Password security may not be at the forefront of everyone’s minds – but it’s more important and easier than ever.
Password security problems are nothing new. Back in November 2014, a webpage started livestreaming security cameras from around the world whose default credentials had never been changed. In the US alone, there were over 11,000 cameras livestreaming; a year later in December 2015, there were still almost 6,000 cameras live. [CSOonline.com]
Then in December 2019, many Ring camera accounts were hacked – not with default passwords this time, but actual hacks on accounts without two-factor authentication. [vice.com]
What exactly is two-factor authentication? Two-factor authentication means a second confirmation after your password. This second method is often sent to your cell phone as a text or through an app, which you then input or confirm. Many banks require this, but there are also lots of other sites which have it as an option, like Ring.
While many people see this as an inconvenience, it is a safety feature and it’s becoming the new standard for security.
A good analogy for this is a deadbolt on your door. Your door handle has a working lock, but it is not too hard to get through that lock.
As a second security method, you turn your deadbolt to make it much harder to access your home. That is your physical two-factor authentication – and if it is important enough for physical entry into your home, it should be important for virtual access as well.
Even if you do not have two-factor authentication, at least changing the default passwords and using different passwords across all your accounts are vital steps to more secure accounts. While it’s very convenient to have one password for all your accounts, it also means that if one account is compromised, they are all compromised.
If a hacker gains access to an account and you use the same password for your email, they can “verify” account ownership and change your passwords to lock you out.
That’s why your method of two-factor has to be secure too. If you have verification codes sent to your email and your email password is “password,” that second factor is not helping. It’s just a second “door” that a hacker can walk right through. Not much of a defense.
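The reasoning above (one reused password exposes every account that shares it, and a second factor delivered to a weakly protected mailbox adds nothing) can be traced in a small model. This is an added example, not part of the original article; the accounts, the passwords and the simplifying rule that app-based codes never reach the intruder are all assumptions.

```python
# Added illustration; every account name and password here is constructed.
GUESSABLE = {"", "123456", "password"}  # weak values named in the article

# name: (password, second factor) where the factor is None, "app",
# or the name of the mailbox account that receives the codes.
REUSED = {
    "camera": ("Tr1cky-horse-42", "email"),
    "email":  ("password", None),
    "shop":   ("Tr1cky-horse-42", None),
    "bank":   ("Tr1cky-horse-42", "app"),
    "forum":  ("plum-Anchor-77", None),
}
HARDENED = {
    "camera": ("kite-Ledger-19", "app"),
    "email":  ("opal-Harbor-63", "app"),
    "shop":   ("Tr1cky-horse-42", None),
    "bank":   ("mint-Copper-08", "app"),
    "forum":  ("plum-Anchor-77", None),
}

def blast_radius(accounts, leaked):
    """Accounts an intruder can enter once the password of `leaked` is known."""
    known = GUESSABLE | {accounts[leaked][0]}
    fallen = set()
    changed = True
    while changed:  # repeat: a fallen mailbox can unlock further accounts
        changed = False
        for name, (password, factor) in accounts.items():
            if name in fallen or password not in known:
                continue
            # App codes never reach the intruder in this model; codes sent
            # to a mailbox do, once that mailbox has fallen.
            if factor is None or (factor != "app" and factor in fallen):
                fallen.add(name)
                changed = True
    return fallen

if __name__ == "__main__":
    print("reused passwords:", sorted(blast_radius(REUSED, "shop")))
    print("unique passwords:", sorted(blast_radius(HARDENED, "shop")))
```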
Going back to the importance of changing default passwords, most of us own a lot of devices in our house that are network-connected. And it is very easy to plug them in, take all the defaults, and go on with your day.
If you live in an area with a lot of neighbors nearby, take a look at the wireless networks you can see.
From my desk at work, I can see over ten networks that are outside of our office. The signals from unsecured devices aren’t kept within the walls of your own home.
A quick Google search can tell you the default username and password of almost anything, including unsecured devices that might be in your own home. According to the Symantec Internet Security Threat Report for 2019 [https://docs.broadcom.com/doc/istr-24-2019-en], 60 percent of the IoT attacks (Internet of Things – meaning everything Internet-connected) used a username of “root” or “admin” and over 40 percent of the attacks used a password of “123456” or left that field blank. Not the word “blank” – an actual password of nothing.
People almost always worry about security in some form: we lock our cars, our houses, our cell phones. The same philosophy should be applied to our technology.
Take the time to change your passwords, use varying passwords, and change them periodically. It does not take much of a hacker if we don’t bother to lock our own doors.