling their stocks high before the value falls.
The company benefits more from a world where data is insecure and can sell subscriptions to people who have to constantly check their credit reports.
The FEC admits that the info was used for insider trading.
Follow the money. This all happens by design.
steve2470
(37,468 posts)BadgerKid
(4,679 posts)The Yahoo hack years ago (which one, right?) spurred me on to use two-factor authentication (2FA) for personal accounts. Short of 2FA, your best bet is a long passphrase. The use of multiple character classes in passphrases is good but not as necessary for sufficiently long passwords ... I'm guessing somewhere over 10-12 characters long. There are web sites discussing the crossover point. The use of a unique passphrase for each online account is best. Make use of secure (https) connections where possible. Changing your passwords regularly, while annoying, does help; in the event that archived user account data is hacked or stolen, you don't want those passwords to be valid. That's another reason for unique passphrases across all your accounts.
There are things on a provider's end that we cannot control. Some have a maximum passphrase length like 8 characters, and then there's the 4-digit PIN like those used on bank ATM accounts and smartphones. That's weak regardless of mixing lower case, capitals, numbers, and punctuation. There's also the issue of how passphrases are stored. Clear text is obviously bad; hashes are appropriate. If hashes are used, then the hashing algorithm ought to be sufficiently advanced. Fortunately, many web sites deactivate your account after too many failed attempts, forcing you to reset using email and/or security questions. That's another reason to have 2FA.