
Are your digital passwords really protecting your personal information?

Here’s how to make your online data safer.

PORTLAND, Maine — 207’s tech guy, Rich Brooks of Flyte New Media in Portland, started out with this simple premise: As we put more of our sensitive data online and rely more on social media channels and other digital platforms, we attract more scammers and hackers who want the data. That leads to a question. How can we protect ourselves?

Rich joined us on 207 to talk about these issues. Here are the talking points he provided.

207: "What is the answer to better protection...is it just tougher passwords?"

Rich: "Passwords are broken. They may have worked in the past, but they are problematic.

"Because we have so many passwords these days for our websites, online shopping, email, social media accounts, financial services, and so on, we take shortcuts. We reuse the same password over and over again, or we make them easy to remember (and thus easy to crack), or we write them down on sticky notes around our desk or keep them on a document on our computer.

"Even if we're careful, passwords are vulnerable to server breaches, like the ones that are in the news seemingly every day—which we can't control—or to social engineering hacks like phishing, which is how hackers often get us to share our passwords with them."

207: "So, if passwords are no longer effective, what can we do?"

Rich: "Well, many sites and services, especially ones that store sensitive data, now offer two-factor authentication, or 2FA. That means that when you log in with your username or password you are prompted to provide a 6-digit code, often sent to your mobile device on file.

"This is more secure because to access your account, someone needs your username, password, AND to have access to your phone. However, the way that many of these 2FA systems work is by sending you that temporary code via text or SMS. Unfortunately, many hackers use a SIM card hack that can capture your incoming messages, so they can still get in.

"A more effective approach is using an app called an Authenticator. There are a number of free ones out there, and I personally use the one from Google, which also allows me to get 2FA codes for Apple, Facebook, and any other company that uses this level of security.

"2FA also lowers your chance of falling victim to a phishing attack or even a server breach ... as long as you're not using the same passwords for every site."

207: "What if we have really sensitive data, or just feel that we need more security?"

Rich: "If you want to take things to the next level, you can use a hardware key. These can physically plug into your computer and connect to your smartphone either through the port or using NFC or Near Field Communication.

"With a hardware key, you never have to remember your passwords, because the key does it for you. It's best practice to have a backup key because if you lose your key, you're locked out of your accounts. Maybe for good.

"Some of these keys also use touch ID, or biometrics, as an added layer of security.

"Yubikey, from my research, appears to be the industry leader, but whichever you go with you want to make sure it's compatible with all your devices because we often use multiple devices to log into your social media accounts, bank accounts, and so on."

207: "I've heard something about passkeys ... how do these fit in?"

Rich: "This may be the future. Digital passkeys solve many of the problems that passwords have.

"Similar to the chip on your credit card, a passkey will create a one-time key that works with websites and apps that accept them. They do this through biometrics, a fingerprint or facial recognition most often, on your phone or computer.

"This makes them almost impossible to hack. In addition, no longer do we need to worry about remembering our passwords, being a victim of a server breach, or falling for a phishing scam.

"Another great thing about passkeys, both the digital and hardware types, is that they protect against fake sites that pretend to be your bank's website or app. One method hackers use is cloning your bank's website, then sending you an email that tells you there's a problem and you need to log into your bank's website, but they send you to the cloned site. You enter in your username and password, and suddenly they have full access to your account. Passkeys only work on the sites where they were created, so they won't work on a cloned site."

207: "What are you doing for your own security?"

Rich: "After doing this research, I'm moving away from creating my own passwords. Now, not every website uses passkeys yet, so I'm moving to a password manager like 1Password so I don't have to remember all my passwords, and I don't have to write them down on sticky notes. For sites that do use passkeys, I'll be using those.

"I'm also going to be sharing this information and advice with all of our clients, as I'm concerned that many of them are using simple passwords like pet names or birthdays, and others are reusing the same password on multiple sites. I can't count the number of times businesses came to me last year and said that they lost control of their Facebook business page because hackers got into one of their employees' personal accounts, and used that to take over the company account.

"But the most important thing is staying on top of the changes; what's 100 percent secure today may not be secure in five years, or even in five months. With more of our sensitive data being online or stored on digital devices, we need to stay on top of this to protect ourselves."
